U2F Multi-Factor Authentication in Chrome


This issue was fixed in the 3.1.0 release of Kion. We now use the Web Authentication API instead of the U2F API. If you use U2F authentication, we strongly suggest upgrading to the latest release of Kion.

U2F (FIDO Universal Second Factor) is an optional multi-factor authentication method for the Kion internal directory. It enables using FIDO U2F authentication devices such as a YubiKey.

Chrome 95+ now displays a deprecation warning if you are using a web application, such as Kion, with U2F authentication via the U2F API. Starting with Chrome 98 (available for beta in January 2022 and generally available in February 2022), the U2F API will be disabled by default.

This does not impact you if you use U2F devices through a SAML 2.0 provider. This does not impact you if you use TOTP authentication (Google Authenticator, etc.) for the Kion internal directory.

This issue was fixed in the 3.1.0 release of Kion. If you do not upgrade to the latest release of Kion, you should not plan to upgrade to Chrome 98.

User Experience

All Kion users using U2F for multi-factor authentication with the Kion internal directory will start receiving the following message in Chrome:

This site won't be able to use the U2F API after February 2022. If you own this site, you should change it to use the Web Authentication API.

Users must select Allow from the dialog to continue each time they access Kion. Selecting Block disables their two-factor authentication.

Until You are Able to Upgrade

If you are unable to upgrade to v3.1.0 or later, we suggest identifying impacted users and limiting the issue's impact on them as much as possible.

Identify Impacted Users

You can identify user accounts that currently have U2F enabled using a query against the database.

To query the database:

  1. Connect to one of your Kion app nodes.
  2. Access the root directory using sudo su -.
  3. Connect to the database using dbconnect.
  4. Once you are at the mysql> prompt, enter:
    select username,email from user where idms_id = 1 and id in (select distinct user_id from yubikey_app_user where deleted_at is null) and deleted_at is null;
  5. You will see a list of users using U2F authentication and their email addresses.
    • Any listed users are impacted by this issue. See the Limit User Impact section for details on what to do next.
    • An empty result indicates that you have no affected users in your system. No further action is required.

Limit User Impact

Once you have identified which users in your system are impacted by this issue, we recommend:

  • Notify your impacted users. Let the impacted users know that they should not update to the Chrome 98 beta in January.
  • Follow this page. Click the Follow button at the top right of this page to ensure that you receive any additional information that we add.

Alternate Paths

If you are unable to update your environment but are impacted by this issue, consider these workarounds to limit user impact.

Implement the Google Enterprise Policy for Chrome

Temporarily switch to TOTP multi-factor authentication

Implement SAML 2.0 with 2FA