Real World FIDO-U2F Use
FIDO-U2F is a newish standard that provides low-cost security devices as a second form of authentication. The normal flow works like this:
- user id
- password
- one-time token (OTP or U2F or OAuth)
This provides added assurance that a weak password alone won't lead to an account compromise. The U2F protocol makes the setup and daily use of a small USB device fairly simple.
U2F is also cross-platform, primarily because the device looks like a keyboard (a USB HID device) to the OS, so Linux, OS X and Windows are each supported.
That’s the theory. Everyone seems to forget a few minor details.
Below I spell out what I've learned setting up a YubiKey U2F device for use with a few online accounts. Google accounts, Dropbox and GitHub are the main ones, but because Google is an authenticator for many other online accounts, those are indirectly secured as well.
A YubiKey NEO with firmware v3.3.x is used throughout.
Devices
Yubico makes a few different 2FA devices. I own three of them: a $50 NEO with NFC and two of the $18/ea U2F-only devices. GitHub had a special deal on the U2F-only devices for $5/ea.
The NEO requires setup on the device using specialized Yubico software. It supports U2F plus OTP and CCID at the same time, and has multiple modes of use:
- simple long passphrase
- U2F
- OTP
- NFC
The NEO I have is not set up for U2F by default. Use the NEO Manager software to enable it.
I've set up NFC authentication to unlock a Nexus 4 smartphone. It doesn't always work the way I'd want, and the rules for when the passphrase and/or NFC are needed are not clear. The passphrase is still required once the device has locked, which sort of defeats the purpose in my mind. The passphrase alone still unlocks the phone. Not quite 2FA.
There are other FIDO-U2F-compliant devices made by other companies. Their use should be identical, so it really should be a price decision without any impact on the resulting security. That is the theory.
Browser Compatibility
Google Chrome is the only officially supported browser today.
The F/LOSS Chromium browser, on which Chrome is based, works with the Yubico device test login/authentication webpage. It was a nice little test to see this work. When it was time to press the gold contact to perform the authentication, the USB key flashed on and off, a clear signal that action was required. I used Chromium v45.x on Ubuntu 14.04 for this test. Both the NEO and the U2F-only devices flashed clearly.
Google and Github Require A Smartphone
That's correct. To even set up U2F using a USB token, both GitHub AND Google mandate that a phone number be connected to the account. GitHub mandates that it be a smartphone. I contacted GitHub about this policy and got a real-human response. Kudos to GitHub for that! Even if I didn't like the answer, they had the common courtesy to reply.
currently a security key is designed to be used as an extra 2FA device in addition to using your phone.
For Google, there isn't any way to add a security key without first connecting a phone number to the account. Either SMS or voice can be used. One of my Google accounts is for Google Voice, so it obviously has one real phone number connected, but not specifically for 2-factor authentication. I haven't set that up yet.
Linux udev Rules
To have either device recognized on my Ubuntu 14.04 server + GUI, I had to manually add a new udev rules file. Yubico lays out the file contents in their Linux setup instructions for the device. I won't provide a link here, since the contents of that file may change with new models. I found different versions of the udev file depending on whether systemd was on the system or not.
After adding the udev file and making some other changes I needed, both devices were recognized. No logout or reboot was necessary. The udev file location is:
/etc/udev/rules.d/80-u2f.rules
I changed the number to make tab-completion easier. No harm in doing it.
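Once the rules file is in place, the thing worth checking is that it actually grants a non-root user access to the hidraw node. The script below is an added example, not part of the original post or Yubico's instructions. It assumes Yubico's USB vendor ID is 1050 (hex) and that the rule grants access either through TAG+="uaccess" (systemd) or a MODE setting (non-systemd); the sample rule it writes is constructed for the check, not copied from Yubico.

```shell
#!/bin/sh
# Added example: sanity-check a U2F udev rules file and, when a YubiKey is
# plugged in, report whether the current user can open its hidraw node.
# Assumption: Yubico's USB vendor ID is 1050 (hex).

# Returns 0 if FILE holds a non-comment hidraw rule for vendor 1050 that
# grants user access via TAG+="uaccess" or an explicit MODE="0xxx".
u2f_rule_ok() {
    file="$1"
    [ -r "$file" ] || return 1
    grep -v '^[[:space:]]*#' "$file" |
    grep 'SUBSYSTEM=="hidraw"' |
    grep 'idVendor}=="1050"' |
    grep -Eq 'TAG\+="uaccess"|MODE="0[0-9]{3}"'
}

# Walks /sys/class/hidraw, picks nodes whose uevent HID_ID shows USB bus
# 0003 and vendor 1050, and prints "hidrawN ok" or "hidrawN denied".
u2f_device_access() {
    found=0
    for dev in /sys/class/hidraw/hidraw*; do
        [ -e "$dev" ] || continue
        # uevent line looks like HID_ID=0003:00001050:00000113 (bus:vendor:product)
        if grep -qi 'HID_ID=0003:00001050:' "$dev/device/uevent" 2>/dev/null; then
            found=1
            node="/dev/$(basename "$dev")"
            if [ -r "$node" ] && [ -w "$node" ]; then
                echo "$(basename "$dev") ok"
            else
                echo "$(basename "$dev") denied"
            fi
        fi
    done
    [ "$found" -eq 1 ] || echo "no YubiKey hidraw device present"
}

# Writes a constructed sample rule to PATH (modelled on the systemd style).
make_sample_rule() {
    cat > "$1" <<'EOF'
# constructed U2F rule for the check above
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", TAG+="uaccess"
EOF
}
```

Run `u2f_rule_ok /etc/udev/rules.d/80-u2f.rules && u2f_device_access` after plugging the key in; a "denied" line means the rule matched nothing and you are still relying on root.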
Ubuntu PPA
Install the Yubico PPA:
sudo apt-add-repository ppa:yubico/stable
sudo apt-get update
sudo apt-get install yubikey-neo-manager yubikey-personalization-gui
Run neoman:
- Plug in the YubiKey NEO
- Select all 3 options: OTP + U2F + CCID
- Click OK
Run yubikey-personalization-gui:
- Use slot 2 for the static password.
- Check the firmware version; I have v3.3.x. In v3.4.x some new features were added.
I went with a longish, randomly generated password with a huge alphabet. This may prove to be an issue, but the intent is to use it only as the second half of highly secure logins for encrypted items and physical system logins. It will never be used as the complete password for any of these things.
LUKS Whole Disk Encryption
With this in place, we may want to add a "something you have" factor to the disk decryption.
$ sudo cryptsetup -S 1 luksAddKey /dev/sda5
- -S 1 = fills slot 1 (of 8 available)
- /dev/sda5 = the physical partition that is encrypted
It prompts for the decryption key from any existing slot, then asks for the new decryption key to place into the slot specified. Again, don't just use the static YubiKey password: add something you know to the beginning.
Updates
As I learn more, I'll update here.
HowToGeek explains U2F.