U2F Multi-Factor Authentication in Chrome


U2F (FIDO Universal Second Factor) is an optional multi-factor authentication method for the Kion internal directory. It lets users authenticate with FIDO U2F devices such as a YubiKey.

Chrome 95+ now displays a deprecation warning if you are using a web application, such as Kion, with U2F authentication via the U2F API. Starting with Chrome 98 (available for beta in January 2022 and generally available in February 2022), the U2F API will be disabled by default.

This does not impact you if you use U2F devices through a SAML 2.0 provider. This does not impact you if you use TOTP authentication (Google Authenticator, etc.) for the Kion internal directory.

There will be a Kion update before the general release in February 2022 that will address this problem. You should not plan to upgrade to Chrome 98 when the beta is released in January 2022.

User Experience

All Kion users using U2F for multi-factor authentication with the Kion internal directory will start receiving the following message in Chrome:

This site won't be able to use the U2F API after February 2022. If you own this site, you should change it to use the Web Authentication API.

Users must select Allow from the dialog to continue each time they access Kion. Selecting Block disables their two-factor authentication.

Until the Update is Released

An update to Kion that addresses the use of the U2F API will be released shortly. We anticipate releasing this update late December 2021/early January 2022. This fix will be in a Kion 3.X release. While we are working on this release, we suggest identifying impacted users and limiting the issue's impact on them as much as possible.

Identify Impacted Users

You can identify user accounts that currently have U2F enabled using a query against the database.

To query the database:

  1. Connect to one of your Kion app nodes.
  2. Switch to the root user using sudo su -.
  3. Connect to the database using dbconnect.
  4. Once you are at the mysql> prompt, enter:

          select username, email from user
          where idms_id = 1
            and id in (select distinct user_id from yubikey_app_user where deleted_at is null)
            and deleted_at is null;
  5. You will see a list of users using U2F authentication and their email addresses.
    • Any listed users are impacted by this issue. See the Limit User Impact section for details on what to do next.
    • An empty result indicates that you have no affected users in your system. No further action is required.
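
To show which accounts the query in step 4 keeps and which it drops, this added example (not Kion code) runs it against constructed tables in an in-memory SQLite database standing in for the MySQL database. The table layouts, the sample users, and the helper names build_sample_db and impacted_users are assumptions limited to the columns the query references.

```python
import sqlite3

# The query from step 4, unchanged apart from whitespace.
U2F_USERS_QUERY = """
select username, email from user
where idms_id = 1
  and id in (select distinct user_id from yubikey_app_user where deleted_at is null)
  and deleted_at is null
"""

def build_sample_db():
    """Constructed stand-in tables holding only the columns the query reads."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table user (id integer primary key, username text, email text,
                           idms_id integer, deleted_at text);
        create table yubikey_app_user (id integer primary key, user_id integer,
                                       deleted_at text);
    """)
    # Constructed sample accounts, one per case the filters distinguish.
    db.executemany("insert into user values (?, ?, ?, ?, ?)", [
        (1, "alice", "alice@example.com", 1, None),          # one active key
        (2, "bob",   "bob@example.com",   1, None),          # key was removed
        (3, "carol", "carol@example.com", 1, "2021-11-01"),  # account deleted
        (4, "dave",  "dave@example.com",  2, None),          # idms_id is not 1
        (5, "erin",  "erin@example.com",  1, None),          # two active keys
        (6, "frank", "frank@example.com", 1, None),          # never had a key
    ])
    # Columns: id, user_id, deleted_at (null means the registration is live).
    db.executemany("insert into yubikey_app_user values (?, ?, ?)", [
        (1, 1, None), (2, 2, "2021-10-15"), (3, 3, None),
        (4, 4, None), (5, 5, None), (6, 5, None),
    ])
    return db

def impacted_users(db):
    """Return the (username, email) rows the query reports, sorted by username."""
    return sorted(db.execute(U2F_USERS_QUERY).fetchall())

if __name__ == "__main__":
    for username, email in impacted_users(build_sample_db()):
        print(f"{username}\t{email}")
```

Only alice and erin are reported: a removed key, a deleted account, or an idms_id other than 1 each takes a user off the list, and a user with several active keys appears once.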

Limit User Impact

Once you have identified which users in your system are impacted by this issue, we recommend:

  • Notify your impacted users. Let the impacted users know that they should not update to the Chrome 98 beta in January.
  • Follow this page. Click the Follow button at the top right of this page to ensure that you receive the most up-to-date information about upgrading to the upcoming release.

Alternate Paths

If you are unable to update your environment but are impacted by this issue, consider these workarounds to limit user impact.

  • Implement the Google Enterprise Policy for Chrome
  • Temporarily switch to TOTP multi-factor authentication
  • Implement SAML 2.0 with 2FA

 
