Skip to content

Remove U2F#439

Merged
georgestephanis merged 10 commits intomasterfrom
remove/fido-u2f
Mar 1, 2026
Merged

Remove U2F#439
georgestephanis merged 10 commits intomasterfrom
remove/fido-u2f

Conversation

@georgestephanis
Copy link
Collaborator

@georgestephanis georgestephanis commented Apr 20, 2022

As discussed with @jeffpaul with its deprecation we should remove the provider.

@jeffpaul jeffpaul requested a review from kasparsd April 20, 2022 19:51
@jeffpaul jeffpaul added this to the 0.8.0 milestone Apr 20, 2022
@jeffpaul
Copy link
Member

jeffpaul commented Apr 20, 2022

@kasparsd note that this relates to #423 (comment) wherein the next step after removing U2F is the determining the best path forward from here (happy to hear your input there).

@georgestephanis
Copy link
Collaborator Author

georgestephanis commented Apr 21, 2022

So this handles the code change, my only uncertainty at this point is whether we should do something to handle the data / ux.

That being, if someone had U2F enabled, but no other providers, would its sudden absence disable 2fa on their account entirely, and is that a case in which we should force enable an alternative, such as emailed codes so there is still some second factor?

kasparsd
kasparsd reviewed Apr 21, 2022
View reviewed changes
@kasparsd
Copy link
Collaborator

kasparsd commented Apr 21, 2022

That being, if someone had U2F enabled, but no other providers, would its sudden absence disable 2fa on their account entirely, and is that a case in which we should force enable an alternative, such as emailed codes so there is still some second factor?

Yeah, this is a really important point!

Otherwise this looks good!

@georgestephanis
Copy link
Collaborator Author

georgestephanis commented Apr 22, 2022

@jeffpaul Do you have any thoughts on what the workflow should be if a user only has u2f enabled but no others?

@r-a-y r-a-y mentioned this pull request May 13, 2022
Closed
@dziudek
Copy link

dziudek commented May 20, 2022

Hi,

U2F will be removed in v.0.8 but it will be still possible to use physical keys with webauthn? #427

Also - when we can expect v.0.8 release?

@jeffpaul
Copy link
Member

jeffpaul commented Sep 9, 2022

@georgestephanis if a user only has U2F enabled and the plugin is updated to whatever version this removal will be part of (e.g. 0.8.0), then we could possibly go with one of the following:

  • Enable and set Primary on their Email method (this relies on them still having access to the email attached to their profile but at least keeps 2FA active for them)
  • Add a non-dismissable (until resolved) admin notice for affected users directing them to the 2FA portion of their profile to enable a new method (not a huge fan of adding another admin notice to what could be a lengthy list already, but this would be a more graceful yet less 2FA-secure approach)
  • something else I've yet to consider?

What are your thoughts on this?

@jeffpaul jeffpaul modified the milestones: 0.7.2, 0.8.0 Sep 12, 2022
@iandunn
Copy link
Member

iandunn commented Oct 14, 2022
edited
Loading

If we end up switching libraries in #427, then I think we could seamlessly migrate the existing U2F keys to the WebAuthn provider.

Update: @mcguffin started a PR for this in #491 🎉

This was referenced Oct 14, 2022
Open
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
This was referenced Nov 2, 2022
Closed
Closed
Closed
Closed
@github-actions
Copy link

github-actions bot commented Feb 18, 2026
edited
Loading

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Unlinked Accounts

The following contributors have not linked their GitHub and WordPress.org accounts: @dziudek.

Contributors, please read how to link your accounts to ensure your work is properly credited in WordPress releases.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Unlinked contributors: dziudek.

Co-authored-by: georgestephanis <georgestephanis@git.wordpress.org>
Co-authored-by: masteradhoc <masteradhoc@git.wordpress.org>
Co-authored-by: kasparsd <kasparsd@git.wordpress.org>
Co-authored-by: ravinderk <ravinderk@git.wordpress.org>
Co-authored-by: jeffpaul <jeffpaul@git.wordpress.org>
Co-authored-by: iandunn <iandunn@git.wordpress.org>
Co-authored-by: TimothyBJacobs <timothyblynjacobs@git.wordpress.org>
Co-authored-by: dd32 <dd32@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@jeffpaul jeffpaul moved this to In review in Two Factor project board Feb 19, 2026
This was referenced Feb 22, 2026
Closed
Open
masteradhoc
masteradhoc approved these changes Feb 26, 2026
View reviewed changes
Copy link
Collaborator

@masteradhoc masteradhoc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this PR @georgestephanis!
Can you check my small comments and commit them if its fine for you. the existing screenshots i already renamed so it will match my proposed commit.

Else PR looks good and can be merged. All noted U2F / Fido Texts were removed correctly and appropriate files removed.

georgestephanis and others added 2 commits February 26, 2026 09:50
@georgestephanis @masteradhoc
Update readme.txt
ac58bc7 
Co-authored-by: Brian <brian@brianhaas.li>
@georgestephanis @masteradhoc
Update readme.txt
1b38c51 
Co-authored-by: Brian <brian@brianhaas.li>
@georgestephanis georgestephanis dismissed ravinderk’s stale review February 26, 2026 14:51

Has been updated since and mitigated.

aslamdoctor added a commit to aslamdoctor/two-factor that referenced this pull request Mar 1, 2026
@aslamdoctor
Revert FIDO/U2F file changes per PR WordPress#818 review
19d592e 
FIDO/U2F files will be removed entirely in PR WordPress#439, so changes
to U2F.php and class-two-factor-fido-u2f-admin.php are unnecessary.
@georgestephanis
Copy link
Collaborator Author

georgestephanis commented Mar 1, 2026

#815 broke this from merging cleanly.

Lemme try to rebase.

@georgestephanis
Copy link
Collaborator Author

georgestephanis commented Mar 1, 2026

No more conflicts, I'd like to get this in before something else breaks it. @masteradhoc -- any objections to me just pulling the trigger once the tests clear?

@masteradhoc
Copy link
Collaborator

masteradhoc commented Mar 1, 2026

@georgestephanis Checks have successfully passed. all good from my side to get U2F out :)

@georgestephanis georgestephanis merged commit a778ec9 into master Mar 1, 2026
55 checks passed
@github-project-automation github-project-automation bot moved this from In review to Done in Two Factor project board Mar 1, 2026
@georgestephanis
Copy link
Collaborator Author

georgestephanis commented Mar 1, 2026

YEET

@georgestephanis georgestephanis deleted the remove/fido-u2f branch March 1, 2026 12:43
This was referenced Mar 1, 2026
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@masteradhoc masteradhoc masteradhoc approved these changes

@ravinderk ravinderk Awaiting requested review from ravinderk

@kasparsd kasparsd Awaiting requested review from kasparsd

Assignees

@georgestephanis georgestephanis

Labels

FIDO U2F

Projects

Two Factor project board
Status: Done

Milestone

0.16.0

Development

Successfully merging this pull request may close these issues.

9 participants

@georgestephanis @jeffpaul @kasparsd @dziudek @iandunn @TimothyBJacobs @dd32 @masteradhoc @ravinderk