U2F Authentication with my own server #95

Closed
niravzaveri opened this issue Dec 2, 2015 · 4 comments

@niravzaveri

Would it be possible that I can specify the U2F Registration/Authentication Server?
That way, I can integrate U2F Mechanism of this plugin with my common server.

This will be particularly helpful in achieving single sign-on mechanism.
This can also be helpful for people who manage more than one Wordpress sites.

@shield-9
Collaborator

shield-9 commented Dec 2, 2015

Short Answer is "No."

There is no plan to support it at the moment.
But you can create a "child plugin" of this plugin. Or a pull request is welcome!

@kasparsd
Collaborator

kasparsd commented Dec 2, 2015

@niravz Are you referring to something like https://github.com/Yubico/php-u2flib-server

You would need to create a custom second factor provider and replace validate_authentication() with something that makes a REST call to validate the U2F response data from the token. Same with authentication_page() and the way it calls self::$u2f->getAuthenticateData( $keys );.

That kind of API approach seems to be vulnerable to a MITM attack where you only need to respond with {"touch": "\u0001", "counter": N} for the authentication to be considered successful.
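
Added example, not code from this plugin or from anyone in this thread, of the relying-party check that a remote "did it validate?" API cannot safely replace: the server keeps the public key it stored at registration and verifies the token's signature itself over SHA256(appId) || user-presence byte || counter || SHA256(clientData), so a bare {"touch": "\u0001", "counter": N} answer with no signature, a replayed counter, a cleared user-presence byte, or a signature from some other key is rejected. It assumes the `cryptography` package is installed; the app ID, client data, key pairs and function names (validate_authentication here is a standalone illustration, not the plugin's method) are constructed for the demo.

```python
import hashlib, struct
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
# Constructed demo values, not real registration data.
APP_ID = "https://wp.example.test"
CLIENT_DATA = b'{"typ":"navigator.id.getAssertion","challenge":"ZGVtbw","origin":"https://wp.example.test"}'
def signed_message(client_data, header):
    # Bytes a U2F token signs: SHA256(appId) || UP byte || counter || SHA256(clientData)
    return hashlib.sha256(APP_ID.encode()).digest() + header[:5] + hashlib.sha256(client_data).digest()

def validate_authentication(pub_key, last_counter, client_data, signature_data):
    # signature_data is the raw signatureData: UP byte, 4-byte BE counter, DER ECDSA signature; returns new counter
    if len(signature_data) <= 5:
        raise ValueError("no signature present; a {touch, counter} summary is not proof")
    user_presence, counter = struct.unpack(">BI", signature_data[:5])
    if not user_presence & 0x01:
        raise ValueError("user presence flag not set")
    if counter <= last_counter:
        raise ValueError("counter did not increase (replay or cloned token)")
    try:
        pub_key.verify(signature_data[5:], signed_message(client_data, signature_data),
                       ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        raise ValueError("signature does not verify against the registered key")
    return counter

def make_response(priv_key, client_data, counter, touch=1):
    # Build signatureData the way a token would (demo helper only).
    header = struct.pack(">BI", touch, counter)
    return header + priv_key.sign(signed_message(client_data, header), ec.ECDSA(hashes.SHA256()))

def demo():
    # Exercise the validator with one genuine response and several that must be rejected.
    priv, other = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    pub = priv.public_key()
    results = {"valid": validate_authentication(pub, 41, CLIENT_DATA, make_response(priv, CLIENT_DATA, 42))}
    bad = {
        "summary_only": struct.pack(">BI", 1, 43),            # counter/touch alone, no signature
        "replay": make_response(priv, CLIENT_DATA, 42),       # counter did not move
        "no_touch": make_response(priv, CLIENT_DATA, 43, 0),  # user-presence byte clear
        "other_key": make_response(other, CLIENT_DATA, 43),   # signed by a key we never registered
    }
    for name, blob in bad.items():
        try:
            validate_authentication(pub, results["valid"], CLIENT_DATA, blob)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results
```

Because the server stores the public key and last counter and does the ECDSA check locally, an intermediary that only relays the exchange has nothing to forge a valid response with.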

@niravzaveri
Author

Thanks @shield-9
@kasparsd
Thanks for the update on how I could do it.
What if I just modify the current plugin - U2F Provider's validate_authentication() and do_register() functions - and let my WP server act as a middle-layer between my client browser and the external server?

That way, I wouldn't do any changes in the authentication_page() functionality - and thereby won't be opening up any vulnerabilities, right?

Thanks.

@iandunn
Member

iandunn commented Oct 20, 2022

U2F is deprecated and no longer works in Chrome, so the provider is being removed in #439. Given that, there's probably no reason to keep this open anymore.

It seems like this feature is best left to an add-on plugin too.

@iandunn iandunn closed this as completed Oct 20, 2022