
Resolve "Switch to Web Authentication (Webauthn) for 2FA for U2F and FIDO2 tokens"

Jan Beckmann requested to merge kingjan1999/gitlab-ee:22506-webauthn into master

What does this MR do?

This MR introduces support for the FIDO2 / WebAuthn standard, which supersedes the old U2F (FIDO 1) standard GitLab currently supports for multi-factor authentication. WebAuthn works in more browsers and with more devices.

Although U2F stored credentials are compatible with WebAuthn, this MR intends to gradually migrate them (using a background migration) to WebAuthn stored credentials, ultimately removing U2F completely from the code base. I currently don't know how long this background migration takes for a large production instance, but I'd suggest it is safe to completely remove the u2f_registrations table and other U2F-fallback code in one of the next minor releases after this MR gets into production. Please note: the background migration currently only works in the specs, but not in "real life" (the migration gets scheduled but not executed; this might be a problem with my setup). I might be able to fix this in the next few days; otherwise I'd suggest removing the background migration entirely for now, as this works fine without the migration.

This MR also comes along with "replacing" (almost) any occurrence of "U2F" with "WebAuthn" (UI, Docs, Code) to avoid any confusion.

Screenshots

Register / Login didn't change very much compared to U2F, so I'll only provide two selected screenshots:

Registration

Register

Updated error screen

WebAuthn returns DOMException instead of error codes as U2F did, so I've opted to display the names of these exceptions.

Login error screen

Does this MR meet the acceptance criteria?

Conformity

Database checklist

When adding migrations:

  • Updated db/schema.rb
  • [-] Added a down method so the migration can be reverted
  • Added the output of the migration(s) to the MR body
    Migration output:

    ```
    == 20191112212815 CreateWebAuthnTable: migrating ==============================
    -- create_table(:webauthn_registrations)
       -> 0.3665s
    -- add_column(:users, :webauthn_id, :string, {:limit=>86})
       -> 0.0011s
    == 20191112212815 CreateWebAuthnTable: migrated (0.3677s) =====================

    == 20191114204551 ConvertU2fToWebauthn: migrating =============================
    -- Scheduling ConvertU2fToWebauthn background migration jobs
    == 20191114204551 ConvertU2fToWebauthn: migrated (0.0290s) ====================
    ```
  • Added tests for the migration in spec/migrations if necessary (e.g. when migrating data)
  • Added rollback procedure. Include either a rollback procedure or a description of how to roll back changes

When adding tables:

  • Ordered columns based on the Ordering Table Columns guidelines
  • Added foreign keys to any columns pointing to data in other tables
  • Added indexes for fields that are used in statements such as WHERE, ORDER BY, GROUP BY, and JOINs

Availability and Testing

Tested under Ubuntu (Firefox, Chrome), Win10 (Firefox, Chrome, Edge, IE11), Mac OS (Safari) and Android (Chrome) with a security key (YubiKey) and fingerprint sensor (Android).

Closes #22506 and several other U2F-related issues (such as #24068, #35109, #33269, #25842)

Edited by Jan Beckmann
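The compatibility claim in the description (U2F stored credentials can be carried over into WebAuthn storage) as an added example that is not part of this MR or of GitLab's code: it converts a constructed U2F registration row into the COSE_Key form WebAuthn stores and checks that a signature made by the original key still verifies against the converted credential. The row layout (base64url key handle, standard-base64 65-byte uncompressed P-256 public key), the field name credential_xid and the hand-rolled CBOR encoder are assumptions for illustration, not GitLab's schema or migration.

```ruby
require 'base64'
require 'openssl'

# Build a constructed U2F registration row from a fresh test key. Assumed layout:
# base64url key handle, standard base64 of the 65-byte uncompressed P-256 point.
def u2f_registration_for(ec_key, counter: 42)
  raw_point = ec_key.public_key.to_bn.to_s(2) # 0x04 || X(32 bytes) || Y(32 bytes)
  { key_handle: Base64.urlsafe_encode64(OpenSSL::Random.random_bytes(64), padding: false),
    public_key: Base64.strict_encode64(raw_point), counter: counter }
end

# Encode the raw U2F point as the COSE_Key map WebAuthn stores
# ({1: 2, 3: -7, -1: 1, -2: x, -3: y}); the CBOR is hand-rolled so no gem is needed.
def cose_key_from_u2f_public_key(raw_point)
  unless raw_point.bytesize == 65 && raw_point.getbyte(0) == 0x04
    raise ArgumentError, 'expected 65-byte uncompressed P-256 point'
  end
  x = raw_point.byteslice(1, 32)
  y = raw_point.byteslice(33, 32)
  [0xA5, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01].pack('C*') + # map(5) kty=EC2 alg=ES256 crv=P-256
    [0x21, 0x58, 0x20].pack('C*') + x +                   # -2 => bytes(32) x
    [0x22, 0x58, 0x20].pack('C*') + y                     # -3 => bytes(32) y
end

# Convert one U2F row into the fields a WebAuthn credential row would hold (field
# names assumed). The key handle is already base64url, so it is the credential ID.
def convert_u2f_registration(u2f)
  raw_point = Base64.strict_decode64(u2f[:public_key])
  { credential_xid: u2f[:key_handle],
    public_key: Base64.strict_encode64(cose_key_from_u2f_public_key(raw_point)),
    counter: u2f[:counter] }
end

# Rebuild an OpenSSL key from the stored COSE_Key so a signature made by the
# original U2F key can be checked against the converted credential.
def openssl_key_from_cose(cose_b64)
  cose = Base64.strict_decode64(cose_b64)
  raise ArgumentError, 'unexpected COSE_Key layout' unless cose.bytesize == 77
  point = "\x04".b + cose.byteslice(10, 32) + cose.byteslice(45, 32)
  algo = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::ObjectId('id-ecPublicKey'),
                                  OpenSSL::ASN1::ObjectId('prime256v1')])
  OpenSSL::PKey.read(OpenSSL::ASN1::Sequence([algo, OpenSSL::ASN1::BitString(point)]).to_der)
end
```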
