Thoughts on U2F

published Apr 06, 2017 12:05   by admin ( last modified Apr 06, 2017 12:06 )

U2F is an authentication standard pushed by among others, Google. It is used for two factor authentication, where a USB dongle or NFC is used to cryptographically sign a response to a request from the party that requires you to authenticate. Here are my thoughts so far. I basically think it's good but I piled on more on the bad side below:

The good:

  • Cryptographically signing a response is really smart and potentially very secure. It is similar to how Bitcoin works. It is more secure, if the device signing has its own display so you can verify what it outputs. Otherwise you may just think you are signing something, and in fact your nefarious computer is in fact signing with something else.

The bad

  • It needs to communicate with a computer, and this is for obvious reasons done over a standard interface, such as USB. Which interface is a little bit over-expressive in its communication abilities. Which means that secure computers disable USB access. And now you have nowhere to stick your dongle.
  • A popular security measure now is sandboxing and virtualization, such as with Qubes OS. If you are using a dongle, you now need to route the USB port to that virtual machine.
  • Currently only Chrome supports it, but that may change. My Linux Firefox refuses, in spite of extension and udev rules. I may have done something wrong but then again, there you go.
  • Many sites and services seem happy with OTP, and are not in the process of switching over: USB Dongle Auth List