Questions tagged [u2f]

Universal Second Factor (U2F) is a protocol for strengthening online authentication.

U2F (Universal Second Factor) is a protocol for strengthening online authentication, originally developed by Google and now in the hands of the FIDO Alliance.
It requires that a website supports U2F and that the user has a U2F device.

  • A user logs in using a username and password as normal, but the website can require a further verification (second factor) at any time.
  • When asked for the second factor, the user must present their device to provide further authentication. The device can connect to the client machine as a USB device or via NFC.
  • After connecting to the client machine it can provide the requested further authentication. The device itself can be locked using, for example, a 4-digit PIN.

Sources:
Official U2F specification
Wikipedia entry on U2F

75 questions
34 votes, 6 answers

Why don't PGP and SSH keys see more widespread use as a second factor when authenticating?

One of the major up-and-coming MFA methods is U2F, which relies on an initial key exchange and challenge-response mechanism. It's a relatively new protocol, and is only starting to see more widespread adoption, notably among big web entities like…
Jules
31 votes, 3 answers

Is a USB security key trackable among websites?

If I have a security key (U2F key) like a YubiKey and use it on websites A and B and the owner of these two websites is the same, can the website owner know that I am the same user?
cooker
20 votes, 5 answers

Why do some FIDO security fobs use keyboard emulation mode?

I was troubled from the very beginning by the fact that my U2F security fob acts as a keyboard and theoretically is able to press any key when no one is looking. Sometimes I accidentally touch it and then the screen goes mad because of all those…
IlliakaillI
13 votes, 2 answers

Which websites support U2F?

FIDO Alliance's Universal 2nd Factor (U2F) is a new and promising approach to replace passwords. The FIDO Alliance comprises many players, but so far only the Google website seems to support it. Are there other websites I can use to login with my U2F…
jans
12 votes, 1 answer

FIDO and FIDO2 differences

I've been reading both FIDO and FIDO2 specs for a while trying to understand the similarities and differences between both. Here is how I broke it down so far: FIDO: First iteration in creating a cross industry standard for passwordless / 2fa…
Filipe Rodrigues
9 votes, 2 answers

Are FIDO U2F keys (like dual Yubikeys or dual Google Titan keys) undermined by the Google account recovery process?

According to the Google information page here: https://support.google.com/accounts/answer/6103523 If you don’t have another second step or forgot your password Note: 2-Step Verification requires an extra step to prove you own an account. Because of…
knaccc
9 votes, 1 answer

Privacy of U2F keys

If I use the same U2F key for two accounts on some service, could the service detect that and match the accounts? Equivalently, if I used the same U2F key for two different services, could the services collude to match accounts between them?
Colonel Panic
9 votes, 3 answers

Why is U2F not good enough to be used as authentication?

In the context of low- and mid-security applications (i.e., 95% of the web), why isn't U2F good enough to be the only factor? As far as I can tell, U2F very securely implements the "something you have" authentication factor. There's many web apps…
AstraLuma
8 votes, 1 answer

How do OTP USB sticks work?

I just discovered the YubiKey NEO which seems like a pretty awesome device for maintaining security for a variety of different things including computer login, SSH private keys, GPG private keys, and even password safes applications. I generally…
Naftuli Kay
8 votes, 2 answers

Why is FIDO U2F an entirely different standard from FIDO UAF instead of just a subset?

As you may already be aware, the Universal 2nd Factor (U2F) standard is a standard for 2nd-factor authentication which allows users to authenticate to web applications using a USB hardware token. While reading up on this standard, I discovered that…
Ajedi32
7 votes, 4 answers

Possible to use *only* U2F authentication?

Using a U2F USB authentication key to login to services such as Google seems a good idea. However, these services often allow you to register a backup two-factor-authentication (2FA) method, which you can use in the event that you lose your U2F…
CaptainProg
7 votes, 5 answers

Can a smartphone strictly be viewed as the 'something you possess' factor for 2FA when it has no hardware token capability like smartcards?

It seems that 2FA purists seem to go for security keys (like YubiKey or smart-cards) while others seem to have a more relaxed stance which even seems to include 'possession' of non-physical elements like an email address, a phone number or a push…
Tommy Bravo
7 votes, 2 answers

Can a FIDO U2F device be used for symmetric encryption?

As I understand, U2F is mainly used for authentication. It uses challenge-response scheme to check if the device used for logging in is the same device which was used during registration based on shared secret. So the result of the process is a…
atok
7 votes, 1 answer

Are there any risks associated with using a single U2F/FIDO key with multiple sets of credentials?

I recently got a FIDO U2F key (AKA a Yubikey). I currently only use it across a range of services, but could this be a security risk in any way? For example, if I use my U2F key to authenticate on a shady and/or insecure and/or malicious website,…
Jules
6 votes, 2 answers

Is phishing ineffective against a Gmail account that has 2FA?

According to my knowledge, phishing basically only steals the email id and password, right?