Real FIDO(2) Usage?


#1

I just played around a bit with my two FIDO U2F keys and I am a bit disappointed. While the NK works very well, I am running out of use cases. Most of my websites (including this one) don’t support FIDO U2F.

  • Google apps don’t support Safari on macOS (even with the build plugin) and could be used with the authenticator on the mobile phone.
  • This site is also using Google’s Authenticator
  • Same with Microsoft Office 365 - they support MS Authenticator as App.

So what is left?
I could use Firefox+FIDO to 2FA my Google accounts. I am asking and wonder whether the development of a FIDO2 really has a market?
Maybe others could correct me and share their use case?!

#2

Hi
you can have a full overview of supported services on dongleauth.info.

The Google apps should support other browsers (German News page) soon.

Unfortunately, some sites only allow U2F after another second factor option was enabled. Maybe this is the case in your examples.


#3

Of course I checked the website dongleauth.info (and you mentioned in a req. on git that you don’t have enough time to make a filter to show only websites that support U2F). But when you look at that list of sites, only very few are supporting U2F.

Yes, it works with Firefox - but not with macOS Standard Browser Safari. But there is no need for it as Google Authenticator works very well.

Using the mobile phone and an Authenticator is very easy, so there is no need to use a U2F hardware key (and maybe especially on Macs where the Standard Browser doesn’t support U2F).

The only real use case for me (at the moment) would be a login to my Mac (which is not supported).
I reviewed the hardware design of FIDO2 which has a new security chip and NFC - nice. But what will be the real use case?

Is there an easy way to use it on my server without a “monster” like privacyIDEA? E.g. a webserver module?


#4

It depends on your server. :) You could use it with Nextcloud for instance (without any additional server). In general you are right that the potential of FIDO and WebAuthentication is much larger than the current state.


#5

Ah, NextCloud I might use, when I re-install a server and use NextCloud in a Jail.

Yeah, there is more potential. I am just afraid that the better solution will die. It is a bit like WhatsApp: Everybody knows, that FB is using the data from that App, but it is so easy & cheap to use, that people don’t care. The same with Google Authenticator: I am not sure if Google is not tracking your contacts to the installed 2FA sites to improve your profile. So an independent NK FIDO prevents such a tracking as it is always a 1:1 relationship.

Anyhow, maybe somebody else has some arguments for FIDO(2) that could be shared …
(Door opener and login :) )


#6

Well, at least Mozilla is now default-enabling U2F in Firefox:
https://blog.mozilla.org/security/2019/04/04/shipping-fido-u2f-api-support-in-firefox

This removes the requirement to manually enable it (as outlined here: https://www.nitrokey.com/documentation/enabling-u2f-firefox ).

I use it for business GSuite Education 2FA on the go when I’m not at my desk to receive the 2FA phone calls since I delete the few allowed cookies from Google after tabs are closed or after closing Firefox.
After a week of testing I was actually able to remove my desk phone from the GSuite account as the FIDO U2F works great.


#7

Hi, thanks for commenting! You use it now as an alternative to the Google authenticator (or better instead), so do I. To my mind, it would be much better than an ID driven phone, especially if you use “fake accounts”. I just wonder that not more support this - but maybe I should not wonder as a lot of companies want your (identified) data :)