2FA, U2F & the YubiKey
If you’re even the least bit security conscious, you’re probably aware of two factor authentication (2FA). The idea is simple, yet brilliant: In addition to authenticating with a username and password combination, you also have to use a one-time code. The code is usually provided by a token of some kind, like a scratch card, or an app on your mobile phone.
Since the token is something physical that you normally bring with you or store somewhere semi-secure (“in a drawer”) at home, it’s virtually impossible for someone who has managed to get access to your username and password to log in: Without the token, they are missing the second factor in the authentication chain, the one-time password.
More and more sites are now supporting 2FA in one form or another. While this is a good thing, it might also have an unintended consequence: If you have a token from site A, that token will not work at site B, meaning that if you use 2FA on many sites, you can easily end up with a lot of tokens. Many sites use 2FA codes generated by the Google Authenticator app, which obviously helps a lot. But even though the use of Google Authenticator might be considered the de facto standard for 2FA, how to provide 2FA hasn’t really been standardized.
At least until quite recently. In May 2015, the FIDO Alliance - whose members include technological behemoths like ARM, Google, Microsoft and Intel, and financial heavyweights like American Express, PayPal, MasterCard and VISA - released the Universal 2nd Factor (U2F) specification. The U2F specification aims to make it possible for a single U2F device to work with any relying party supporting the protocol.
A few FIDO U2F certified products are now beginning to become available to consumers, and after doing a bit of research, I bought a YubiKey NEO from Swedish manufacturer Yubico. So how does 2FA with the YubiKey NEO stack up against, say, using Google Authenticator on a mobile phone? Let’s have a quick look at the pros and cons.
Pros
- No power requirement: The YubiKey doesn’t require any power. If you rely on 2FA from a mobile phone app and your battery is dead, you’re all out of luck. Some sites give you the option to configure a backup method for authentication in case you don’t have access to the 2FA app, but that method is often sending you a text message - which will also get you nowhere.
- No driver requirements: There is no need to download and install any drivers, the YubiKey will work on pretty much any computer, as long as the computer has a USB port.
- It’s tiny: Fits easily on your key chain.
- It’s not a target if you’re mugged: These days, the bad guys don’t want your key chain. They want your phone. And with that, they’ll also get all your 2FA codes. I doubt that they will use the 2FA app on your phone to get access to your accounts - the main reason they grab your phone is to quickly sell it for easy money - but no phone means no 2FA app for you.
Cons
- It’s hard to log in with a device that doesn’t have a USB port: No USB port means nowhere to connect your YubiKey. Some companies glue USB ports on their computer shut for security reasons. And what if you want to log in to a site with your mobile phone? It might be that it’s possible to solve this by using the YubiKey NEO’s NFC capabilities with an NFC compatible phone, but I’ve not had the chance to test that.
- You can’t make a backup of your YubiKey: You can’t make a backup of the 2FA configuration on the key and transfer it to another key. This is by design, and perfectly understandable, but a major inconvenience if you misplace or lose the YubiKey.
- The USB connectors are always exposed: There is no way to easily protect the USB connectors on the YubiKey. To me, this looks like a design flaw: It’s designed to be on a key chain and metal keys constantly rubbing against the connectors can’t possibly be a good thing.
- It’s yet another device: You already have your mobile phone with you wherever you go, why drag along yet another device?
- Very limited browser support: Right now, only Google Chrome supports U2F. This means that if you enable U2F on a site that supports it - and that’s not too many yet either - you’re stuck with Chrome. As far as I can tell, there are no plans to add U2F support to Opera, and there’s no real progress for Firefox either.
- Very limited site and service support: Right now, you can list all the sites that support U2F in one breath: Gmail and Google Accounts, GitHub, Dropbox, LastPass and WordPress.
- There’s no access control to the key: If someone gets their hands on your YubiKey, they have direct access to it. If you use your mobile phone app for 2FA, on the other hand, you can easily configure it to require a pin, password, pattern or something similar to unlock the phone.
As of right now, the cons undoubtedly outweigh the pros. The main problem is the very limited browser and service support. That’s the reason why I’m still using Google Authenticator for 2FA. But both browser and service support are likely to get better over time. When that time comes, I’m ready, and I’m looking forward to the day when a dedicated hardware device rules all second factor authentication.
If you want to use U2F but don’t want to get another device to carry around, there might be an option for you: Transakt U2F from Entersekt. Transakt is a mobile-phone–based authentication product with a lightweight USB bridge that you can install on your computer. The bridge will allow your browser to connect with the U2F-enabled Transakt app on your mobile phone. I’m not sure how this will actually work in practice, but I’m guessing you have to connect your mobile phone to your computer with a USB cable. Not amazingly convenient, but it does mean you don’t have to carry an additional device. Unless you count the USB cable as a device. The feature is currently available in a closed beta, but you can read more about it on Entersekt’s blog.
So, yeah. The day when U2F support is widely available, both in browsers and services, will come. We’re just not there yet.
Feedback
Do you have any thoughts you want to share? A question, maybe? Or is something in this post just plainly wrong? Then please send an e-mail to vegard at vegard dot net with your input. You can also use any of the other points of contact listed on the About page.
@vegardskjefstad yes, but you can use Authenticator as a fail-safe if you ever lose the key.
Doesn’t that imply that the service has to allow configuring both U2F and "classic" 2FA through Authenticator at the same time?
I am holding out for 3 factor authentication but seriously I’m more worried about server side hacks than someone hacking my individual instagram acc.
Long time, no see, Owen. I hope you’re doing well.
Site hacks can expose your username and password, and a lot of people use the same username and password combinations on several sites. In those cases, all your other accounts have effectively been hacked as well. Unless you have 2FA enabled.
Yes, I am alive and well, still battling spammers in the comms. There is more and more bearing on the users to protect themselves from hackers, while big companies get a free pass. The companies go as far as to ask users for their telephone numbers and to buy new hardware just to be secure. Secure from whom, really? Their services are becoming more of a burden than they are worth.
I will not provide my mobile phone number. It would do most of the services little good because I actively block sms texting – I use only Xmpp Texting.
You WILL use xmpp and sip once you adopt LTE.
I want to protect my accounts, but I do not want to divulge true identity information to 99% of the sites I use.
Because my policy is paramount I have lost access to all my Yahoo accounts, a pox upon them, and Outlook is more annoying to use. I lost access to my Steam account because Microsoft insisted on a mobile number DESPITE having set up 2FA TOTP weeks prior.
Microsoft needs some public shaming. TOTP is offered by outlook.com as an alternative to codes by mobile phone number via sms texting. The form will not accept numbers capable of sms texting which are not also attached to a mobile provider. TOTP is apparently a waste of time in their current security policies.
forsooth
I have early adopted but I won’t use with anything other than testing accounts until ‘major’ sites allow multiple U2F bits of registration. One key for me, and another one for my safe.
I bought four YubiKey NEOs, and 1 U2F token from every manufacturer I could find on amazon, or supported by lively f/OSS projects.
I will not use the google ecosystem; Privacy Rape is never acceptable.
Since this article was written things have moved closer to what you are looking for with many major companies adopting FIDO based authentication (Microsoft, Intel, Google etc). FIDO also has the advantage that your device generates a different key for each site it registers with.
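The two U2F properties touched on above, one token working with any relying party (from the post) and a different key for every site it registers with (from the comment), as an added Go model that is not the post's or Yubico's code: the token creates a separate P-256 key per appId, signs the U2F authentication message (application parameter, user-presence byte, counter, challenge parameter) and never finds a handle presented from a different origin, while the relying party checks the signature and that the counter moved forward. It goes beyond the post by spelling out that raw message format; the site names, the challenge, the in-memory key map and the handle scheme are constructed simplifications.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Token models a U2F authenticator (hypothetical, not Yubico's firmware): one fresh P-256 key per registration, bound to its site, plus a signature counter for clone detection.
type Token struct {
	keys    map[string]*ecdsa.PrivateKey // (appParam || key handle) -> private key
	counter uint32
}
func NewToken() *Token { return &Token{keys: map[string]*ecdsa.PrivateKey{}} }
// Register creates a site-specific key pair and hands the relying party a key handle and public key.
func (t *Token) Register(appID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	ap := sha256.Sum256([]byte(appID)) // application parameter: SHA-256 of the site's appId
	kh := priv.PublicKey.X.String()    // opaque handle; real tokens usually put a wrapped key here
	t.keys[string(ap[:])+kh] = priv
	return kh, &priv.PublicKey, nil
}

// Authenticate signs appParam || userPresence || counter || challengeParam; a handle registered under another origin is simply not found, so a look-alike site presenting a stolen handle gets nothing.
func (t *Token) Authenticate(appID, keyHandle string, challengeParam [32]byte) (uint32, []byte, bool) {
	ap := sha256.Sum256([]byte(appID))
	priv, ok := t.keys[string(ap[:])+keyHandle]
	if !ok {
		return 0, nil, false
	}
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(ap, t.counter, challengeParam))
	return t.counter, sig, err == nil
}

func signedMessage(appParam [32]byte, counter uint32, challengeParam [32]byte) []byte {
	b := append(append([]byte{}, appParam[:]...), 0x01) // 0x01 = user presence: the button was touched
	b = append(b, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	h := sha256.Sum256(append(b, challengeParam[:]...))
	return h[:]
}

// Verify is the relying party's check: a valid signature under the stored key and a counter that moved on.
func Verify(pub *ecdsa.PublicKey, appID string, lastCounter, counter uint32, challengeParam [32]byte, sig []byte) bool {
	msg := signedMessage(sha256.Sum256([]byte(appID)), counter, challengeParam)
	return counter > lastCounter && ecdsa.VerifyASN1(pub, msg, sig)
}
```

Because the key is looked up under the hash of the appId, a registration made for one site can neither be exercised from another origin nor verified under another site's stored key, and a replayed counter is rejected by the relying party.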