Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

No attempt to use U2F Security Key #202

Open
Nuru opened this issue Oct 15, 2020 · 7 comments · Fixed by #203
Open

No attempt to use U2F Security Key #202

Nuru opened this issue Oct 15, 2020 · 7 comments · Fixed by #203

Comments

@Nuru
Copy link
Contributor

Nuru commented Oct 15, 2020

I have a YubiKey U2F security key as my default MFA. aws-google-auth used to immediately use it when I logged in, but now it does not use it and instead prompts me to use a different MFA method.

This appears to be caused by a change with Google's pages, but I do not fully understand how the U2F integration works. I can say when I look at the MFA challenge selector page given to aws-google-auth it says that the security key is "not supported on this device or browser".

Update 1

On further investigation, it looks like U2F integration is switching to a JavaScript implementation. It may not be possible to support U2F without running JavaScript.

@chrisjaimon2012
Copy link

So no more U2F support in aws-google-auth?
Or does #203 fix the issue with the U2F integration?

@Nuru
Copy link
Contributor Author

Nuru commented Oct 19, 2020

@chrisjaimon2012 #203 restores operation of SMS and TOTP 2FA, but not U2F. I did not write the previous U2F integration and am not quite sure how it worked, so maybe someone else can fix it. As far as I can tell, Google is switching to a JavaScript UI that is going to require something like Selenium to make U2F integration work, but I could be wrong.

Personally I am leaning towards using aws-saml-capture-extension plus a shell script like this on the Mac:

#!/usr/bin/env bash

aws-google-auth -k -p $0 --saml-assertion $(pbpaste)

I would prefer someone fix aws-google-auth, but until then, this works better than the alternatives because, by using my real browser to log in, I have a reliable tool, I do not get asked for CAPTCHA or even 2FA that often, and since aws-google-auth both caches the SAML assertion (which is valid for 5 minutes) and modifies rather than overwrites ~/.aws/credentials, I can follow up the above with additional aws-google-auth commands to get credentials for other profiles and log into multiple accounts at once.

@andreaso
Copy link

Another fallback option is to do something based on the https://g.co/sc one-time security codes.

I have an initial support for that implemented in my https://github.com/andreaso/aws-google-auth/tree/wip/skotp-support branch, which builds on top of the #203 branch.

@forsberg
Copy link

Hmm.. I don't really think this one was closed by #203? @stevemac007?

@stevemac007 stevemac007 reopened this Jan 28, 2021
@stevemac007
Copy link
Contributor

Looks like you are correct - this is back to the fact I don't have a device to test this with.

@andreaso
Copy link

@stevemac007: If you would like a Yubikey we can ship you one free of charge.

Parent5446 added a commit to Parent5446/aws-google-auth that referenced this issue Mar 27, 2021
This fixes a small issue from 77e7544 (cevoaustralia#206) where the code for
handling the dual-prompt page was added, but the support for it
wasn't added in the challenge-selection stage. This adds the `elif`
clause neeeded to parse the dual prompt method.

(Tested against 0.0.37 and login works successfully after this
commit is applied.)

Fixes cevoaustralia#202
@cmfcruz
Copy link

cmfcruz commented Apr 19, 2021

Hi, any chance that volkangurel's PR can get merged soon? I can confirm that this works as a good alternative for Yubikey users.

The user is asked to visit https://g.co/sc which gives them a one-time security code after verifying their Yubikey.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

6 participants