Can we use this to migrate existing U2F keys? about wax HOT 7 OPEN

Maybe you've got more info here: https://www.stackallocated.com/blog/2019/u2f-to-webauthn/#pitfalls and the following section.

Not much time to work on it this week, so let me know if you can generate a valid response that I can include in tests as a starting point.

from wax.

Existing keys remain valid but the appid extension has to be supported, which is not currently the case in Wax. Doesn't seem to be very complicated to do, but can't guarantee it isn't and I'd like to implement a framework for extension as a whole.

Is it related to an incoming U2F Chrome deprecation or something?

from wax.

I see, I though that would be the case.

Is it related to an incoming U2F Chrome deprecation or something?

Yes, I was trying to migrate existing user keys seamlessly, but I think I will probably skip that for now then.

Looking forward for the extension framework and thanks for the quick reply!

from wax.

If I understood correctly, U2F is deprecated since Chrome 95 and will be disable in the coming weeks (or months?) in Chrome 98, right?

It doesn't look like a complicated feature to implement, but I'm trying to asses the urgency and the impact.

from wax.

Yes, it will be disabled next month, not sure about the impact in the beginning of February. When using a hardware key some people receive a prompt asking if they want to allow it with the following warning (translated from original language):

"This site will not be able to use U2F API after February 2022. If this site is yours you should update it to use Web Authentication API"

When looking into this post with a timeline we get (though not sure about how accurate it is):

M98 | February 2022 | Disable the U2F API by default; but keep it available to sites on the Deprecation Trial

I'm not sure what the "Deprecation Trial" means, maybe some simple warning or maybe an extra security step/warning, e.g. when a site is using a self-signed certificate.

from wax.

Anyway, I'd need a test case for this, so if you can provide me with a authentication response using appid that'd help a lot.

from wax.

I would, but to be honest I was not able to generate one, I just did an initial try by generating a challenge with this library (which is probably wrong and should do it with the old one), and used the key_handle from u2f for the id in the allowCredentials, but somehow it always failed.

I have to say that this was entirely exploratory and I don't understand all the details of the standard, so there might have also been some simple errors from my part, even in converting data between representations. If you have a suggestion for me to generate one I can give it a go.

I did find some references in ruby that could be useful if I were to try and actually do it myself and which could help in this situation like:

1. Demo that goes from U2F to WebAuthn - link
2. Migration guide - link

from wax.