Browser support is currently limited to Chrome, and possible Windows Edge*
For now it only works with USB. Bluetooth and NFC specs are out, browser support is the bottleneck
The protocol is public/private key based, with the private key strongly encouraged to be in tamper resistant/evident storage.
The protocol is authentication method agnostic. It doesn't care if you use a USB key, a retinal scan, a pin or divination.
You could write a software only authenticator if you wanted, but servers could detect that (and reject it if they chose to) through the attestation certificate you provided. You can't pretend to be a brand X authenticator, because only company X will have the private key(s) matching the attestation certs to sign (batches) of model X authenticator.
Yubikeys are just one implementation of a U2F authenticator. In theory GitHub now works with any present/future authenticators that talks U2F (modulo browser support) e.g. an iPhone+TouchID+NokNok SDK, a Pebble watch+app, an Android Phone+$your_app, an NFC implant, m-of-n wearables
* Microsoft announced something U2F related for Windows 10, I never got to the bottom of what exactly
Thanks for the link to your presentation. I'm currently implementing this in a Rails app and had a bit of a hard time to grok U2F with only the info from Fido site. Your talk will make it easier for my colleagues to understand U2F :)
Once you get it, don't forget to also use it with Dropbox and Google, which both predate GitHub in the U2F support. If you know any other provider, comment below, please!
Looks in the meantime it was overwhelmed, only 1 hour since your post.
> We are experiencing difficulties and the GitHub Special Offer is temporarily unavailable. We are working hard to fix the issue and appreciate your understanding.
> Keep an eye on Twitter (@yubico) for updates on when we will have the GitHub Special Offer available again.
Notice: load_plugin_textdomain was called with an argument that is deprecated since version 2.7 with no alternative available. in /nas/wp/www/cluster-50027/yubico2/wp-includes/functions.php on line 3510
Notice: Use of undefined constant WOOCOMMERCE_VERSION - assumed 'WOOCOMMERCE_VERSION' in /nas/wp/www/cluster-50027/yubico2/wp-content/plugins/woocommerce-wootax/woocommerce-wootax.php on line 552
Fatal error: Class 'WC_Payment_Gateway' not found in /nas/wp/www/cluster-50027/yubico2/wp-content/plugins/yubico-payment/yubico-payment.php on line 16
This seems less convenient to me than 2FA using Google authenticator. I always have my phone with me. I don't want to bother bringing a USB key between home and work.
The user experience is also better with U2F than previous 2FA systems. When GitHub prompts you for U2F, you press the yubikey and are instantly logged in. No typing random numbers with n seconds, no fake keyboard.
YMMV of course, but if you've tried U2F, it feels incredibly slick.
I think the issue is that I have a laptop at home and iMac at work so I don't bring my computer on my commute. Also, I like the extra security of the fingerprint scanner on my iPhone.
Your iPhone is completely covered with your fingerprints. Also, if your phone gets hacked/compromised the attacker could steal the secret used to generate your TOTPs. This is not possible with the Yubikey, it is absolutely impossible to extract the private key.
I have a Yubikey on my keychain (it can easily withstand this), and it takes very little effort to plug it into the USB port when I require it. Less than it would be to take my phone out.
As a side-note, some time ago the Yubikey had a vulnerability with its GPG module so they shipped out new ones for free. I now have the old key (with no GPG keys loaded on it) permanently plugged into my USB hub at my desktop. It is amazingly convenient.
It's probably a lot easier to steal your keys than it is to dust his phone for fingerprints and go through all the trouble of then faking the print on the sensor.
Heck, all someone needs to do is grab the one permanently plugged into your USB hub on your work desktop after you've left for the day.
It's my desktop in my home. If someone breaks in (or steals the other yubikey from my keychain, and thus has the keys to my home) I have bigger issues. And they still won't know my password.
In that case, I might prefer an authenticator to a keyfob that requires insertion too. The yubikey is slightly more secure since it's actually signing a message from the server rather than sending a password that can be (briefly) intercepted and replayed. But it's probably not 'better enough' to encourage someone not to use 2FA at all if U2F isn't convenient.
If user security has taught us anything in the last 20 years, it's that security features have to be convenient or may as well not exist. I think we'll be seeing a lot more 2FA options in the next few years. In this segment, user choice is a huge improvement in and of itself. I've also been testing Duo push for some internal stuff, which is a phone-based experience that's as smooth as silk. To each their own!
OTP based 2FA is susceptible to phishing and MITM attacks. U2F is phish-proof and makes MITM more difficult.
For computers you frequently use, you can get multiple keys and leave them in the port (Yubico makes a small one that stays in the port and only sticks out enough for you to be able to touch it, but it's a bit pricey).
I've used a YubiKey for 2FA for a year or so now. It just sits in my USB port and it feels too convenient - steal my laptop and you get my key. At least my phone has a PIN.
Mine is on my keychain, plus you need my username, password and yubikey to authenticate, so if someone steals my laptop (oh noes!) they still have hurdles to jump.
U2F is protection against someone phishing/stealing your credentials online. Your password is your protection against someone stealing your laptop. The likelihood that a person who steals your laptop also managed to phish/steal your credentials is minute.
For me that key is the emergency key. I have it on my keychain. I use Google Authenticator normally. I don't yet have U2F key always inserted the computer in my home but I think it would be convenient. I have a regular Yubikey inserted in the USB slot in my monitor to unlock Password Safe with a 25 char password. I don't think I would like it permanently inserted on a device I carry outside of my home.
Most of the USB keys are in a form factor that fits well on an existing key ring. If you are like most people, you presumably also already have a pile of keys connected to a key ring on you at all times.
You don't have to unlock your phone device and launch the appropriate app, you just need to plug into an open USB slot on the machine you are using.
This is actually more convenient sometimes. I already have one of these FOBs permanently attached to my computer. It's a tiny pieces that fit into usb and only protrudes a couple of milimiters. Since I have this always connected all I have to do is touch it and I'm in. Takes me less than once second while taking my phone, opening the app and typing the code by hand takes 10-20 seconds.
The downside is that it takes a USB port, which is one of the reasons I hated this years MacBook so much.
Dumb question... what does the yubikey then do that a normal computer can't do? If you keep it plugged in, what security benefit does it have over storing (strong) passwords?
One thing to consider is the possibility of your phone itself being compromised (stagefright et al.). Note how Duo issued a security advisory to limit access for Android devices [1].
A fully isolated component like a Yubikey has a smaller attack surface area for these kinds of things (easier to audit smaller code, no sustained Internet or cellular connectivity).
Uh. U2F feels incredibly limited compared to PKCS#11 I really wonder why it was chosen (and somewhat disappointed by the choice.)
With a smartcard that can hold an key pair, one can both authenticate (sign) and encrypt messages, using a same single key (or multiple keys if wish for multiple identities). With U2F all one can is authenticate, using a distinct securely-stored PSK for each remote party.
The infrastructure around smartcards is designed for one enterprise to pay another enterprise millions of dollars to roll out Active Directory-based authentication for a Windows domain with hundreds of thousands of users, for a multinational corporation to roll out a payment card, etc.
A single hobbyist maintains an open-source tool that allows applets to be loaded on to GlobalPlatform-compliant cards. It's pretty fragile and requires some trickery and tribal knowledge. You have to hope some forum somwhere has the unlock key to allow applet loading on whatever card you bought. Another single hobbyist maintains a PKCS#11-compatible card applet, PKIApplet. It requires a relatively modern JavaCard version and compatible JavaCards are not always available for individual purchase in the U.S. If you're prepared to really get down and dirty with DIY trickery, you might manage to load PKIApplet onto a JavaCard with GlobalPlatformPro.
Actually using it requires OpenSC, not a shining example of usability or code quality. It requires specific drivers for different cards, each having slightly different personalization procedures. Many of the drivers in it are for cards that can no longer be purchased. PKIApplet appears to have a driver in OpenSC but I haven't gotten an opportunity to test it yet. Much of the tooling you'll find references to in documentation turns out to have expired domains and abandoned SourceForge projects last updated 2002.
The OpenPGP route appears to be a little less sad than the PKCS#11 route, since at least Yubikey maintains a modern OpenPGPApplet.
If your Fortune 100 company's CTO wants to play golf with Gemalto, smart cards are for you. Otherwise, probably not. It makes sense that a modern personal 2FA solution would want to be free of all that legacy.
Makes sense. Enterprise shit is, indeed, terrible. However, I didn't mean there is any reason to support every JavaCard out there and existing (enterprise) software - and I suppose this is where it all really starts to smell. On the other hand, they have designed a whole new standard, protocol and devices.
I've edited this for quite long time and finally figured out what I really had in my mind. I'm not disappointed it's a new standard or anything like this. I'm disappointed by the fact that this stuff isn't extensible and nothing new can be build upon this.
Not in a sense that no new software can be added to a token, but when you use U2F you just have a means to prove you know some PSK. And that's it. Would the token hold a keypair and use digital signatures instead, it could bring much more possibilities in the long run. Like sending encrypted emails to the token owners, or building a global identity system where identities are something user possesses, not leases from the "identity providers".
I like this because I keep a U2F Neo-n device permanently in my laptop USB port. It's just more convenient for services that support it. In the future, I would like to require it for employees on our app.
However, when I go into Github to turn it on (in chrome using U2F devices I have already used with Google) it says "This device cannot be registered." Even when I remove the device it says that. I'm disappointed that the feature is not working.
I had this problem too, and it turned out my system wasn't configured correctly. I had to download https://github.com/Yubico/libu2f-host/blob/master/70-u2f.rul... to /etc/udev/rules.d and then udevadm control --reload-rules . Worked fine after that. HTH.
Gah, just noticed you are using a different brand of device. Anyway, if you're on Linux, poking around the USB stack might point to a solution. It did for me.
Just a warning with the yubikeys. I had to use a solution that had these for a few months. The USB port of my laptop (2011 MBP) was pretty much worn out due the physical insertion and removal - other stuff would just fall out. Eventually this port blew entirely stopped working.
This is not specific to the MBP as a colleague's ThinkPad had the same problem.
Sod the Yubikey. Get a Pebble Time watch and install the QuickAuth app. One press of a button on my watch and I get a list of two factor auth codes for my various services, now including Github. Doesn't require plugging anything into my laptop. Doesn't require my phone to be near me or on. Doesn't require Internet access.
It's faster. No typing. No worry about malware stealing your OTP secret. It's easy to revoke a single device if you lose it without having to change your Authenticator secrets everywhere. And it looks cool.
I never understood the point of 2-factor authentication, and moreover, certain agencies (e.g. banks) that force using it. Can't we just pick good enough passwords?
Personally I hate being {attached to|associated with|being required to carry} a particular piece of hardware; I much prefer that information freely flows with me as I move between the various devices I interact with over the course of a day.
There are many times I don't carry my phone around with me or do not wish to, simply because I have a terminal that loads my personalized environment everywhere I go. Information flows with me, not hardware.
You're expressing a preference for convenience over security. The truth is that most people pick bad passwords, and even good passwords can be cracked.
2FA with a physical component is generally the best way to achieve the goal of "information flows with me". With a password only, you can more aptly describe the situation as "information flows with anyone who knows my password".
In that case, can we do 2FA with something biometric? Or even 2 passwords?
A physical component has a lot of issues:
* It can be stolen or robbed at gunpoint. Torture, drugging, and hypnosis aside, your mind is much more secure.
* It can run out of batteries.
* It's one more thing you can lose. It's already annoying enough to have to remember to carry 7 or 8 things every day, including a phone, bike light, smart watch, tablet, battery pack, reusable utensils, and so on. I don't want to have to add more things to this list.
* It can be damaged by the elements.
* It can be difficult to give access to others who you want to give access to.
* It may have security holes of its own, both in hardware and in software.
* When damaged or robbed, the user is highly inconvenienced, to the point that they are unable to access their own money/accounts/etc. How do get food, water, and get home from the middle of nowhere after your wallet and phone have been taken from your person? With password-only methods, you could theoretically find a nearby public terminal, log in with a simple username and password, and get an ride/call a friend/file a report/do whatever you need to do.
* If it relies on cellular service, it may not work internationally if the user changes SIM cards or devices. For many that live near border towns and cross borders every day for work, this becomes a massive inconvenience.
Biometrics make great usernames but poor passwords since they can't be changed. Imagine a fingerprint system of some kind - someone images your fingerprint from, say, a leftover coffee cup (not hard or expensive to do), and you're pwned.
The Yubikey does not run on batteries. It requires no cellular service. It can be damaged by the elements but not easily. Most electronics would break before it does. Of course you can lose it, but you can lose anything. Attach it to something you care about, such as your regular keychain. If you want to give access to someone, register a second key and lend that key to them. Then revoke when they don't need it.
> I never understood the point of
2-factor authentication
Ouch. People choosing bad passwords has been mentioned already but the real reason is because it protects against a broad range of MITM attacks as well as some sorts of phishing attacks.
The point is that without it, information just as freely flows to someone with your password across the world. Getting USB sticks like this is a win for me, I hate using my phone for 2FA as well, but something I can just toss on my key ring? Hardly a burden.
What if the thing you're trying to access from doesn't have a USB port? Like, an intelligent table surface, a digital wall, a smart goggle device, or even an tablet that only has a micro-USB port?
Information flow protocols and hardware should be abstracted and separated in the same way that we generally separate church and state in most modern nations. Otherwise, the innovation of either is going to be pulled behind by the other.
Likely the next step for those will be NFC communication. Yubikey NEO has this for example, and can be used with Android phones. Note that U2F uses challenge - response protocol so sniffing the radio waves will not reveal the secret.
A lot of services seem to love using SMS-based 2FA. Thing is, I've already made a personal decision to ditch SMS as antiquated technology (along with the telegram), in favor of e-mail, WeChat, WhatsApp, Facebook and other communication alternatives.
Since some apps apparently still want to cling to old technology, I have one SMS-enabled phone number -- a Google Voice number which forwards to my e-mail address. I don't need to carry my phone around to get my SMS messages. But then again, it's not really 2FA anyway, it's just an annoyance; effectively 2 passwords (one to login to the app, one to login to my e-mail to check my SMS messages).
Browser support is currently limited to Chrome, and possible Windows Edge*
For now it only works with USB. Bluetooth and NFC specs are out, browser support is the bottleneck
The protocol is public/private key based, with the private key strongly encouraged to be in tamper resistant/evident storage.
The protocol is authentication method agnostic. It doesn't care if you use a USB key, a retinal scan, a pin or divination.
You could write a software only authenticator if you wanted, but servers could detect that (and reject it if they chose to) through the attestation certificate you provided. You can't pretend to be a brand X authenticator, because only company X will have the private key(s) matching the attestation certs to sign (batches) of model X authenticator.
Yubikeys are just one implementation of a U2F authenticator. In theory GitHub now works with any present/future authenticators that talks U2F (modulo browser support) e.g. an iPhone+TouchID+NokNok SDK, a Pebble watch+app, an Android Phone+$your_app, an NFC implant, m-of-n wearables
* Microsoft announced something U2F related for Windows 10, I never got to the bottom of what exactly
For more detail I did a talk at EuroPython this year https://moreati.github.io/passwordspain/#/ https://www.youtube.com/watch?v=YSTsgldazSU