2FA, U2F & the YubiKey
Can it replace Google Authenticator?
If you’re even the least bit security conscious, you’re probably aware of two-factor authentication (2FA). The idea is simple, yet brilliant: in addition to authenticating with a username and password combination, you also have to provide a one-time code. The code is usually produced by a token of some kind, like a scratch card, a hardware token, or an app on your mobile phone.
Since the token is something physical that you normally carry with you or keep somewhere semi-secure (“in a drawer”) at home, someone who has managed to get hold of your username and password still can’t log in: without the token, they are missing the second factor in the authentication chain, the one-time password.
More and more sites now support 2FA in one form or another. While this is a good thing, it also has an unintended consequence: a token from site A will not work at site B, so if you use 2FA on many sites you can easily end up with a lot of tokens. Many sites use codes generated by the Google Authenticator app, which helps a lot: the app implements the standard TOTP algorithm (RFC 6238), so one app can hold the secrets for all of them. But each site still provisions its own secret, and while Google Authenticator may be the de facto standard for 2FA codes, there has been no standard for a single second-factor device that works everywhere.
At least until quite recently. In May 2015, the FIDO Alliance - whose members include technological behemoths like ARM, Google, Microsoft and Intel, and financial heavyweights like American Express, PayPal, MasterCard and VISA - released the Universal 2nd Factor (U2F) specification. The U2F specification aims to make it possible for a single U2F device to work with any relying party supporting the protocol. Instead of a shared secret and a code you type in, the device holds a separate key pair for each site and signs a challenge; the browser includes the page’s origin in the signed data, so a signature obtained on a look-alike phishing site is useless at the real one.
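What the protocol looks like on the wire, as an added example that is not code from the post or from Yubico: the Go program below models one U2F registration and authentication round trip between the three parties the specification has, the relying party, the browser and the token. It uses the real U2F signed-data layout (SHA-256 of the application identifier, a user-presence byte, a 4-byte big-endian counter, SHA-256 of the client data) and real P-256 ECDSA. Two things are simplified: the simulated token stores its keys in a map indexed by key handle rather than wrapping the key into the handle as a YubiKey does, and the browser’s own check that a page may only use an appID it is a facet of is left out, so that the relying party’s origin check is the one that catches a relayed phishing attempt. The origins are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// clientData is built by the browser, which fills in origin itself; its SHA-256 is what the token signs.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// token is a simulated authenticator: keys indexed by key handle, the application parameter
// each was registered under, and a signature counter (a real YubiKey wraps the key into the handle).
type token struct {
	keys    map[string]*ecdsa.PrivateKey
	appOf   map[string][32]byte
	counter uint32
}

// authenticate is U2F_AUTHENTICATE: refuse a handle registered for another application,
// otherwise sign appParam || user presence || counter || challengeParam.
func (tk *token) authenticate(appParam, challengeParam [32]byte, handle []byte) (uint32, []byte, error) {
	priv, ok := tk.keys[string(handle)]
	if !ok || tk.appOf[string(handle)] != appParam {
		return 0, nil, fmt.Errorf("token: key handle is not valid for this application")
	}
	tk.counter++ // the key was touched; the signature counter moves forward
	digest := signedData(appParam, tk.counter, challengeParam)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return tk.counter, sig, err
}

// signedData is the U2F authentication signature layout, rebuilt identically by both sides.
func signedData(appParam [32]byte, counter uint32, challengeParam [32]byte) [32]byte {
	msg := append(appParam[:], 0x01) // user-presence byte: the token was touched
	msg = append(msg, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	return sha256.Sum256(append(msg, challengeParam[:]...))
}

// relyingParty keeps one registration and the highest counter it has accepted.
type relyingParty struct {
	appID   string
	handle  []byte
	pub     *ecdsa.PublicKey
	lastCtr uint32
}

// verify checks the issued challenge, that the browser-reported origin is allowed for this
// appID, the signature, and that the counter moved forward (a cloned key replaying an old counter fails here).
func (rp *relyingParty) verify(challenge string, cd []byte, counter uint32, sig []byte) error {
	var parsed clientData
	if err := json.Unmarshal(cd, &parsed); err != nil || parsed.Challenge != challenge {
		return fmt.Errorf("rp: client data does not match the issued challenge")
	}
	if parsed.Origin != rp.appID {
		return fmt.Errorf("rp: origin %q is not a facet of %q", parsed.Origin, rp.appID)
	}
	digest := signedData(sha256.Sum256([]byte(rp.appID)), counter, sha256.Sum256(cd))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], sig) {
		return fmt.Errorf("rp: bad signature")
	}
	if counter <= rp.lastCtr {
		return fmt.Errorf("rp: counter %d did not increase past %d", counter, rp.lastCtr)
	}
	rp.lastCtr = counter
	return nil
}

// login is one round trip for a page at browserOrigin asking to use appID: the RP issues a
// challenge, the browser builds clientData, the token signs or refuses, and the RP verifies.
func login(rp *relyingParty, tk *token, browserOrigin, appID string) error {
	raw := make([]byte, 32)
	rand.Read(raw)
	challenge := base64.RawURLEncoding.EncodeToString(raw)
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: browserOrigin})
	counter, sig, err := tk.authenticate(sha256.Sum256([]byte(appID)), sha256.Sum256(cd), rp.handle)
	if err != nil {
		return err
	}
	return rp.verify(challenge, cd, counter, sig)
}

// setup performs U2F_REGISTER for a made-up relying party: a fresh P-256 key pair bound to its application parameter.
func setup() (*relyingParty, *token) {
	tk := &token{keys: map[string]*ecdsa.PrivateKey{}, appOf: map[string][32]byte{}}
	rp := &relyingParty{appID: "https://accounts.example", handle: make([]byte, 16)}
	rand.Read(rp.handle)
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tk.keys[string(rp.handle)], tk.appOf[string(rp.handle)] = priv, sha256.Sum256([]byte(rp.appID))
	rp.pub = &priv.PublicKey
	return rp, tk
}
```

Two failure modes are worth running: a look-alike site that uses its own appID is stopped at the token, because the key handle is bound to the application parameter it was registered under; a look-alike site that relays the real site’s appID and challenge gets a valid signature, but the browser wrote the phishing origin into the client data, so the relying party rejects it. Neither defence exists for a TOTP code, which is the same six digits whichever page you type it into.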
A few FIDO U2F certified products are now becoming available to consumers, and after a bit of research I bought a YubiKey NEO from the Swedish manufacturer Yubico. So how does 2FA with the YubiKey NEO stack up against, say, using Google Authenticator on a mobile phone? Let’s have a quick look at the pros and cons.
Pros
- No battery: The YubiKey is powered by the USB port, so there is no battery to go flat. If you rely on 2FA from a mobile phone app and your battery is dead, you’re out of luck. Some sites let you configure a backup method in case you don’t have access to the 2FA app, but that method is often a text message - which will get you nowhere with a dead phone either.
- No driver requirements: A U2F token presents itself as a standard USB HID device, so there is nothing to download or install; the YubiKey works on pretty much any computer with a USB port.
- It’s tiny: Fits easily on your key chain.
- It’s not a target if you’re mugged: These days, the bad guys don’t want your key chain. They want your phone. And with that, they’ll also get all your 2FA codes. I doubt that they will use the 2FA app on your phone to get access to your accounts - the main reason they grab your phone is to quickly sell it for easy money - but no phone means no 2FA app for you.
Cons
- It’s hard to log in with a device that doesn’t have a USB port: No USB port means nowhere to connect your YubiKey. Some companies glue the USB ports on their computers shut for security reasons. And what if you want to log in to a site from your mobile phone? It may be possible to solve this with the YubiKey NEO’s NFC capabilities and an NFC-compatible phone, but I’ve not had the chance to test that.
- You can’t back up your YubiKey: There is no way to export the 2FA configuration on the key and transfer it to another key. This is by design, and perfectly understandable, but a major inconvenience if you misplace or lose the YubiKey. The practical workaround is to register a second key with every site that allows it and keep that key somewhere safe.
- The USB contacts are always exposed: There is no way to easily protect the USB contacts on the YubiKey. To me, this looks like a design flaw: it’s designed to sit on a key chain, and metal keys constantly rubbing against the contacts can’t be good for them.
- It’s yet another device: You already have your mobile phone with you wherever you go, why drag along yet another device?
- Very limited browser support: Right now, only Google Chrome supports U2F. This means that if you enable U2F on a site that supports it - and there aren’t many of those yet either - you’re stuck with Chrome. As far as I can tell, there are no plans to add U2F support to Opera, and there’s no real progress for Firefox either.
- Very limited site and service support: Right now, you can list all the sites that support U2F in one breath: Gmail and Google Accounts, GitHub, Dropbox, LastPass and WordPress.
- There’s no access control on the key: If someone gets hold of your YubiKey, they can use it straight away: U2F requires a touch on the key, but no PIN. (They would still need your password, but the second factor itself has no lock.) If you use a mobile phone app for 2FA, on the other hand, you can easily require a PIN, password, pattern or similar to unlock the phone.
As of right now, the cons undoubtedly outweigh the pros. The main problem is the very limited browser and service support. That’s the reason why I’m still using Google Authenticator for 2FA. But both browser and service support are likely to get better over time. When that time comes, I’m ready, and I’m looking forward to the day when a dedicated hardware device rules all second-factor authentication.
If you want to use U2F but don’t want to get another device to carry around, there might be an option for you: Transakt U2F from Entersekt. Transakt is a mobile-phone-based authentication product with a lightweight USB bridge that you install on your computer. The bridge lets your browser talk to the U2F-enabled Transakt app on your mobile phone. I’m not sure how this will actually work in practice, but I’m guessing you have to connect your mobile phone to your computer with a USB cable. Not amazingly convenient, but it does mean you don’t have to carry an additional device. Unless you count the USB cable as a device. The feature is currently available in a closed beta, but you can read more about it on Entersekt’s blog.
So, yeah. The day when U2F support is widely available, both in browsers and services, will come. We’re just not there yet.
Feedback
Contact vegard at vegard dot net with your input. You can also use any of the other points of contact listed on the About page.

Site hacks can expose your username and password, and a lot of people use the same username and password combination on several sites. In those cases, all your other accounts have effectively been hacked as well. Unless you have 2FA enabled.
You WILL use xmpp and sip once you adopt LTE.
I want to protect my accounts, but I do not want to divulge true identity information to 99% of the sites I use.
Because my policy is paramount I have lost access to all my Yahoo accounts, a pox upon them, and Outlook is more annoying to use. I lost access to my Steam account because Microsoft insisted on a mobile number DESPITE having set up 2FA TOTP weeks prior.
Microsoft needs some public shaming. TOTP is offered by outlook.com as an alternative to codes by mobile phone number via sms texting. The form will not accept numbers capable of sms texting which are not also attached to a mobile provider. TOTP is apparently a waste of time in their current security policies.
forsooth
I bought four YubiKey NEOs, and one U2F token from every manufacturer I could find on Amazon, or supported by lively F/OSS projects.
I will not use the google ecosystem; Privacy Rape is never acceptable.