
I've been thinking about buying a YubiKey. Could you elaborate on how U2F protects against MitM and phishing?



U2F knows what domain you're using it with, and won't send an authentication token for google.com to phisher.com.
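A constructed model of that origin binding, added here as an illustration and not code from the thread or from any real token: the browser reports the page's actual origin, the token derives the per-site key from that origin, and the relying party checks the origin before verifying. HMAC stands in for the ECDSA signature a real device uses (an assumption); the signed message layout, H(app_id) || H(client_data), follows U2F.

```python
import hashlib, hmac, json, os

class Authenticator:
    """The token: it never sees the page, only the origin the browser reports."""
    def __init__(self):
        self.device_secret = os.urandom(32)
    def _site_key(self, key_handle: bytes, app_id: str) -> bytes:
        # Key derived from handle AND origin, so a handle minted for google.com
        # yields an unrelated key when presented under phisher.com.
        return hmac.new(self.device_secret, key_handle + app_id.encode(),
                        hashlib.sha256).digest()
    def register(self, app_id: str):
        key_handle = os.urandom(16)
        return key_handle, self._site_key(key_handle, app_id)  # "public key"
    def sign(self, app_id: str, key_handle: bytes, client_hash: bytes) -> bytes:
        msg = hashlib.sha256(app_id.encode()).digest() + client_hash
        return hmac.new(self._site_key(key_handle, app_id), msg,  # assumption:
                        hashlib.sha256).digest()                 # HMAC for ECDSA

class RelyingParty:
    """google.com in the thread: keeps the handle and key from registration."""
    def __init__(self, origin: str, token: Authenticator):
        self.origin = origin
        self.key_handle, self.pubkey = token.register(origin)
    def verify(self, challenge: bytes, client_data: bytes, sig: bytes) -> bool:
        data = json.loads(client_data)
        if data["origin"] != self.origin or data["challenge"] != challenge.hex():
            return False  # wrong site, or a challenge that was not ours
        msg = (hashlib.sha256(self.origin.encode()).digest()
               + hashlib.sha256(client_data).digest())
        expected = hmac.new(self.pubkey, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)

def browser_login(token, rp, page_origin: str, challenge: bytes):
    """The browser fills in the origin of the page the user is really on."""
    client_data = json.dumps({"challenge": challenge.hex(),
                              "origin": page_origin}).encode()
    sig = token.sign(page_origin, rp.key_handle,
                     hashlib.sha256(client_data).digest())
    return client_data, sig

def demo():
    token = Authenticator()
    google = RelyingParty("https://google.com", token)
    ch = os.urandom(32)
    legit = google.verify(ch, *browser_login(token, google, "https://google.com", ch))
    # Phishing page relays google's genuine challenge and key handle to the user
    relayed = google.verify(ch, *browser_login(token, google, "https://phisher.com", ch))
    return legit, relayed  # (True, False)
```

Even if the relying party skipped its origin check, the relayed assertion would still fail, because the token's per-site key for phisher.com is not the one registered for google.com.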


A password manager will do the same thing for you.

(I'm not arguing that PMs are >= to hardware 2FA, but they both will keep this exact thing from happening)


One key difference which made me appreciate the thought which went into U2F: people using password managers can still copy and paste the real password into the form, which they're somewhat trained to do by all of the large websites which don't have / don't have working single sign on.

With U2F that failure mode is impossible since you cannot get the private key to shoot yourself in the foot with, even if the phisher successfully convinces you to try.


Indeed it will. In fact, I'm not convinced U2F adds any meaningful security over a good password manager.


You know when your U2F device has been stolen because it's not in your possession anymore. The hardware is meant to be at least tamper-evident, if not tamper-resistant, so an attacker can't just steal the internal secret and put the device back where they found it.

Bytes in a password manager are hard to steal, but if you do steal them, the legitimate owner won't necessarily ever know.




