With advancement often comes change. Some changes are exciting, like providing new features and broader support, while other changes can be a minimal bump in the road or, in extreme cases, cause adverse effects on end users. With Yubico’s commitment to keeping our customers updated on the latest in changes to security protocols, we wanted to be sure you are aware that Chrome has deprecated the Universal 2nd Factor (U2F) API, and will be removing it entirely with the Chrome v. 98 update in February 2022.
If your organization is currently utilizing U2F in your product or web-based service, with some planning and simple code updates, you’ll continue to be able to provide user continuity and get your services switched to the WebAuthn API in Chrome, all while maintaining compatibility with existing YubiKeys. If you’re impacted by this change, and want to learn more, read below for details on how to mitigate this issue. Additionally, please register for our February 22nd webinar where we will dive deep into this topic in an interactive WebAuthn session.
What does this mean, and how will it affect my users?
The important aspect to note is that U2F means two things in Chrome: it is an authentication protocol as well as an API. The forthcoming update means only the U2F API is being deprecated and that authentication with the U2F protocol will continue to be supported with the WebAuthn API.
The original way of implementing U2F with Chrome was through the U2F API. Since that time, the WebAuthn protocol has been adopted. These two protocols might not look related, but U2F is the precursor to WebAuthn. The WebAuthn spec was designed with backward compatibility in mind so that U2F will work with WebAuthn.
The U2F API deprecation means that services will need to migrate to the WebAuthn API to continue supporting phishing-resistant, multi-factor authentication (MFA) with the YubiKey on their services. Furthermore, adopting the WebAuthn API will increase the number of places that a user can utilize their YubiKey as it is supported by other major browsers such as Safari and Edge.
In November 2021, with Chrome version 95, users of services that implemented the Chrome U2F API began seeing a warning that the service relies on the U2F API, which Chrome is deprecating.
This could be a little alarming for your user community as it will be shown during the authentication process and instruct them to contact the service provider to make the changes.
When is the update happening?
The U2F API will be fully deprecated and removed with Chrome v. 98, which is scheduled for release this month (February 2022). At that time, the U2F API will stop working; however, there are options for time extensions, which we have listed below.
If unaddressed, this change will cause different errors for the end user depending on how the service handles errors, and the end user will be prevented from authenticating to the service using their U2F devices.
For more details, Google has outlined the Chrome versions and timeline here.
How do I migrate?
As mentioned previously, the WebAuthn API is backward compatible with U2F credentials. To migrate, there are a few steps that service owners need to take to ensure their users can continue to use existing U2F credentials.
On the client side, the key changes are to replace the U2F API register method with a call to the WebAuthn API navigator.credentials.create() method, and to replace the U2F API sign method with a call to the WebAuthn API navigator.credentials.get() method.
Changes to the backend service or relying party (RP) may be needed as well depending upon how U2F was implemented.
Please review the Yubico documentation regarding moving from U2F to WebAuthn for more details. This documentation is written for the Yubico open source WebAuthn server, so please keep in mind that your implementation may be different.
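As an added illustration of the client-side change (not code from Yubico or its WebAuthn server), the sketch below converts a legacy U2F sign request into options for navigator.credentials.get(). It relies on the WebAuthn `appid` extension, which this post does not name, so that key handles registered under the old U2F AppID remain usable; the RP ID, AppID URL, challenge and key handle are constructed sample values.

```javascript
// Added example: map a legacy U2F sign request to WebAuthn get() options.
// U2F field names follow the FIDO U2F JavaScript API; sample values are constructed.
const SAMPLE_U2F_SIGN_REQUEST = {
  appId: "https://example.com/app-id.json", // assumed legacy AppID
  challenge: "AQID_w",                      // constructed, websafe-base64
  registeredKeys: [{ version: "U2F_V2", keyHandle: "3q2-7w" }],
};

// U2F carried websafe-base64 strings; WebAuthn expects binary buffers.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const pad = "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(b64 + pad), (c) => c.charCodeAt(0));
}

// Replacement for the U2F sign call: build options for navigator.credentials.get().
function u2fSignToGetOptions(u2fReq, rpId) {
  if (!u2fReq.registeredKeys || u2fReq.registeredKeys.length === 0) {
    throw new Error("no registered U2F key handles to migrate");
  }
  return {
    publicKey: {
      challenge: b64urlToBytes(u2fReq.challenge),
      rpId,
      // Existing U2F key handles are passed as WebAuthn credential IDs.
      allowCredentials: u2fReq.registeredKeys.map((k) => ({
        type: "public-key",
        id: b64urlToBytes(k.keyHandle),
      })),
      // Lets the client fall back to the old AppID for U2F-registered keys.
      extensions: { appid: u2fReq.appId },
      userVerification: "discouraged", // U2F devices do not verify the user
      timeout: 60000,
    },
  };
}

// Browser-only wrapper; reports whether the AppID fallback was used.
async function signWithWebAuthn(u2fReq, rpId) {
  const cred = await navigator.credentials.get(u2fSignToGetOptions(u2fReq, rpId));
  const usedAppId = cred.getClientExtensionResults().appid === true;
  return { cred, usedAppId };
}
```

When `usedAppId` is true, the relying party has to check the assertion's RP ID hash against the hash of the AppID rather than the RP ID. The `appid` extension applies only to authentication, so new registrations made with navigator.credentials.create() are ordinary WebAuthn credentials.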
What if I need more time?
If you need more time to migrate, there are a few ways of getting an extension for your service to continue using the U2F API until July 2022 through Google. Options are to enroll in the deprecation trial or be an enterprise that has turned on U2fSecurityKeyApiEnabled.
To learn more about Google Chrome U2F decommission and what’s coming up next in the world of WebAuthn, be sure to sign up for our upcoming webinar here.