Chrome Storage Partitioning - Status and Recommendations
Issue
Loss of browser enrollment on Chrome
Context
Since the end of August 2023, Chrome has been rolling out an update that prevents certain types of side-channel cross-site tracking by partitioning the storage of third-party sites.
The effect may become visible to users after a browser upgrade, on browsers based on Chromium:
Chrome - starting with version 115, continuing until version 127
Edge - starting with Edge 119
In short, after this change a browser enrollment performed on connector A is no longer shared with an enrollment on connector B, and an enrollment may be lost during a Chrome upgrade.
As the effect of each upgrade is not public, we cannot guarantee that the change in storage partitioning will happen only once in each browser.
This topic is still under investigation and research; please check this page regularly for updates.
More information is available from Google: https://developer.chrome.com/en/docs/privacy-sandbox/storage-partitioning/
What should you do?
We recommend that you determine which of the cases below applies to your service and implement the proposed solution.
Should you have difficulties finding out which case applies to you, or implementing the solution, please contact our technical support.
Simple case: OIDC connector only
If your users access the secure sites through the OIDC connector or the OIDC Azure AD connector only, and through no other connector, there is no impact. The cases are listed below.
Connector | Status |
---|---|
OIDC only, with the login page defined in the connector parameters as login page | NO IMPACT as the browser token domain and the page domain are the same. |
OIDC only, with the /neon page as login page | NO IMPACT as the browser token domain and the page domain are the same. |
Simple case: SAML connector only
Connector | Status |
---|---|
SAML - use of Virtual Authenticator or Helium as a browser token via SAML to access a secure site | POSSIBLE LOSS - a Chrome upgrade can cause a loss of browser enrollment, as the storage gets partitioned and is no longer accessible by the original site. SOLUTION: TrustBuilder Backup, a browser extension developed by TrustBuilder. It lets users keep their browser enrollment token in the event of an unintentional or intentional deletion of browser site data; for more information, see TrustBuilder Backup browser extension. If any future Chrome upgrade causes a loss of enrollment, it is transparently restored by TrustBuilder Backup. Note: the first login attempt after the Chrome update may fail; the second attempt will succeed. |
Simple case: ADFS Plugin
This case applies if you are using the ADFS plugin on your ADFS server. For more information, see https://docs.inwebo.com/documentation/microsoft-adfs-3-0-and-adfs-4-0
Plugin | Status |
---|---|
ADFS Plugin in step-up mode, use of Virtual Authenticator or Helium to authenticate | POSSIBLE LOSS - a browser upgrade can cause a loss of browser enrollment. SOLUTION: TrustBuilder Backup, a browser extension developed by TrustBuilder. It lets users keep their browser enrollment token in the event of an unintentional or intentional deletion of browser site data; for more information, see TrustBuilder Backup browser extension. If any future Chrome upgrade causes a loss of enrollment, it is transparently restored by TrustBuilder Backup. |
ADFS Plugin in step-up mode, use of push notifications scenario to Authenticator | No browser enrollment, NO IMPACT |
Mixed case: OIDC/SAML/myinwebo.com
If your users access multiple login pages through the OIDC connector, the SAML connector or the myinwebo.com selfcare, they may experience a loss of enrollment. The cases and their solutions are described below.
Case | Status |
---|---|
OIDC and SAML - users access secure sites via the OIDC / OIDC Azure AD connector and the SAML connector | POSSIBLE LOSS - the enrollment for SAML or the admin console is separate from the enrollment for OIDC, as the login pages do not belong to the same domain. The upgrade can cause a loss of browser enrollment for one of the two connectors. SOLUTION: TrustBuilder Backup. If any future Chrome upgrade causes a loss of enrollment, it is transparently restored by TrustBuilder Backup. |
OIDC and myinwebo.com - users access secure sites via the OIDC / OIDC Azure AD connector and also access the myinwebo.com selfcare |
Integration via mAccess Web
If you are using the mAccess Web SDK to integrate TrustBuilder MFA into your web portal, the status is as follows.
Mode | Status |
---|---|
“no iframe” mode | NO IMPACT as the browser token domain and the page domain are the same. |
iframe mode (default) | POSSIBLE LOSS - the Chrome upgrade can cause a loss of browser enrollment. SOLUTION #1: let the users install the TrustBuilder Backup browser extension (also called add-on); this requires an action from the end users: https://www.trustbuilder.com/app-downloads SOLUTION #2: use the “no-iframe” mode introduced in mAccess Web 3.13 (see the documentation: mAccess WEB version 3.13.0). The browser token then belongs to the same domain as your page, and there is no loss of enrollment. Note: changing the mode causes a loss of enrollment for users already enrolled. |
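The mechanism described in the Context section, and the iframe versus “no iframe” distinction in the mAccess Web table above, as an added illustration that is not TrustBuilder's, inWebo's or Google's code: a JavaScript model in which third-party storage is keyed by the frame's origin only before the change and by origin plus top-level site after it, run through the connector A / connector B scenario. The hostnames, the `^` separator, the registrable-domain rule (last two labels instead of the Public Suffix List) and the treatment of pre-existing data at upgrade time (kept reachable from same-site contexts, invisible to cross-site frames) are assumptions made for this example.

```javascript
// Added example (not TrustBuilder/inWebo code): a small model of Chrome storage
// partitioning and of why "token domain == page domain" is the no-impact case.
// All hostnames are hypothetical; the registrable-domain rule is simplified.

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// "Site" = scheme + registrable domain. Real browsers consult the Public Suffix
// List; here (assumption, for illustration) the last two labels are used.
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname.split('.').slice(-2).join('.')}`;
}

// Storage key for a document at frameUrl embedded under a top-level page at topLevelUrl.
// First-party (same-site) contexts are keyed by origin only, before and after the change.
// Third-party contexts used to be keyed by origin only (shared by every embedder); once
// partitioned they are keyed by origin AND top-level site, so each embedder gets its own bucket.
function storageKey(topLevelUrl, frameUrl, partitioned) {
  const firstParty = siteOf(topLevelUrl) === siteOf(frameUrl);
  if (firstParty || !partitioned) return originOf(frameUrl);
  return `${originOf(frameUrl)}^${siteOf(topLevelUrl)}`; // "^" is just a separator here
}

// The rule this page applies: the token domain's storage is only at risk when the
// login page that embeds it is on a different site.
function impact(pageUrl, tokenUrl) {
  return siteOf(pageUrl) === siteOf(tokenUrl) ? 'NO IMPACT' : 'POSSIBLE LOSS';
}

// Minimal localStorage-like store whose buckets follow storageKey().
class BrowserStorageModel {
  constructor() {
    this.partitioned = false;
    this.buckets = new Map();
  }
  bucket(topLevelUrl, frameUrl) {
    const key = storageKey(topLevelUrl, frameUrl, this.partitioned);
    if (!this.buckets.has(key)) this.buckets.set(key, new Map());
    return this.buckets.get(key);
  }
  set(topLevelUrl, frameUrl, name, value) {
    this.bucket(topLevelUrl, frameUrl).set(name, value);
  }
  get(topLevelUrl, frameUrl, name) {
    return this.bucket(topLevelUrl, frameUrl).get(name);
  }
  // The upgrade (assumption): old data stays in its origin-only bucket, still reachable
  // from first-party contexts; cross-site embedded frames now read from fresh buckets.
  upgrade() {
    this.partitioned = true;
  }
}

// Walk through the connector A / connector B scenario with constructed URLs.
function scenario() {
  const tokenFrame = 'https://token.example.test/mfa';  // domain holding the enrollment token
  const oidcPage = 'https://login.example.test/oidc';   // same site as the token domain
  const samlPage = 'https://idp.example.org/saml';      // connector A, different site
  const adminPage = 'https://admin.example.net/';       // connector B, different site
  const browser = new BrowserStorageModel();

  // Enrollment performed while logging in through connector A, before the upgrade.
  browser.set(samlPage, tokenFrame, 'enrollment', 'tok-1');
  const sharedBeforeUpgrade = browser.get(adminPage, tokenFrame, 'enrollment') === 'tok-1';

  browser.upgrade();
  const connectorAAfter = browser.get(samlPage, tokenFrame, 'enrollment');  // undefined: fresh partition
  const sameSiteAfter = browser.get(oidcPage, tokenFrame, 'enrollment');    // 'tok-1': first-party bucket kept

  // Re-enrolling on connector A creates a second enrollment that connector B never sees.
  browser.set(samlPage, tokenFrame, 'enrollment', 'tok-2');
  const connectorBAfter = browser.get(adminPage, tokenFrame, 'enrollment'); // undefined

  return { sharedBeforeUpgrade, connectorAAfter, sameSiteAfter, connectorBAfter };
}
```

In a real page the same check reduces to comparing the site of `window.top.location` (or `document.referrer` when the top-level location is not readable cross-site) with the site of the frame that stores the token; `impact()` is that comparison, and the model shows why the “no iframe” mode, which makes the two sites equal, takes the storage out of the partitioned case.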