FYI: Okta breaking change u2f to webauthn

[marshallbrekka]

Figured I would file this as just an impending FYI.

Okta just transitioned our org from U2F factors to FIDO2 (WebAuthN).
This means that all our code that was looking for u2f factors suddenly broke.

I'm not sure if that change was specific to our org, or Okta wide.

For reference this is our internal change that does the bare minimum to mitigate the issue. It probably does not properly implement true webauthn, but you can use it as a guide for a U2F to WebAuthN migration path.

https://github.com/wearefair/okta-auth/pull/8/files

[nijave]

We're seeing this issue as well

[nickatsegment]

Oof, that's rough.

We don't use u2f/webauthn Okta internally at Segment (trust me, I'd like to), so we're relying on the community for a fix here.

[dhess]

Yes, I noticed that when I asked Okta to enable the WebAuthn early access feature on my org's account, the U2F factor in MFA enrollment was replaced by a WebAuthn factor; i.e., it appears that you can enable either U2F or WebAuthn, but not both.

[alsmola]

I've been working on supporting webauthn in https://github.com/Versent/saml2aws and I have an untested branch that could work for aws-okta:

https://github.com/alsmola/aws-okta/pull/1/files

I made some modifications to go-u2fhost that I'm asking to be merged, but in the meantime this change uses my fork.

If someone can test and confirm this branch with aws-okta, I'm happy to hand it over.