Upgrade path question for future two-factor 0.8.0 #400

Closed
riastradh opened this issue Mar 4, 2023 · 3 comments

@riastradh

Suppose I have a WP instance with two-factor 0.7.3 installed, and users have various keys registered with the legacy Chrome U2F API.

This doesn't work with browsers that have phased out U2F but support the modern webauthn API, of course, and wp-two-factor-provider-webauthn provides a migration path to allow the existing key registrations to be used through browsers with webauthn only.

However, it sounds like -- once the maintainers find enough round tuits -- two-factor 0.8.0 will likely support webauthn, judging by WordPress/two-factor#427, and automatic U2F->webauthn migration, judging by WordPress/two-factor#491.

If I install wp-two-factor-provider-webauthn because I need webauthn to work now, and I later upgrade two-factor to 0.8.0, what's the migration path? Can I just deinstall wp-two-factor-provider-webauthn at that point?

  1. Will keys previously registered through two-factor 0.7.3 with the legacy U2F API, and then adapted for webauthn with wp-two-factor-provider-webauthn, continue to work in two-factor 0.8.0 if I deinstall wp-two-factor-provider-webauthn?
  2. Will keys registered through wp-two-factor-provider-webauthn with the modern webauthn API continue to work in two-factor 0.8.0 if I deinstall wp-two-factor-provider-webauthn?
  3. Will there be any manual migration steps needed other than deinstalling wp-two-factor-provider-webauthn?
  4. Do you have any idea when two-factor 0.8.0 might be ready? Days, weeks, months?

I realize none of this can be certain until two-factor 0.8.0 is ready, of course, but I'm hoping I can get a clear enough sense of what the plans are to formulate a plan myself about how best to proceed for a WP instance without risking locking everyone out -- whether to install wp-two-factor-provider-webauthn now and migrate back to two-factor 0.8.0 later, or whether to just wait for two-factor 0.8.0.

And, as an addendum:

  1. If any of the answers to the above questions are likely to be disappointing, would funding lead to better answers? If yes, how much funding and how much better?

@sjinks
Owner

sjinks commented Mar 4, 2023

> Will keys previously registered through two-factor 0.7.3 with the legacy U2F API, and then adapted for webauthn with wp-two-factor-provider-webauthn, continue to work in two-factor 0.8.0 if I deinstall wp-two-factor-provider-webauthn?

They should - my plugin does not alter those data. However, if there are WebAuthn keys added to my plugin, those keys won't be migrated.

> Will keys registered through wp-two-factor-provider-webauthn with the modern webauthn API continue to work in two-factor 0.8.0 if I deinstall wp-two-factor-provider-webauthn?

No, unless two-factor provides a migration path. I can probably create a utility to migrate keys, but unless the PR is approved and merged, it is too early to talk about this: a lot of things may change (some of the maintainers are unhappy about the choice of the WebAuthn library).

> Will there be any manual migration steps needed other than deinstalling wp-two-factor-provider-webauthn?

Probably yes. But again, we need to wait for the PR to be merged.

> Do you have any idea when two-factor 0.8.0 might be ready? Days, weeks, months?

Unfortunately, I have no idea - I am not a maintainer of that plugin (and I don't know any of them). I work for WordPress VIP, and my plugin was an open-source attempt to help our customers using U2F to migrate to WebAuthn once Chrome drops the support for U2F.

> whether to install wp-two-factor-provider-webauthn now and migrate back to two-factor 0.8.0 later, or whether to just wait for two-factor 0.8.0.

You can continue to use wp-two-factor-provider-webauthn with two-factor 0.8. Two Factor's architecture is extendable and allows for creation of third party plugins (like mine).

> If any of the answers to the above questions are likely to be disappointing, would funding lead to better answers? If yes, how much funding and how much better?

I am not sure I can help with two-factor because I am not its maintainer. I wrote the plugin because I didn't have time to wait until the PR gets merged (it's been more than 1 year and it is unclear when it will be merged).

I can help with migration of keys, but again, we will have to wait until something WebAuthn-related lands into two factor's core.

@sjinks
Owner

sjinks commented Mar 4, 2023

This one might be a blocking issue for WebAuthn in two-factor (because one of the complaints was the lack of tests). If I am right, then the answer to your question is likely to be between "weeks" and "months".

@sjinks closed this as completed Mar 18, 2023

@riastradh
Author

Thanks, I decided to go through with using wp-two-factor-provider-webauthn for now since it looks like merging the webauthn branch has been delayed longer. Let's hope, once it is merged, the migration path back to just wp-two-factor isn't too painful!
