What sites could you sign into with a cryptographic second factor before Google launched U2F? All that was out there were easily-phishable TOTP tokens. Now you can register a security key and use it as a second factor on desktops and phones. It's pretty impressive, though unfortunate that ultimately the industry picked a similar-but-different standard.
What sites currently let me authenticate with WebAuthn? (Github still uses U2F, it seems.)
Can I, though? I asked https://news.ycombinator.com/item?id=19316509 to see if there was a way to build a habit out of my security token. Not only did I not get responses there, but I haven't actually found that many places that support using a u2f token. There are an some that support it ok, but all require me to use chrome and none seem to support using it at least once a day. (Or anything like that.)
Today the backup practice is to enable 2 keys in all accounts: one that you keep with yourself, the other that you leave in a safe.
There's been some experiments of creating copies of the master secret, e.g. . Today you can do so either w/ u2f zero or with its upgrade solo hacker (note the hacker version), but we currently don't support it officially.
My personal advice as of now is to always have security key(s) + totp code. The security keys protect you against phishing, so if you click on an email link and get prompted for login, you're either safe (if you use the security key) or at least reminded about the risk (if you're used to use the security key but you don't have it with you at the moment). Viceversa, if you're directly logging into a website and you typed the url yourself, then totp offers the same security, so it's a totally valid alternative. Hope this makes sense.
Ok, I thought the whole point was that I couldn't get a secret off a token. :(
My biggest concern is that I don't have a solid method to build the habit of using the devices. I started using pass to generate and store passwords. That doesn't work with just u2f keys, though. That I could tell.
In my opinion, the root cause of this is that Linux made a conscious decision to not maintain binary ABI compatibility with device drivers.
Android is open source, and Linux-based. The licenses allow phone manufacturers to fork Android and integrate it with devices that only have closed-source binary blob drivers, without involving Google. The end result is a bunch of phones whose kernels (and thus OSes) are impossible to update. (I am told that Microsoft found this sufficiently frustrating and that it decided it would write its own drivers for the vast majority of hardware.)
Linux has a Very Good Reason to discourage binary driver compatibility -- it would rather see those drivers be open-sourced under GPL and moved in-tree. But the end result has seriously hurt the security of more than two-thirds of Android users -- users who otherwise should be inclined to choose open-source because they are paranoid about security.
I think the right answer is to require folks to have Android Q+ to continue to use security keys with an Android account, but I imagine that's not a viable choice because the optics would be that Google is doing a "money grab" in exchange for security.
"We’ve recently learned that Google Accounts has slipped their schedule for using Web Authentication to register new credentials. This delay is attributed to security key support on Android being, for most devices, non-upgradable."
Would be nice. Even with the experimental settings turned on in about:config, I could only read input from my Yubikey, I couldn't add one. I had to install Chromium just so I could add my Yubikey to my Google account.
FastMail is still using the old FIDO U2F API; we’ve been planning on migrating to WebAuthn since it was finalised, but investigation revealed that the migration would not be entirely straightforward (especially if tokens registered with WebAuthn needed to still work with U2F, which at the time was important but could probably now be skipped), so we deferred it, since the U2F support is adequate for most users. I expect this is the experience with many small teams that support the FIDO U2F API. Documentation on migration is difficult to come by; I think https://www.imperialviolet.org/2018/03/27/webauthn.html is the main source I’ve encountered.
Not a web dev. Is there a way to force U2F with firefox for google accounts? The lack of (obvious) U2F support in FF for Google accounts is one of the things holding me back from switching back to FF from Chrome.
"We agreed then to implement a hard-coded permission for Google Accounts when utilizing FIDO U2F API credential support, whether that was via Web Authentication’s backward compatibility extension, or via Firefox’s FIDO U2F API support hidden behind the “security.webauth.u2f” preference."
I've found the Firefox U2F support on Windows, especially with Google, quite temperamental. It will prompt me to touch my Yubikey and I will, only to get some failure. I can't work out what causes it but replygging and retrying a few times normally gets me logged in. Very irritating.