
Using a U2F USB authentication key to log in to services such as Google seems a good idea. However, these services often allow you to register a backup two-factor-authentication (2FA) method, which you can use in the event that you lose your U2F physical device.

The fact that you can just use a 'backup method' to log in to these services seems to defeat the point of having the U2F key in the first place. If security is only as strong as the weakest link, then a hacker with password access to an account can just bypass the U2F device by claiming that the key went missing, using (for example) SMS.

On the other hand, people may not want to risk all their web account access to a single USB device. If it's attached to their keys, there's every chance it could get lost, left out in the rain, etc. Ideally, it would be possible to purchase two U2F devices that are registered with the identical 'secret'. By not allowing any other 2FA method, in the event that the U2F device went missing I would have a backup securely stored at home.

Question: Is it possible to duplicate U2F devices and set online services (such as Google) to only allow U2F, with no other backup method? Obviously if a user were to buy two U2F devices and they were to both go missing, then the user would be irreversibly locked out of their online accounts, but this would be a risk that the user would knowingly sign up to. I really can't see the point in switching to U2F devices unless this is an option.

CaptainProg
  • I'm not sure if it's possible to add duplicate (or two) U2F devices to Google, but a way to not have any other backup might be to simply use all your backup codes and not generate any new ones. Have you tried this? – Jotunacorn Dec 19 '17 at 09:56
  • I'm not suggesting adding two devices from Google's perspective; I mean creating a duplicate U2F device. So as far as Google is concerned, there's only one device as they're identical. – CaptainProg Dec 19 '17 at 10:16
  • @CaptainProg Why would you want to do it that way? U2F devices are specifically designed to be difficult/impossible to clone, and from a security perspective it seems like you'd want to be able to revoke one key without revoking the other anyway. – Ajedi32 Dec 19 '17 at 16:24
  • My reasons are: (1) If I only have one device and I lose it, then I lose all my online accounts... *Unless* I have a backup account recovery option set up. In which case: (2) there's little point in having the U2F device in the first place, since a hacker can just switch the authentication method using the backup method. – CaptainProg Dec 19 '17 at 17:37
  • @CaptainProg (1) Well, no. You'd just use the second U2F device that you also added to the account. (2) How is that any different from how it'd be if you had a duplicate U2F device? – Ajedi32 Dec 19 '17 at 18:30
  • 2
    Okay - so I can buy two U2F devices. I hadn't realised that websites would support two U2F devices. But if they do, then that method would clearly work. As for (2), the difference would be that if I have two devices, I would be happy to disable all other account recovery options. But I wouldn't be happy to do that if I had only one device. So assuming all these web services support having two U2F devices with different IDs, then this solves the problem. – CaptainProg Dec 19 '17 at 22:30

4 Answers


If the service you are using supports multiple different U2F devices, you may add more than one to the service. In the Google case I believe they support more than one linked device. To disable the backup security codes you may simply use them all.

You cannot duplicate your U2F device, but there may be manufacturers selling pairs. By design the U2F device should be write-only, i.e. only returning replies to challenges, not the stored secret. Allowing the secret to be read (in order to create a duplicate after creation) may pose a security risk, since someone obtaining your U2F device may create a duplicate without your knowledge.

Jotunacorn
  • What I'm struggling to understand is how the U2F system is truly secure if you can't get a backup device. Because, if the only way to have a backup is to rely on a less-secure authentication method (such as SMS), then there is no point in the U2F device in the first place. It seems that the user has to choose between either not setting a backup option (which risks losing all your online data to something like leaving your keys out in the rain), versus not using the U2F device in the first place, as security is only as strong as the weakest link. Perhaps I'm missing something important here... – CaptainProg Dec 19 '17 at 17:41
  • Of course, if there *are* manufacturers selling pairs of devices, then this would be the solution. But I've not heard of such a thing. So what extra security is it that people think they're getting when they buy *one* device? (Unless they disable all other account recovery options, but do people really risk all their online account security on the stability of one small USB stick?) – CaptainProg Dec 19 '17 at 17:50
  • @CaptainProg At the moment of writing it, no major manufacturers sell pairs to my knowledge, but it is totally possible to use the open-source u2f-zero project (or its successor "solo"). I do that successfully. See my answer for details. – Dmitry Frank Mar 28 '19 at 10:07

Having two distinct security keys (which is the most suggested method of backup) is not convenient at all, because I have to add both of my keys every time I register on a new service, and it means that I can't keep the backup key stored very securely (as it needs to be easily accessible).

But the truth is: it is totally possible to have a pair of U2F keys which are set up in the following way:

  • When I register the primary token on some service, the backup automatically becomes valid for this service as well;
  • When I use the backup token on some service for the first time, the primary one is invalidated for that service.

(Read the technical details in the article linked below)

This way, I could store my backup key somewhere really secure and hard to reach, and whenever I register my primary key on some service, I have peace of mind knowing that I'm covered by the backup automatically.

For that, manufacturers would have to sell matched pairs of tokens set up in this way. At the moment of writing it, the only way to do that is to use U2F-zero or its successor Solo. I personally only used U2F-zero so far.

See all the details in the article Reliable, Secure and Universal Backup for U2F Token

Dmitry Frank

Short answer: Some sites allow you to turn off your backup option if using a U2F device, but doing so is at your own risk.

Long answer: Convenience and security are often at odds with each other. You are correct, having a backup login solution defeats the purpose of having the U2F key, as technically you could use your fallback method to bypass it. Any account is only as secure as its fallback authentication. If there is no fallback, then you are secure. You are also without recourse if you lose your U2F device. To my knowledge, no two U2F devices are created with the same private key, or at least they shouldn't be. If you had two duplicate U2F devices, this too would be a weakness in your security. It should be noted that a TOTP application is a relatively secure fallback as long as the device you're using is secured properly.

John
  • 1
    Thanks. I now understand *why* you can't get duplicate U2F devices. To summarise what I've learned here, there are *some* websites that allow two (different) U2F devices to be registered simultaneously. But, as per your advice, it is sufficient to use a TOTP application as one of the two options. This would appear to be a good balance between security and convenience. Obviously this balance will be different for everyone. – CaptainProg Dec 21 '17 at 17:26

Google now offers Advanced Protection, which does what you want (with two security keys).

Ricky
  • 1
    Perfect. Although this wasn't available at the time of posting, this is exactly what I was looking for. – CaptainProg Aug 02 '18 at 10:05
  • I had a look at other websites (dropbox, amazon, twitter, facebook...) but google seems to be the only one that allows to use *only* security keys. – Ricky Aug 02 '18 at 14:45
  • So far so good for Google. I guess it might take some time for the others to catch up.. :) – CaptainProg Aug 06 '18 at 07:42