U2F Multi-Factor Authentication in Chrome
This issue was fixed in the 3.1.0 release of Kion. We now use the Web Authentication API instead of the U2F API. If you use U2F authentication, we strongly suggest upgrading to the latest release of Kion.
U2F (FIDO Universal Second Factor) is an optional multi-factor authentication method for the Kion internal directory. It enables using FIDO U2F authentication devices such as a Yubikey.
Chrome 95+ now displays a deprecation warning if you are using a web application, such as Kion, with U2F authentication via the U2F API. Starting with Chrome 98 (available for beta in January 2022 and generally available in February 2022), the U2F API will be disabled by default.
This does not impact you if you use U2F devices through a SAML 2.0 provider. This does not impact you if you use TOTP authentication (Google Authenticator, etc.) for the Kion internal directory.
This issue was fixed in the 3.1.0 release of Kion. If you do not upgrade to the latest release of Kion, you should not plan to upgrade to Chrome 98.
All Kion users using U2F for multi-factor authentication with the Kion internal directory will start receiving the following message in Chrome:
This site won't be able to use the U2F API after February 2022. If you own this site, you should change it to use the Web Authentication API.
Users must select Allow in the dialog each time they access Kion in order to continue. Selecting Block disables their two-factor authentication.
Until You are Able to Upgrade
If you are unable to upgrade to v3.1.0 or later, we suggest identifying impacted users and limiting the issue's impact on them as much as possible.
Identify Impacted Users
You can identify user accounts that currently have U2F enabled using a query against the database.
To query the database:
- Connect to one of your Kion app nodes.
- Switch to the root user using sudo su -.
- Connect to the database using dbconnect.
Once you are at the mysql> prompt, enter:
select username,email from user where idms_id = 1 and id in (select distinct user_id from yubikey_app_user where deleted_at is null) and deleted_at is null;
You will see a list of users using U2F authentication and their email addresses.
- Any listed users are impacted by this issue. See the Limit User Impact section for details on what to do next.
- An empty result indicates that you have no affected users in your system. No further action is required.
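The database query above tells you who has U2F enabled; cross-checking it against web server access logs shows which of those users are already on a Chrome build that warns (95 to 97) or disables the U2F API (98+). The following is an added example, not Kion's own tooling: it assumes a combined-style access log with the username in the third field, and the log lines are constructed for illustration.

```python
import re

# Constructed sample access-log lines (not from any real Kion deployment).
SAMPLE_LOG = """\
10.0.0.5 - alice [03/Jan/2022:09:12:01 +0000] "GET /login HTTP/1.1" 200 512 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36"
10.0.0.6 - bob [03/Jan/2022:09:13:44 +0000] "GET /login HTTP/1.1" 200 512 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36"
10.0.0.7 - carol [03/Jan/2022:09:14:02 +0000] "GET /login HTTP/1.1" 200 512 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62"
10.0.0.8 - dave [03/Jan/2022:09:15:30 +0000] "GET /login HTTP/1.1" 200 512 "Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0"
10.0.0.9 - erin [03/Jan/2022:09:16:11 +0000] "GET /login HTTP/1.1" 200 512 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36"
"""

# Assumed log layout: client ident user [time] "request" status bytes "user-agent"
LOG_RE = re.compile(r'^\S+ \S+ (?P<user>\S+) \[[^\]]+\] "[^"]*" \d{3} \d+ "(?P<ua>[^"]*)"$')
CHROME_RE = re.compile(r'\bChrome/(\d+)\.')
# Chromium-based browsers also send a Chrome/ token but ship on their own schedule,
# so they are reported separately instead of being treated as Google Chrome.
OTHER_CHROMIUM_TOKENS = ('Edg/', 'EdgA/', 'OPR/', 'SamsungBrowser/', 'YaBrowser/')


def classify_user_agent(ua):
    """Classify a User-Agent against the Chrome U2F deprecation schedule:
    'disabled' (Chrome 98+), 'warning' (95-97), 'ok' (older Chrome),
    'other-chromium' (Edge, Opera, ...) or 'not-chrome'."""
    m = CHROME_RE.search(ua)
    if not m:
        return 'not-chrome'
    if any(token in ua for token in OTHER_CHROMIUM_TOKENS):
        return 'other-chromium'
    major = int(m.group(1))
    if major >= 98:
        return 'disabled'
    if major >= 95:
        return 'warning'
    return 'ok'


def triage(log_text):
    """Map each username to the most severe state seen across its requests."""
    rank = {'not-chrome': 0, 'other-chromium': 1, 'ok': 2, 'warning': 3, 'disabled': 4}
    result = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        user, state = m.group('user'), classify_user_agent(m.group('ua'))
        if rank[state] > rank.get(result.get(user), -1):
            result[user] = state
    return result


if __name__ == '__main__':
    for user, state in sorted(triage(SAMPLE_LOG).items()):
        print(f'{user}: {state}')
```

Intersect the resulting usernames with the U2F user list from the database query; only users in both sets need the notification or the TOTP switch described below.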
Limit User Impact
Once you have identified which users in your system are impacted by this issue, we recommend:
- Notify your impacted users. Let them know that they should not update to the Chrome 98 beta in January.
- Follow this page. Click the Follow button at the top right of this page to ensure that you receive any additional information that we add.
If you are unable to update your environment but are impacted by this issue, consider these workarounds to limit user impact.
Implement the Google Enterprise Policy for Chrome
Google provides an enterprise policy for Chrome that can be applied to mitigate this issue in managed environments. For more information, see Google's article U2fSecurityKeyApiEnabled.
Temporarily switch to TOTP multi-factor authentication
The Kion internal directory supports TOTP authentication with applications like Google Authenticator and Microsoft Authenticator.
To enable TOTP multi-factor authentication:
- Login to Kion as an administrator.
- Navigate to Users > All Users.
- Filter the list of users by selecting Internal Directory for the IDMS in the filter bar.
- Click the ellipses menu next to an affected user and select Edit.
- Change Enforce MFA to TOTP.
- Click Update to apply the change. The user will be prompted to configure the new method of authentication upon login.
- Repeat this process for each affected user that you identified.
As an alternative to the Kion internal directory, you can implement SAML 2.0 using the provider of your choice. Kion apps are available in the directories of many major SAML 2.0 providers, including Okta, OneLogin, Auth0, and Azure Active Directory.
Some providers may still have Kion listed as cloudtamer.io. The integration still works.
For more information, see Add a SAML 2 IDMS.