Disable U2F Interface unless already configured.

class-two-factor-core.php

@@ -1719,6 +1719,27 @@ public static function user_two_factor_options( $user ) {
 			$show_2fa_options ? '' : 'disabled="disabled"'
 		);
 
+		$providers = self::get_providers();
+
+		// Disable U2F unless already configured.
+		if ( isset( $providers['Two_Factor_FIDO_U2F'] ) ) {
+			$disabled = ! $providers['Two_Factor_FIDO_U2F']->is_available_for_user( $user );
+
+			/**
+			 * Filter whether the deprecated U2F provider is available.
+			 *
+			 * The U2F provider does not support modern browsers, and it being enabled causes confusion.
+			 *
+			 * @param bool    $disabled Whether the provider is disabled for this user.
+			 * @param WP_User $user     The user being displayed.
+			 */
+			$disabled = apply_filters( 'two_factor_u2f_disabled', $disabled, $user );
+
+			if ( $disabled ) {
+				unset( $providers['Two_Factor_FIDO_U2F'] );
+			}
+		}
+
 		wp_nonce_field( 'user_two_factor_options', '_nonce_user_two_factor_options', false );
 		?>
 		<h3><?php esc_html_e( 'Two-Factor Options', 'two-factor' ); ?></h3>
@@ -1732,7 +1753,7 @@ public static function user_two_factor_options( $user ) {
 				</tr>
 			</thead>
 			<tbody>
-			<?php foreach ( self::get_providers() as $provider_key => $object ) : ?>
+			<?php foreach ( $providers as $provider_key => $object ) : ?>
 				<tr>
 					<th scope="row"><input id="enabled-<?php echo esc_attr( $provider_key ); ?>" type="checkbox" name="<?php echo esc_attr( self::ENABLED_PROVIDERS_USER_META_KEY ); ?>[]" value="<?php echo esc_attr( $provider_key ); ?>" <?php checked( in_array( $provider_key, $enabled_providers, true ) ); ?> /></th>
 					<th scope="row"><input type="radio" name="<?php echo esc_attr( self::PROVIDER_USER_META_KEY ); ?>" value="<?php echo esc_attr( $provider_key ); ?>" <?php checked( $provider_key, $primary_provider_key ); ?> /></th>

providers/class-two-factor-fido-u2f-admin.php

@@ -61,6 +61,15 @@ public static function enqueue_assets( $hook ) {
 
 		$security_keys = Two_Factor_FIDO_U2F::get_security_keys( $user_id );
 
+		// Disabled interface if there's no keys.
+		if (
+			! $security_keys &&
+			/** This filter is documented in class-two-factor-core.php */
+			apply_filters( 'two_factor_u2f_disabled', true )
+		) {
+			return;
+		}
+
 		// @todo Ensure that scripts don't fail because of missing u2fL10n.
 		try {
 			$data              = Two_Factor_FIDO_U2F::$u2f->getRegisterData( $security_keys );
@@ -164,6 +173,15 @@ protected static function asset_version() {
 	 * @param WP_User $user WP_User object of the logged-in user.
 	 */
 	public static function show_user_profile( $user ) {
+		// Don't display if the user cannot configure it.
+		if (
+			! Two_Factor_FIDO_U2F::get_instance()->is_available_for_user( $user ) &&
+			/** This filter is documented in class-two-factor-core.php */
+			apply_filters( 'two_factor_u2f_disabled', true )
+		) {
+			return;
+		}
+
 		wp_nonce_field( "user_security_keys-{$user->ID}", '_nonce_user_security_keys' );
 		$new_key = false;
 

readme.txt

@@ -6,15 +6,14 @@ Stable tag:   0.9.1
 License:      GPL-2.0-or-later
 License URI:  https://spdx.org/licenses/GPL-2.0-or-later.html
 
-Enable Two-Factor Authentication using time-based one-time passwords, Universal 2nd Factor (FIDO U2F, YubiKey), email, and backup verification codes.
+Enable Two-Factor Authentication using time-based one-time passwords, email, and backup verification codes.
 
 == Description ==
 
 Use the "Two-Factor Options" section under "Users" → "Your Profile" to enable and configure one or multiple two-factor authentication providers for your account:
 
 - Email codes
 - Time Based One-Time Passwords (TOTP)
-- FIDO Universal 2nd Factor (U2F)
 - Backup Codes
 - Dummy Method (only for testing purposes)