Using Universal 2nd Factor (U2F) hardware security keys for multi-factor authentication (MFA / 2FA) provides strong security and good usability — the best of both worlds. A standard hosted by the FIDO Alliance, U2F devices usually take the form of tiny USB keys that can be attached to keychains or plugged into computers on a near-persistent basis.
U2F uses a challenge-response authentication flow based on public-key cryptography, generating a new key pair and key handle for each registration. These application-specific keys prevent tracking devices between different user accounts: example.com cannot know whether User1 and User2 share the same device. (More technical details here.)
Because the cryptographic handshake happens automatically behind the scenes, without having to copy and paste codes, U2F is virtually impervious to phishing and man-in-the-middle (MitM) attacks. Usability is also markedly better than one-time-password (OTP) codes, as Google noted in a research paper based on a two-year study of U2F-based two-factor authentication in their organization. They found that user authentication time was reduced by nearly two-thirds, and authentication failures were reduced to zero.
In my own personal testing, U2F works well. Extremely well. So in the spirit of “Be the change you want to see in the world,” I vow not to build a new web application without support for multi-factor authentication in general, and U2F keys in particular.
The following desktop browsers support U2F keys:
- Firefox 57
- Opera 40+
- Chromium 38+
I currently use Firefox 57 for anything related to U2F. It’s a fantastic browser, and I highly recommend it for both users and developers. To enable U2F in Firefox 57, enter
about:config in the browser address bar followed by Return, and then type “u2f” to filter the list to
security.webauth.u2f. Double-tap the
false value to change it to
(Special shout-out to J.C. Jones and the Firefox team for working so diligently at getting U2F support into Firefox 57. Bravo! Please consider reaching out and expressing your thanks as well.)
Someone filed a WebKit issue in 2015, but as far as I know Apple has not commented on U2F support in Safari.
There is an open-source Safari extension that attempts to support U2F, but I was not able to get it to function properly.
LOL 🤷🏼♂️ — Microsoft lists U2F support for Edge as “not currently planned.”
In addition to USB, U2F also supports authentication via Bluetooth LE and near-field communication (NFC) protocols. Android supports U2F via Bluetooth and NFC, while there is currently no word from Apple regarding U2F support in iOS. However, given that iOS 11 now supports OTP via NFC, perhaps U2F support is not too far behind. One can dream.
I currently use three U2F devices:
- 1 × Yubico Nano 4C USB-C key — persistently inserted in notebook
- 2 × Yubico U2F USB-A key — one persistently connected to desktop, one as backup in secure location
If your notebook doesn’t have a USB-C port and you want a low-profile option that can be persistently inserted, you probably want the Yubico Nano 4 USB-A key.
My only complaint with the Nano keys is that it’s too easy to accidentally touch them and trigger OTP code eruptions wherever your cursor happens to be. Have a file selected? It just got renamed to gibberish. This annoyance can be addressed by downloading the Yubikey Personalization Tool and configuring your Nano as described in the aforementioned FAQ entry. Alternatively, macOS users can use the open-source yubiswitch status bar item to turn the device on/off via a hot-key.
So Where Can I Use U2F?
As excited as I am about U2F’s security and usability benefits, I am saddened at the few number of applications with which I can use it. While by no means comprehensive, Yubico’s list of services that support U2F consists of just 23 entries. Of those, I only use GitHub and GitLab. What about my banks and financial institutions? Health care organizations? Those are just two categories, of course, but to me they are the most important because they store the most sensitive information.
None of my financial or health care organizations currently support proper U2F. Not one.
The word “proper” here is key. A couple of my financial institutions claim to support U2F but then render it completely useless by allowing it to be bypassed via insecure SMS code-based recovery.
What You Can Do
As developers, I think I’ve made it clear what I believe what not to do, and what constitutes MFA best practices. So please… consider that carefully when implementing MFA in your systems.
As users, the best things we can do are:
- be vocal
- vote with your feet
Do you have accounts at organizations that don’t support U2F? Call them out on Twitter, Facebook, and other social networks. Voice your concerns via their support channels.
Browser vendors (i.e., Apple and Microsoft) shouldn’t get a pass here, either. Post a comment on the existing WebKit issue. Reach out to company representatives on social media and encourage them to support U2F.
And if advocacy doesn’t get anywhere, vote with your feet by taking your business and page views somewhere else. Switch banks. Use Firefox. Reward the organizations that take the security of your data seriously.
What are you waiting for? Make your voice heard.