Questions tagged [u2f]

U2F (Universal Second Factor) is a protocol for strengthening online authentication, originally developed by Google and now in the hands of the FIDO Alliance.
It requires that a website supports U2F and that the user has a U2F device.

  • A user logs in using a username and password as normal, but the website can require a further verification (second factor) at any time.
  • When asked for the second factor, the user must present their device to provide further authentication. The device can connect to the client machine as a USB device or via NFC.
  • After connecting to the client machine, the device can provide the requested further authentication. The device itself can be locked using, for example, a 4-digit PIN.

Sources:
Official U2F specification
Wikipedia entry on U2F

75 questions

3 votes, 1 answer

FIDO U2F - MacOS TouchBar

I understand how FIDO works with yubikey: Yubikey device has a symmetric key and it uses appId, nonce and symmetric key to generate key pair for a website. And the device gives back public key and keyHandle (which can be used to generate private key)…
Jack

3 votes, 1 answer

Yubikey - WebAuthn and U2F

I have a yubikey which supports only U2F. It doesn't support FIDO2. I read about U2F and I understand how it works. When I test my Yubikey for WebAuthn on https://webauthn.io it works. I wanted to know how WebAuthn works with my Yubikey when there…
Jack

3 votes, 1 answer

How do FIDO keys prevent MITM reflection attacks?

FIDO keys, used for 2 factor authentication, are based on a challenge-response mechanism. Besides generating a common 1-time-key using Diffie-Hellman, or transferring all data over TLS, how can they prevent reflection attacks? Challenge: Alice -> Eve…
Bharel

3 votes, 0 answers

USB-C and NFC U2F Keys

Are there any commercially available U2F keys that support both USB-C and NFC? So far I've looked at Yubico which seems to have a USB-C model that doesn't have NFC support or a USB-A model that does support NFC. I've also found the solokeys site…

3 votes, 0 answers

How much storage is on a Google Titan Key?

I've been messing around with my Google Titan Key and learned that each authentication challenge returns a counter for how many times the key has been accessed. The only way I can think that this works is that there's some storage on the device.…
Corey Ogburn

3 votes, 1 answer

What could MitM'ed U2F do?

Google has now released their "Titan" keys to the general store (albeit via a waitlist). When they first announced their product, Yubico, their chief competitor, decried the use of Bluetooth: Google’s offering includes a Bluetooth (BLE) capable…
Michael

3 votes, 0 answers

How do security properties of Trezor's FIDO U2F differ from Yubikey?

Aside from being a bitcoin wallet, the Trezor supports FIDO U2F and seems to offer some unique benefits over a Yubikey: The keys are always generated on the device and never rely on the manufacturer supplied secrets. (vs. yubikey issuing the key,…
Jonathan Cross

3 votes, 1 answer

U2F protocol - Counter value & device cloning

My question is about the U2F protocol and more precisely cloning detection. According to the doc: "If there is a possibility that a U2F token can be cloned, we also need some way to detect it. We can do this by having an operation counter. Every…
QBl

3 votes, 2 answers

Can the U2F standard be used by servers to impose a specific category of hardware?

I don't like that browsers, email clients, etc. come bundled with CAs and that there is no emphasis for a more decentralized authentication mechanism. Fortunately, it's not too bad, because at the least, whatever is our favorite platform, we can…
Dominic108

3 votes, 2 answers

generation of keys for U2F

When I buy a U2F device, say a Yubikey smart-card, does the vendor hardcode on it a private key that will be later used in a challenge-response mechanism by the user, or do they only put in there some kind of 'seed', which is later used to create a…
jj_p

2 votes, 3 answers

Vulnerabilities despite FIDO U2F?

FIDO U2F seems much more secure than one-time-passwords (OTP), especially TOTP, because of the challenge-response architecture. In what ways is a U2F user still vulnerable? I presume if a user's computer is compromised or the user loses their U2F…
Jeff

2 votes, 0 answers

Use platform TPM as U2F for web applications

The Problem: Use the platform TPM of my Windows Laptop/PC (no external device or USB token) as U2F in a web application to check if it is a known device. My intended solution: I need to store/create something (Certificate, Private/Public Key or…
MrMaavin

2 votes, 3 answers

Is a hardware based 2FA more resistant to phishing than SMS or TOTP?

As I understand, modern phishing is kind of like a man-in-the-middle attack. Let's say, for example that User u has an account in Domain d where he has an SMS based 2FA enabled. This is what the phishing mechanism is like: Attacker presents a login…

2 votes, 3 answers

Why would a U2F key be more secured than an OTP device?

I have a Yubikey 5, I can store a PGP key inside, it has OTP abilities, FIDO, NFC, etc... Which is great for a device like this. First of all, I understand how a smart card is more secured than an app/sms based OTP for instance, but seeing how the…
Max13

2 votes, 2 answers

use custom 'key' for hardware security token

Using a hardware security token as a second factor is generally considered quite a boost in security. But one of the issues I'm having is how to back up the (digital) keys used in the hardware device (especially in cases when just adding multiple…
n0542344