• I like how it works, but I only give it 3 stars because of this:

    When I first registered my keys, it allowed access with no password, just with the key inserted and a non-biometric touch. No PIN and no fingerprint were required to access; I guess that it just uses the FIDO U2F standard by default.

    This should never be allowed, at least by default. To solve it, I had to change “user verification” in the settings. This should be mandatory.

    According to the owner, this is configured like that because mobile devices do not work with WebAuthn. I’d rather always allow the possibility of using password + U2F than this option. U2F for passwordless authentication should NEVER be allowed.

    If it is corrected, I would give 5 stars, because besides this it works fine.

    • This topic was modified 2 years, 11 months ago by josevirtual.
Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Axton

    (@axton)

    Whether it requires a PIN or not depends on your authenticator, your system and the way you register your authenticator.

    Make sure you have “user verification” enabled in the plugin settings (it is disabled by default) and re-register your authenticators. On most authenticators “user verification” makes them ask for a PIN.

    Please note that some systems do not support “user verification” (Android, for example), and that’s why “user verification” is disabled in the plugin settings by default. Anyway, if you need a PIN, please check that option out!

    In fact, in WebAuthn we treat the authenticator as a safe password. So you are fine as long as you keep the authenticator safe. “User verification” is an extra protection, and authenticators handle this in different ways. Most authenticators will ask for a PIN.

    Hope that helps you.

    Thread Starter josevirtual

    (@josevirtual)

    That’s right. However, as I have mentioned in my edited review, FIDO U2F should never allow access without a password. Only WebAuthn (FIDO2) is secure enough to allow passwordless authentication. It is a basic rule regarding secure authentication.

    Everything else looks fine for me in the plugin.

    Plugin Author Axton

    (@axton)

    Android doesn’t support user verification, and user verification will not be supported any time soon. So that’s a compromise. You can track this issue here: https://bugs.chromium.org/p/chromium/issues/detail?id=997538

    I believe for most users the default settings are secure enough. If someone else gets your authenticator somehow, they do not know which services this authenticator has registered with and which username you have used, so they cannot log in to your account. Users who have higher security expectations can enable the user verification feature, which is a FIDO2-only feature and will make the plugin reject all U2F authenticators.

    Anyway, I’ll add a security warning next to the user verification option in later versions of this plugin. Thank you for using WP-WebAuthn and sorry for the inconvenience.
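As an added illustration (not WP-WebAuthn’s own code), here is the server-side check behind the “user verification” setting discussed in both of Axton’s replies: with every WebAuthn assertion the authenticator returns an authenticator-data blob whose flags byte records what the user did. A plain touch on a U2F-style key sets only the “user present” (UP) bit; a PIN or fingerprint additionally sets “user verified” (UV). A relying party that requires UV rejects assertions without it, which is why U2F-only keys stop working once the option is on. The relying-party ID example.com, the function names and the sample blobs are constructed for this example; the signature check that precedes this step in a real verifier is left out.

```python
"""Relying-party policy check on the WebAuthn authenticator-data flags byte.

Added illustration, not WP-WebAuthn's code. Layout of authenticator data
(WebAuthn spec, section 6.1): rpIdHash (32 bytes) | flags (1 byte) |
signCount (4 bytes, big-endian) | optional attested credential data / extensions.
"""
from __future__ import annotations

import hashlib
import struct

# Bit positions in the flags byte
FLAG_UP = 0x01  # user present: the user touched the authenticator
FLAG_UV = 0x04  # user verified: PIN, fingerprint or other local verification
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows

MIN_AUTH_DATA_LEN = 32 + 1 + 4


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticator data into its fields."""
    if len(auth_data) < MIN_AUTH_DATA_LEN:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
    }


def check_assertion_policy(
    auth_data: bytes,
    rp_id: str,
    require_uv: bool,
    stored_sign_count: int = 0,
) -> tuple[bool, str]:
    """Apply the relying party's policy to a parsed assertion.

    - rpIdHash must equal SHA-256 of the RP ID we expect (phishing-resistance check).
    - UP must always be set (a touch happened).
    - UV must be set when the "user verification" option is on; a U2F-style
      touch-only assertion fails here.
    - If either counter is non-zero, the new signCount must exceed the stored
      one; otherwise the authenticator may have been cloned.
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not parsed["user_present"]:
        return False, "user presence flag not set"
    if require_uv and not parsed["user_verified"]:
        return False, "user verification required but UV flag not set"
    if (parsed["sign_count"] or stored_sign_count) and parsed["sign_count"] <= stored_sign_count:
        return False, "signature counter did not increase (possible cloned authenticator)"
    return True, "ok"


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build a constructed authenticator-data blob for testing (no real signature)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


# Constructed samples: what a touch-only key and a PIN-protected key would return
RP_ID = "example.com"
TOUCH_ONLY = make_auth_data(RP_ID, FLAG_UP, 7)
PIN_AND_TOUCH = make_auth_data(RP_ID, FLAG_UP | FLAG_UV, 8)

if __name__ == "__main__":
    for label, blob in (("touch only", TOUCH_ONLY), ("PIN + touch", PIN_AND_TOUCH)):
        for require_uv in (False, True):
            ok, reason = check_assertion_policy(blob, RP_ID, require_uv)
            print(f"{label:12} require_uv={require_uv!s:5} -> {ok} ({reason})")
```

With `require_uv=False` (the plugin’s default) both blobs pass; with it enabled the touch-only blob is rejected, which matches the behaviour described above. The counter check is the spec’s recommended clone detection and is independent of the UV setting.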

    Thread Starter josevirtual

    (@josevirtual)

    Thanks for your answer. I think that the warning is a good idea.

    Android users should use their password; U2F should never be the only security factor. The username is not a secure factor at all: on many WordPress websites it is very easy to find, and since people reuse usernames, hackers may easily guess them. You probably should allow password access for every user that does not use FIDO2.

    Summarizing, the FIDO standards are designed to be used in this way:

    Username + Password + FIDO U2F
    Only FIDO2, or just with the username

    Many companies even ask for password + FIDO2

    I hope this helps

  • The topic ‘Works fine, except for one thing’ is closed to new replies.