Sunset U2F in favor of WebAuthn #10375
Assignees
Labels
feature-request
Used for new features in Teleport, improvements to current should be #enhancements
platform-security
Comments
codingllama
added
the
feature-request
|
@codingllama Can we migrate users from U2F to webauthn automatically? Or would this mean during an upgrade users would have to re-register? |
The change should be seamless for end-users - no re-registration or other actions. We can tweak the details, but the current plan is: starting from v10 it's still possible to use "u2f" as a second_factor setting, but it emits a warning and seamlessly changes the backing implementation to WebAuthn (so no more "u2f" devices will be registered). We'll remove as much API surface as possible here. In v11 all "u2f" options and remaining APIs are removed; at this stage admins have to change from second_factor "u2f" to a supported setting ("on", "optional" and "webauthn" all work). |
This was referenced Feb 18, 2022
Merged
codingllama
added a commit
that referenced
this issue
Feb 23, 2022
Alias the "u2f" second factor mode to "webauthn", effectively sunsetting U2F in favor of WebAuthn. The change effectively disables "U2F mode" server-side, making Teleport use WebAuthn instead. This is in line with our compatibility promise, as Teleport 8.x clients are already WebAuthn-capable (and thus have no problems talking to the cluster). I have cleaned up a good chunk of U2F references in lib/web and lib/client, plus a few other places. Changes on lib/auth are just the necessary to get the tests back to good standing. There is more work to be done, but this seems enough for a single PR. #10375 * Remove "Disabled" field from types.Webauthn * Update generated protos * Treat second_factor "u2f" as "webauthn" * Remove references to Webauthn.Disabled * Remove U2F from lib/web/ * Remove U2F from lib/client/ * Remove U2F from lib/auth/ (partially) * Fix issues after rebase on master * Fix typo
codingllama
added a commit
that referenced
this issue
Feb 24, 2022
Follows up on #10466 by removing remaining U2F references, including proto/gRPC surface and the lib/auth/u2f package itself. #10375 * Remove U2F from lib/auth/ (1) * Remove U2F from lib/auth/ (2) * Remove U2F from lib/auth/ (3) * Remove U2F from lib/services/ * Remove U2F from tsh mfa add suggestions * Remove U2F protos * Update generated protos * Cleanup a few stragglers * Remove lib/auth/u2f package * Fix references to auth.MFAAuthenticateChallenge * Revert needless lib/auth/password.go change * Update e/ to ad8fd4a (U2F cleanup) * Fix stragglers from latest master rebase * Fix lint and compile failures
This is now complete. In addition, I've done a rather comprehensive cleanup. For v11 all that's left is clearing out the user-visible bits (constants.SecondFactorU2F, lib/config and maybe a few other places). The more interesting decisions for v11 are:
The App ID has to remain, at least in some form, so legacy devices keep working. Migrating the U2F storage devices simplifies the code a bit, but it's not paramount. |
|
Remaining cleanup tasks
v11
|
3 tasks
This was referenced May 19, 2022
codingllama
added a commit
that referenced
this issue
May 31, 2022
U2F facets don't serve a purpose since Webauthn became the de-facto MFA mechanism. This should make it easier for users to write v10-style authentication configs. The remaining U2F fields are still relevant for when we derive Webauthn settings from U2F, so those are kept (and validated). Note that we still keep the fileconf field, since we don't want configs to needlessly break during version upgrades. #10375 * Remove references to U2F.Facets * Remove Facets from U2F proto * Reinstate proto Facets field U2F gets marshaled as JSON to storage, so we better keep the field to avoid issue with resource configs. * Add deprecation notice on comment * Update generated protos
codingllama
added a commit
that referenced
this issue
Jul 6, 2022
Add a batch of public documentation changes that cover: * Passwordless (new guide and various links) * WebAuthn updates in regards to U2F * U2F documentation removal (superseded by WebAuthn) * Updated config reference (`teleport.yaml` and equivalents) * Updated `tsh` reference This should cover the bulk of the work under Passwordless (#9160) and U2F sunset (#10375). #9160 Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
codingllama
added a commit
that referenced
this issue
Jul 6, 2022
Add a batch of public documentation changes that cover: * Passwordless (new guide and various links) * WebAuthn updates in regards to U2F * U2F documentation removal (superseded by WebAuthn) * Updated config reference (`teleport.yaml` and equivalents) * Updated `tsh` reference This should cover the bulk of the work under Passwordless (#9160) and U2F sunset (#10375). Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
codingllama
added a commit
that referenced
this issue
Jul 6, 2022
…4163) Add/update docs for passwordless, WebAuthn and U2F (#13314) Add a batch of public documentation changes that cover: * Passwordless (new guide and various links) * WebAuthn updates in regards to U2F * U2F documentation removal (superseded by WebAuthn) * Updated config reference (`teleport.yaml` and equivalents) * Updated `tsh` reference This should cover the bulk of the work under Passwordless (#9160) and U2F sunset (#10375). Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
codingllama
added a commit
that referenced
this issue
Oct 5, 2022
Address TODOs, add deprecation warnings and remove as many U2F code references as possible. Existing behavior is kept unaltered: it's still possible to inform Teleport of old U2F AppIDs and U2F configurations are still silently converted to WebAuthn. There's no reason to break that, so we don't. Most server-side references to SecondFactorU2F are removed, but client-side references remain: this makes it possible to interop newer clients with old clusters (something else may break, but hopefully not this part). Closes #10375.
rosstimothy
added a commit
that referenced
this issue
Jun 17, 2024
U2F support was deprecated in favor of WebAuthn many releases ago, however, not all references were removed when working on #10375. This eliminates the last remaining inclusions of github.com/flynn/u2f and github.com/flynn/hid from lib/client and drops all support of falling back to U2F if client tools are not built with FIDO2 enabled. In practice, this should only cause problems for people building tsh/tctl locally without setting the correct build flags. All release artifacts published should already be built with the appropriate flags and not cause any issues as a result. Updates #43112.
github-merge-queue bot
pushed a commit
that referenced
this issue
Jun 17, 2024
U2F support was deprecated in favor of WebAuthn many releases ago, however, not all references were removed when working on #10375. This eliminates the last remaining inclusions of github.com/flynn/u2f and github.com/flynn/hid from lib/client and drops all support of falling back to U2F if client tools are not built with FIDO2 enabled. In practice, this should only cause problems for people building tsh/tctl locally without setting the correct build flags. All release artifacts published should already be built with the appropriate flags and not cause any issues as a result. Updates #43112.
github-actions bot
pushed a commit
that referenced
this issue
Jun 17, 2024
U2F support was deprecated in favor of WebAuthn many releases ago, however, not all references were removed when working on #10375. This eliminates the last remaining inclusions of github.com/flynn/u2f and github.com/flynn/hid from lib/client and drops all support of falling back to U2F if client tools are not built with FIDO2 enabled. In practice, this should only cause problems for people building tsh/tctl locally without setting the correct build flags. All release artifacts published should already be built with the appropriate flags and not cause any issues as a result. Updates #43112.
rosstimothy
added a commit
that referenced
this issue
Jun 20, 2024
U2F support was deprecated in favor of WebAuthn many releases ago, however, not all references were removed when working on #10375. This eliminates the last remaining inclusions of github.com/flynn/u2f and github.com/flynn/hid from lib/client and drops all support of falling back to U2F if client tools are not built with FIDO2 enabled. In practice, this should only cause problems for people building tsh/tctl locally without setting the correct build flags. All release artifacts published should already be built with the appropriate flags and not cause any issues as a result. Updates #43112.
rosstimothy
added a commit
that referenced
this issue
Jun 20, 2024
U2F support was deprecated in favor of WebAuthn many releases ago, however, not all references were removed when working on #10375. This eliminates the last remaining inclusions of github.com/flynn/u2f and github.com/flynn/hid from lib/client and drops all support of falling back to U2F if client tools are not built with FIDO2 enabled. In practice, this should only cause problems for people building tsh/tctl locally without setting the correct build flags. All release artifacts published should already be built with the appropriate flags and not cause any issues as a result. Updates #43112.
rosstimothy
added a commit
that referenced
this issue
Jun 20, 2024
U2F support was deprecated in favor of WebAuthn many releases ago, however, not all references were removed when working on #10375. This eliminates the last remaining inclusions of github.com/flynn/u2f and github.com/flynn/hid from lib/client and drops all support of falling back to U2F if client tools are not built with FIDO2 enabled. In practice, this should only cause problems for people building tsh/tctl locally without setting the correct build flags. All release artifacts published should already be built with the appropriate flags and not cause any issues as a result. Updates #43112.
github-merge-queue bot
pushed a commit
that referenced
this issue
Jun 24, 2024
U2F support was deprecated in favor of WebAuthn many releases ago, however, not all references were removed when working on #10375. This eliminates the last remaining inclusions of github.com/flynn/u2f and github.com/flynn/hid from lib/client and drops all support of falling back to U2F if client tools are not built with FIDO2 enabled. In practice, this should only cause problems for people building tsh/tctl locally without setting the correct build flags. All release artifacts published should already be built with the appropriate flags and not cause any issues as a result. Updates #43112.
github-merge-queue bot
pushed a commit
that referenced
this issue
Jun 24, 2024
U2F support was deprecated in favor of WebAuthn many releases ago, however, not all references were removed when working on #10375. This eliminates the last remaining inclusions of github.com/flynn/u2f and github.com/flynn/hid from lib/client and drops all support of falling back to U2F if client tools are not built with FIDO2 enabled. In practice, this should only cause problems for people building tsh/tctl locally without setting the correct build flags. All release artifacts published should already be built with the appropriate flags and not cause any issues as a result. Updates #43112.
github-merge-queue bot
pushed a commit
that referenced
this issue
Jun 24, 2024
U2F support was deprecated in favor of WebAuthn many releases ago, however, not all references were removed when working on #10375. This eliminates the last remaining inclusions of github.com/flynn/u2f and github.com/flynn/hid from lib/client and drops all support of falling back to U2F if client tools are not built with FIDO2 enabled. In practice, this should only cause problems for people building tsh/tctl locally without setting the correct build flags. All release artifacts published should already be built with the appropriate flags and not cause any issues as a result. Updates #43112.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What
Teleport supports WebAuthn since 8.x and we are fast moving to a passwordless world. It's time to sunset U2F.
How
The WebAuthn RFD talks about the U2F phase out, which is split in two phases:
The original intent was to land 1. in Teleport 9, but time flies, so we are likely looking at releases 10 and 11, respectively.
The text was updated successfully, but these errors were encountered: