LeanderBB/you-have-mail

Add support for MFA login using security keys

dailyherold opened this issue · 4 comments

Add support for Proton Mail's MFA login using U2F/FIDO2 security keys.

Currently, if a security key is added to MFA settings for Proton Mail, when logging into You Have Mail the following error message is returned:

Network request failed

From Proton Mail's security event log, you will see the following:

Sign in success (awaiting second factor)

I confirmed that removing the security key, and leaving the Authenticator app, let me log in via You Have Mail per the recommendation in #12 (comment).

For users with both Authenticator app and security key enabled, it would be nice if there was a way to specify MFA preference per client in Proton settings. Or if there was a way via login API to fall back "to the next" MFA method when called from You Have Mail.

Hey @dailyherold thanks again for digging into this.

Based on your investigations, there seems to be an error in parsing the response when there is a U2F/FIDO2 security device present. There is an error message for when the 2FA method is not supported, but it's currently superseded by this parsing error.

Unfortunately I am not in possession of such a U2F/FIDO2 device. I can only acquire one next month. After the parsing error has been addressed I can definitely fall back to TOTP if both are present.

I do, however, need some assistance. Do you think you (or other interested parties reading this) could verify something for me?

In the Proton web email client, could you use the developer tools to inspect the response made during one of the authentication requests? In particular, a post to auth/v4. If you could post the resulting JSON with all the data stripped out and the field types (see example below), I could at least resolve the current problem.

{
   "Field1": // Array of numbers
   "Field2": // string
}

Finally there should be the following field in the resulting JSON response:

{
   "2FA": {
      "Enabled": <INTEGER>
   }
}

Could you let me know what this value is as well?

Fixed in v0.10.1

Sorry I didn't help out, missed the initial comment email and was traveling this month. Awesome that you seem to have made some improvements! I'll test it this week.

No worries, thanks in any case :)