U2F Keys broken with WordPress 6.2

[openaiken]

Describe the bug

When I first installed this plugin, I was running 6.1 and the plugin version was 0.7.3. It worked perfectly then. Since then, my WordPress automatically updated to 6.2, and two-factor updated twice -- from 0.7.3 to 0.8.0, and then from 0.8.0 to 0.8.1.

When logging into an account that default's to U2F for the 2nd factor, the page loads directing the user to insert and press the key, but there is no longer a prompt for the key.

Alternate login methods still work if enabled for the user.

I bypassed the issue by logging into the backend, removing /public_html/wp-content/plugins/two-factor, logging in with just 1 factor, installing+activating the plugin again, and then editing both of my user accounts to have TOTP codes enabled as a backup. The behavior persists, but the backup option works so I'm good to go. Can't say the same for a user that posted ~3 days ago on the Wordpress.com forum.

Steps to Reproduce

1. WordPress 6.2
2. two-factor 0.8.1
3. enable U2F keys for a user
4. log out and test logging into that user

Screenshots, screen recording, code snippet

No response

Environment information

WP 6.2, using just the default Twenty Twenty-Three theme. I'm running WP in an Ubuntu sandbox via Virtualmin. I am running the most recent versions of Firefox and open-source Chromium on Manjaro (arch-based, stable branch) Linux, with Gnome.

Please confirm that you have searched existing issues in this repository.

Yes

Please confirm that you have tested with all plugins deactivated except Two-Factor.

Yes

[openaiken]

To clarify... I recognize that the plugin is not tested with 6.2. I am simply reporting that this particular feature seems to have been broken, as I did not see a similar report on the wp forum or on this project's issues.

The other plugins I have activated are just ActivityPub and NodeInfo, nothing else. Hope this helps!

Thank you so much for making this plugin to begin with.

[iandunn]

Are you using U2F on any other sites? IIRC all the major browsers have already disabled it, so it won't work anywhere. We're updating the plugin to migrate to WebAuthn in #423 / #427, but it's not ready yet.

You could install https://wordpress.org/plugins/two-factor-provider-webauthn/ in the meantime, and your existing keys should still work.

Let me know if that's not the problem, though.

[openaiken]

@iandunn you know what, I used "U2F" flippantly because that's what it read in the User Settings, but your comment made me realize that we're talking about FIDO/U2F versus FIDO2/WebAuthn, and that might be the difference.

Thanks for showing me the issues where you are upgrading. I will happily wait until y'all feel that it is ready.

[iandunn]

Sounds good, thanks! 👍🏻

[guyru]

If you're using firefox, you can still enable U2F by going to about:config and setting security.webauth.u2f to true

[openaiken]

If you're using firefox, you can still enable U2F by going to about:config and setting security.webauth.u2f to true

thank you for this! I didn't know it was toggleable, this is a great workaround for now.

[guyru]

The security.webauth.u2f workaround for Firefox seems to have stopped working :-(.

[openaiken]

The security.webauth.u2f workaround for Firefox seems to have stopped working :-(.

Shot/chaser. Hate to see it :/ lol