Resolve "Switch to Web Authentication (Webauthn) for 2FA for U2F and FIDO2 tokens"
What does this MR do?
This MR introduces support for the FIDO2 / WebAuthn standard, which supersedes the old U2F (FIDO 1) standard GitLab currently supports for multi-factor authentication. WebAuthn works in more browsers and with more devices.
Although U2F stored credentials are compatible with WebAuthn, this MR intends to gradually migrate (using a background migration) them to WebAuthn stored credentials, ultimately removing U2F completely from the code base. I currently don't know how long this background migration takes for a large production instance, but I'd suggest it is safe to completely remove the u2f_registrations table and other U2F-fallback code in one of the next minor releases after this MR gets into production.
Please note: The background migration currently only works in the specs, but not in "real life" (the migration gets scheduled but not executed - might be a problem with my setup). I might be able to fix this in the next few days, otherwise I'd suggest removing the background migration entirely for now, as this works fine without the migration.
This MR also comes along with "replacing" (almost) every occurrence of "U2F" with "WebAuthn" (UI, docs, code) to avoid any confusion.
Screenshots
Register / Login didn't change very much compared to U2F, so I'll only provide two selected screenshots:
Registration
Updated error screen
WebAuthn returns a DOMException instead of error codes as U2F did, so I've opted to display the names of these exceptions.
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
Database checklist
When adding migrations:
- Updated db/schema.rb
- [-] Added a `down` method so the migration can be reverted
- Added the output of the migration(s) to the MR body
Migration output
== 20191112212815 CreateWebAuthnTable: migrating ==============================
-- create_table(:webauthn_registrations)
-> 0.3665s
-- add_column(:users, :webauthn_id, :string, {:limit=>86})
-> 0.0011s
== 20191112212815 CreateWebAuthnTable: migrated (0.3677s) =====================
== 20191114204551 ConvertU2fToWebauthn: migrating =============================
-- Scheduling ConvertU2fToWebauthn background migration jobs
== 20191114204551 ConvertU2fToWebauthn: migrated (0.0290s) ====================
- Added tests for the migration in spec/migrations if necessary (e.g. when migrating data)
- Added rollback procedure. Include either a rollback procedure or a description of how to roll back changes
When adding tables:
- Ordered columns based on the Ordering Table Columns guidelines
- Added foreign keys to any columns pointing to data in other tables
- Added indexes for fields that are used in statements such as WHERE, ORDER BY, GROUP BY, and JOINs
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
Tested under Ubuntu (Firefox, Chrome), Win10 (Firefox, Chrome, Edge, IE11), Mac OS (Safari) and Android (Chrome) with a security key (YubiKey) and fingerprint sensor (Android).
Closes #22506 (closed) and several other U2F-related issues (such as #24068 (closed), #35109 (closed), #33269 (closed), #25842 (closed))
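For readers who want to see what the U2F-to-WebAuthn credential conversion described in this MR amounts to, here is an added, self-contained Ruby example. It is not the MR's background migration and not GitLab or webauthn-ruby code. It assumes a U2F record holding the raw 65-byte uncompressed P-256 public key, the raw key handle and the signature counter, and a WebAuthn record holding a base64url credential id, a COSE_Key-encoded public key (kty EC2, alg ES256, crv P-256) and the same counter. All function names (cbor_encode, cbor_decode, u2f_to_webauthn, cose_to_ec_public_key, migration_round_trip), the app id https://gitlab.example and the sample inputs are constructed for this example.

```ruby
require 'openssl'
require 'base64'

# Minimal CBOR encoder/decoder covering exactly what a COSE EC2 key needs:
# integers, byte strings and maps (RFC 8949 major types 0, 1, 2 and 5).
def cbor_head(major, n)
  head = major << 5
  if n < 24
    [head | n].pack('C')
  elsif n < 256
    [head | 24, n].pack('CC')
  elsif n < 65_536
    [head | 25, n].pack('Cn')
  else
    raise ArgumentError, 'value too large for this encoder'
  end
end

def cbor_encode(value)
  case value
  when Integer
    value >= 0 ? cbor_head(0, value) : cbor_head(1, -1 - value)
  when String
    cbor_head(2, value.bytesize) + value.b
  when Hash
    value.reduce(cbor_head(5, value.size)) { |acc, (k, v)| acc + cbor_encode(k) + cbor_encode(v) }
  else
    raise ArgumentError, "unsupported type #{value.class}"
  end
end

# Returns [decoded value, position after it].
def cbor_decode(bytes, pos = 0)
  initial = bytes.getbyte(pos)
  major = initial >> 5
  info = initial & 0x1f
  pos += 1
  case info
  when 0..23 then n = info
  when 24 then n = bytes.getbyte(pos); pos += 1
  when 25 then n = bytes.byteslice(pos, 2).unpack1('n'); pos += 2
  else raise ArgumentError, 'unsupported CBOR argument length'
  end
  case major
  when 0 then [n, pos]
  when 1 then [-1 - n, pos]
  when 2 then [bytes.byteslice(pos, n), pos + n]
  when 5
    map = {}
    n.times do
      key, pos = cbor_decode(bytes, pos)
      val, pos = cbor_decode(bytes, pos)
      map[key] = val
    end
    [map, pos]
  else raise ArgumentError, "unsupported CBOR major type #{major}"
  end
end

# Turn one U2F registration (assumed layout: 0x04 || X || Y public key, raw key
# handle, counter) into the values an assumed WebAuthn registration stores.
def u2f_to_webauthn(public_key:, key_handle:, counter:)
  unless public_key.bytesize == 65 && public_key.getbyte(0) == 0x04
    raise ArgumentError, 'expected a 65-byte uncompressed P-256 public key'
  end
  x = public_key.byteslice(1, 32)
  y = public_key.byteslice(33, 32)
  # COSE_Key: 1=kty (2=EC2), 3=alg (-7=ES256), -1=crv (1=P-256), -2=x, -3=y
  cose_key = cbor_encode({ 1 => 2, 3 => -7, -1 => 1, -2 => x, -3 => y })
  {
    credential_id: Base64.urlsafe_encode64(key_handle, padding: false),
    public_key: cose_key,
    counter: counter
  }
end

# Rebuild an OpenSSL EC public key from the COSE_Key, as an assertion verifier
# would, by wrapping the point in a DER SubjectPublicKeyInfo.
def cose_to_ec_public_key(cose_key)
  cose, _end = cbor_decode(cose_key)
  unless cose[1] == 2 && cose[3] == -7 && cose[-1] == 1
    raise ArgumentError, 'not a COSE EC2 / ES256 / P-256 key'
  end
  spki = OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::Sequence.new([
      OpenSSL::ASN1::ObjectId.new('1.2.840.10045.2.1'),   # id-ecPublicKey
      OpenSSL::ASN1::ObjectId.new('1.2.840.10045.3.1.7')  # prime256v1
    ]),
    OpenSSL::ASN1::BitString.new("\x04".b + cose[-2] + cose[-3])
  ])
  OpenSSL::PKey.read(spki.to_der)
end

# Constructed end-to-end check: a fresh P-256 key stands in for the token's key,
# random bytes for its key handle. A U2F-style authentication signature made
# with the token key must verify against the migrated WebAuthn public key.
def migration_round_trip
  token_key = OpenSSL::PKey::EC.generate('prime256v1')
  u2f_public_key = token_key.public_key.to_octet_string(:uncompressed)
  key_handle = OpenSSL::Random.random_bytes(64)
  record = u2f_to_webauthn(public_key: u2f_public_key, key_handle: key_handle, counter: 17)

  # U2F signs: SHA-256(appId) || user-presence byte || counter || SHA-256(client data)
  signed_data = OpenSSL::Digest::SHA256.digest('https://gitlab.example') +
                "\x01".b + [record[:counter] + 1].pack('N') +
                OpenSSL::Digest::SHA256.digest('{"challenge":"constructed"}')
  signature = token_key.sign(OpenSSL::Digest.new('SHA256'), signed_data)

  verifier = cose_to_ec_public_key(record[:public_key])
  verifier.verify(OpenSSL::Digest.new('SHA256'), signature, signed_data)
end

puts(migration_round_trip ? 'migrated key verifies' : 'verification FAILED') if __FILE__ == $PROGRAM_NAME
```

Run with plain ruby; it prints whether a signature from the original token key verifies against the migrated record. The round trip makes the compatibility claim concrete: the migration only changes the storage format (key handle becomes the credential id, the SEC1 point becomes a COSE_Key), while the key material and the counter carry over, so no re-enrolment is needed. A real migration would also want to reject malformed rows instead of silently producing a credential that can never verify, which is what the length and prefix check in u2f_to_webauthn is for.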