kryptco / kr-u2f

DEPRECATED: A browser extension that lets you use your phone as a U2F/WebAuthn authenticator for strong, unphishable 2FA.

Home Page: https://krypt.co

Languages: Makefile 0.84%, TypeScript 48.43%, JavaScript 45.85%, SCSS 4.88%
Topics: webauthn, security keys, fido2, u2f, extension

kr-u2f's People

Contributors

agrinman, jameswald, peterstaev

kr-u2f's Issues

Toggle Krypton extension on and off

Would love it if I could toggle Krypton on and off from the browser-action icon for when I need to use my physical key to login and add Krypton. It's a bit of a hassle to go and disable and then re-enable the extension each time.

Only useable with Desktop Browsers

The problem with 2FA is that you will need a desktop browser when switching this on.
You can't access Facebook, Google, GitHub etc. any longer with a smartphone/tablet browser because no add-ons exist for them.
Where is the mobile-first approach...

Inject Iframes

Iframes aren't injected with the krypton javascript.

Use case: I use Bitwarden as password manager, and it uses an iframe (https://vault.bitwarden.com/u2f-connector.html?data=...) in their extension to load a page that triggers the U2F key.
Opening that iframe in a separate window injects the JavaScript, and Krypton works.

Krypton Android app only "pairs" when QR generator code is altered

As said in the title, the Android Krypton app only recognises the QR code when the following code is changed:

kr-u2f/src/krpairing.ts

Lines 240 to 244 in e46af36

async render() {
  let payload = await stringify(this);
  let url = 'https://get.krypt.co/#' + await to_base64_url(payload);
  return qr.imageSync(url, { type: 'svg', ec_level: 'L' });
}

into something like this:

async render() {
  let payload = await stringify(this);
  return qr.imageSync(payload, { type: 'svg', ec_level: 'L' });
}

The above generates a similar JSON object as the kr CLI utility does instead of kr-u2f's base64 URL string.

The app just doesn't scan the QR code if it's left to the default URL format string.
I don't know if a patch is intended for the Krypton Android app or not, but yeah.

The app also pairs, but the extension doesn't seem to notice. On further investigation though (by inspecting the popup window), the following error is thrown: onMessage: krypton out of date

Versions are as follows:
Krypton Android: 2.4.5 (latest at time of writing)
Krypton U2F: 2.4.4 (krpairing.ts) (latest at time of writing) (1.0.3 manifest.json)
Chrome: Version 67.0.3396.99 (Official Build) (64-bit) (latest at time of writing)

Token registered on Firefox doesn't work on Chrome paired afterwards

I wanted to test if logins would work cross-browser, and also on browsers paired after the U2F token was registered. I attempted to register my phone as a U2F device on my GitHub account with Firefox, and I was able to do so and then log in with it, but when I then paired a Chromium-based browser and tried to log in I was never prompted on my phone.

Problems with WebAuthn and Chrome

There seems to be some funkiness around WebAuthn. Currently, I'm testing against https://webauthn.io

Registration:
Registration succeeds, but the browser-provided pop-up never goes away. On the client-side JavaScript, the registration callback is successfully being called.

Authentication/Login:
The Login prompt automatically assumes TPM mode, but maybe that's because I've previously authenticated with it. In this case, it seems to be impossible to revert back to cross-platform/USB key mode.

Details:
Extension Version: 1.0.17
Chrome Version: 73.0.3683.103 (64-bit OSX)
Website: https://webauthn.io

Add support for Safari

Could you use this polyfill while we wait for Apple to implement U2F on Safari for macOS? This would shorten the time needed to have Krypton working on Safari.
We're willing to work on this one if you guys would accept a PR later.

Failing to log in using Firefox

Since a few days I've been unable to log in using Firefox (https://twitter.com/magthe/status/1282555307919585281?s=20).

Computer

OS: Linux (ArchLinux, 5.7.8-arch1-1)
Browser: Firefox 78.0.2 (64-bit) (I've tried 78.0 and 78.0.1 too)
Add-on version: 1.0.18

Mobile

Android: 10
Make and model: Mi A2
App version: 2.5.5

Behaviour

When trying to log in the phone app says I'm logged in but the site never moves past the login page.

I see the following in the browser's console:

wrap failed with error: EvalError: call to eval() blocked by CSP content_script.js:14166:17
    injectU2fInterface moz-extension://afa8a50f-8845-4db0-9c46-6ee4fd7c0dfa/js/content_script.js:14166
    679 moz-extension://afa8a50f-8845-4db0-9c46-6ee4fd7c0dfa/js/content_script.js:13877
    __webpack_require__ moz-extension://afa8a50f-8845-4db0-9c46-6ee4fd7c0dfa/js/content_script.js:20
    <anonymous> moz-extension://afa8a50f-8845-4db0-9c46-6ee4fd7c0dfa/js/content_script.js:63
    <anonymous> moz-extension://afa8a50f-8845-4db0-9c46-6ee4fd7c0dfa/js/content_script.js:66
Content Security Policy: The page's settings blocked the loading of a resource at eval ("script-src").

Font looks bad on Firefox

I snooped around in the CSS for the background page using the dev tools, couldn't find any font-family rules. It seems to just use the default serif font. Should be a simple fix.

krypton almost never works the first time...

I've been successfully using Krypton for over a year, but one thing I've noticed is that it almost never works the first time. E.g. I go to log into a WebAuthn site, the site asks me to "click the token" and I stare at my phone waiting for Krypton to trigger... and I wait... and I wait... and nothing happens. I then cancel the WebAuthn process in the browser, then try again, and it almost always works the second time.

I suspect this is something to do with your use of AWS SQS? The queuing is maybe a bit "best effort"?

I see this on both Firefox and Chrome - so I don't think it's browser-related, and obviously I don't ever see this issue if I use a USB-based webauthn key

Problem when url has a port

I'm having the problem with testing an app on localhost, but I suspect the same problem will happen on a production URL as well. So per the spec the rp.id should not have ports specified. When I have it set to localhost I don't get any authorization request on my phone and I get the following error in the console:

ERROR Error: Uncaught (in promise): NotAllowedError: The operation either timed out or was not allowed. See: https://w3c.github.io/webauthn/#sec-assertion-privacy.

And in the stack trace we have:

652.__awaiter @ inject_webauthn.js:2837
create        @ inject_webauthn.js:2896

Yet if I set it to localhost:44368 I get an authorization request, but the native browser extension fails with the following error:

ERROR Error: Uncaught (in promise): SecurityError: The relying party ID 'localhost:44368' is not a registrable domain suffix of, nor equal to 'https://localhost:44368'.

So the whole cred creation fails.

Krypton should strip down ports from the URL when sending auth request.
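The rp.id rule this issue runs into, as an added TypeScript example that is not kr-u2f's own code: the relying party ID is compared against the origin's hostname (which never carries a port), must not contain a port itself, and must be either equal to that hostname or a registrable suffix of it. It assumes a small constructed list of public suffixes in place of the full Public Suffix List.

```typescript
// Added example, not from the kr-u2f project. Checks a requested WebAuthn
// rpId against the calling origin the way the SecurityError quoted in the
// issue describes: 'localhost:44368' is neither equal to nor a registrable
// suffix of the hostname behind https://localhost:44368, because the port
// is not part of the rpId at all.
type RpIdCheck = { ok: true; rpId: string } | { ok: false; reason: string };

// Constructed stand-in for the Public Suffix List: an rpId that is itself a
// public suffix (e.g. "com") is not a *registrable* domain and must be refused.
const KNOWN_PUBLIC_SUFFIXES: ReadonlySet<string> = new Set(["com", "net", "org", "io", "co.uk"]);

function parseOrigin(origin: string): URL | null {
  try {
    return new URL(origin);
  } catch (e) {
    return null;
  }
}

function effectiveRpId(origin: string, requestedRpId?: string): RpIdCheck {
  const url = parseOrigin(origin);
  if (url === null) return { ok: false, reason: `cannot parse origin '${origin}'` };
  // WebAuthn only works in a secure context; localhost is treated as potentially trustworthy.
  if (url.protocol !== "https:" && url.hostname !== "localhost") {
    return { ok: false, reason: "WebAuthn requires a secure context" };
  }
  const host = url.hostname; // hostname, unlike host, never includes the port
  if (requestedRpId === undefined) return { ok: true, rpId: host }; // default: the origin's effective domain
  if (requestedRpId.includes(":")) {
    return { ok: false, reason: `rpId '${requestedRpId}' must not contain a port` };
  }
  if (requestedRpId === host) return { ok: true, rpId: requestedRpId };
  if (!host.endsWith("." + requestedRpId)) {
    return { ok: false, reason: `rpId '${requestedRpId}' is not a registrable domain suffix of, nor equal to '${host}'` };
  }
  if (KNOWN_PUBLIC_SUFFIXES.has(requestedRpId)) {
    return { ok: false, reason: `rpId '${requestedRpId}' is a public suffix, not a registrable domain` };
  }
  return { ok: true, rpId: requestedRpId };
}

// Stand-alone demonstration of the two cases from the issue.
console.log(effectiveRpId("https://localhost:44368", "localhost:44368")); // refused: port in rpId
console.log(effectiveRpId("https://localhost:44368", "localhost"));       // accepted
```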

Decryption of OpenSSL traffic

Hi! Can this great app be enhanced with a decryption feature for server-side traffic, decrypted for example with PHP openssl_encrypt?

Setting up Krypton with Twitter appears to be broken.

Over the past day or so, I've tried to set up Krypton with Twitter from both Chrome and Firefox on Linux about a dozen times. I can't make it go. :/

The Krypton app on iOS believes that setup works OK. In Chrome, I don't get any indicator that something happened. In Firefox, Twitter's auth dialog says "Invalid response, try again".

Is there anything I can do to give you more information to help fix this issue?

Extension assumes that U2F installation was successful

According to the extension:

image

GitHub is secured. But in reality, when I attempted to set up U2F on GitHub, I was blocked because one of my organizations requires 2FA (here's what I'm shown after telling the extension to set up GitHub):

image

It might be worth adding additional checks to make sure that it succeeded, but it's not a big deal. It still tries to set up GitHub when I click on it so it may not be a dangerous state.

Feature Request: Allow multiple devices to be paired to one extension

Given the risks of losing a single device whether it be through theft, damage etc it makes sense to have a backup to login. Would make things easier if the extension allowed for multiple phones to be paired and switch between them. Maybe by having a primary device and allowing manual switch when needed.

At the moment I believe the workaround would be to unpair the main device and re-pair the backup, add the backup device to a website, then unpair the backup and re-pair the main device.

U2F device not always recognised in Safari

I've noticed that on a custom install of Gitlab, and presumably Gitlab itself, the U2F device is not recognised on first page load. If I press command-option-R, on refresh the "setup U2F device" will appear. The same issue occurs on login. A hard refresh seems to be the workaround.

Could this be an issue with the order the javascript is executed in? Running on Safari 12 on MacOS Mojave, krypt.co version 1.0.8

Pairing with Windows 10 doesn't work

I use the latest version of Linux Mint Xfce and can pair my phone normally with Chrome and Firefox, but on Windows 10 LTSC I simply can't pair. I scan the QR code and nothing happens, it just keeps trying to pair!!!!

Be VERY careful when you use this!

Hi,

Right now I'm in the awkward position where a site DID allow me to set a security key.
Krypton did pop up to confirm the "registration" if you will.

The trouble comes when you want to login.
And... the login keeps asking for a (yubi)key and doesn't trigger krypton.
This happens on a few sites and is a major pain in the *** to get back into working order.
As there you have the situation where, for the registration, krypton popped up. But to login it doesn't.

So, just a fair warning. I've been bitten by this a couple times now.
Be extremely careful when using krypton!

I think it's a failure on Krypton's end to not catch those cases correctly. Even though you can argue that the login mechanism on those sites (binance.com is one such example) is just poorly done. But they work if you have a YubiKey. Which, to be frank, is the correct way for them to support it.

Don't get me wrong though. It's super awesome to use, for example, webauthn.io and see it work with krypton :)

Cheers,
Mark

Okta support

The website advertises support for Okta (or Okta support for u2f). I tried to set it up, but the only u2f option there is related to using yubikey.

I thought - whatever, I'll try anyway, but then I get a form requesting me to type some pin or keycode, which I have no idea how to generate with the Firefox addon or Krypton app.

I set AWS integration before with the same software stack, so it seems that the problem is somewhere else.

Also tried with Chrome with the same result.

Error when adding key to AWS account

Amazon finally added U2F support for IAM users, but it looks like something about their implementation is incompatible with Krypton currently: when I try to add a Krypton key, the iOS app says it's registered successfully and Amazon says:

Unexpected error
An unexpected error occurred.
Attestation Certificate is not valid.

This is Chromium 69.0.3497.100 on Linux, let me know if you need any other system details.

(I did successfully enroll a Yubikey on the same browser & account, fwiw.)

Unable to use connect kr-u2f key to accounts on multiple computers

I've started using kr-u2f on my home desktop, but upon attempting to use the extension on my work laptop, I can't log in using my existing key, or register a new key. I am forced to use an alternate 2-factor authentication method, which for now are codes produced by Google Authenticator, and prompts on my phone.

Firefox extension blocks the use of other tokens

I was able to register my phone as an additional U2F device on my GitHub account where I already have a couple of YubiKeys registered, but when the extension is enabled none of the YubiKeys are usable, only the phone app. Disabling the extension made the YubiKeys usable again.

Browser console error

I keep seeing this in my console every time I visit a page.

Uncaught TypeError: Cannot read property 'create' of undefined
    at inject_webauthn.js:2850
    at Object.652 (inject_webauthn.js:2932)
    at __webpack_require__ (inject_webauthn.js:20)
    at inject_webauthn.js:63
    at inject_webauthn.js:66

Sentry Error Adding.

Every time I try to add Sentry U2F I get "Error adding U2F (Universal 2nd Factor) authenticator" on their site and it does not actually go through. And in the console I get POST https://sentry.io/api/0/users/me/authenticators/u2f/enroll/ 500 (INTERNAL SERVER ERROR).

On the Krypton end it looks to register but without the icon. Example

Pairing Mac desktop app with Android app failing

I'm trying to pair the new Mac desktop app with my Android phone.
The phone is a Xiaomi Mi Mix 2, running Android 9, app version 2.5.5. The Mac is on 10.14.6 (unsupported), app version 1.1.
On the Android side things seem ok, with the device appearing paired but on the Mac side I'm consistently getting this notification:

Pairing Failed
Could not complete pairing process.
Missing dictionary key: public_key_wire

Deleting and reinstalling, rebooting, removing all app related files with AppCleaner don't help.
Firefox pairing works correctly.
The attached file contains the relevant errors (I think) from the system log.
krypton-error.log

Twitter

Hi,

When I try to enroll for Twitter it's recognized as a security key and Krypton iOS authorizes it, but then Twitter needs a manual trigger to complete the registration.

How do I trigger it manually? I have no other choice than to cancel the registration because there is no manual trigger from the extension...

Thx

Can't add key to OVH account

Trying to add a security key to my OVH.com account in Chrome with the extension installed shows a Can not find your security key error.

image

Adding a website seems impossible

I generally know my way around things, but here either the UI is terrible or I'm missing something big as I cannot seem to find how to add just about any website to Krypton.
I'm using the extension on Firefox and it is paired with my Android phone.
Upon configuring 2FA on any service supported by Krypton, there is no way to either scan the QR Code from the website in the Krypton app or enter the key anywhere.

I genuinely think that the UI should be improved as this makes it impossible for anyone to figure it out.

Failed to pair

I installed the chrome extension and scanned it with the android app. The android app said that it paired but the chrome extension still shows the QR code. I then tried the firefox extension, with the same result.

I'm using the latest versions from the respective app stores and am not behind a proxy.

Android app is v2.5.4.

AWS Console is not functional in several places with firefox extension enabled

I recently switched from chrome to firefox and in the AWS console, there are several screens that fail to load when the extension is enabled.

This message appears in the browser console (url: https://console.aws.amazon.com/rds/home?region=us-east-1# )

TypeError: cannot declare global binding `u2f': property must be configurable or both writable and enumerable home:1:1
<anonymous> rds-40.js:1:1 rds/rds.__installRunAsyncCode
https://dado4e41kbenk.cloudfront.net/fb5ab38edbb6807d6e20c2a5de2c290a97c4370f/rds/rds.nocache.js:11:163
__gwtInstallCode https://console.aws.amazon.com/rds/home#:1:526
o7j https://console.aws.amazon.com/rds/home#:57:31
M7j https://console.aws.amazon.com/rds/home#:245:39
<anonymous> https://console.aws.amazon.com/rds/home#:130:64
_6j https://console.aws.amazon.com/rds/home#:189:28
c7j https://console.aws.amazon.com/rds/home#:20:60
b7j/< https://console.aws.amazon.com/rds/home#:146:48
<anonymous> https://dado4e41kbenk.cloudfront.net/fb5ab38edbb6807d6e20c2a5de2c290a97c4370f/rds/deferredjs/5F178518CC64B37ED525028D41CE5E33/40.cache.js:1:1

Disabling the extension fixes the error. I'm not using u2f with AWS at the moment.

Support CTAP2

Chrome and Firefox now use the Windows web authentication API on Windows 10 build 1903 rather than talking to U2F devices directly. This allows the user to use platform keys (e.g. Windows Hello), CTAP2 or U2F keys.

This causes funny behavior when using Krypton. The requests are received by the app but Windows simultaneously shows a dialog prompting the user to insert their key or enter their pin which stays open even after the user has accepted the prompt on the app. The web authentication api is unaware of krypton intercepting the requests.

This could be solved if krypton acted as a CTAP2 credential provider rather than a browser extension that intercepts the U2F requests.