Real FIDO(2) Usage?

I just played a bit around with my two FIDO U2F Keys and I am a bit disappointed. While the NK works very well, I am running out of Use Cases. Most of my Websites (including this one) don’t support FIDO
U2F.

  • Google apps don’t support Safari on macOS ( even with the build plugin ) and could be used with the authenticator on the mobile phone.
  • This site is also using Googles Authenticator
  • Same with Microsoft Office 365 - they support MS Authenticator as App.
    So what is left ?
    I could use Firefox+FIDO to 2FA my google accounts. I am asking and wonder, if a development of a FIDO2 has really a market ?
    Maybe other could correct me and share their Use Case ?!

Hi
you can have a full overview of supported services on dongleauth.com.

The Google apps should support other browsers (German News page) soon.

Unfortunately, some sites only allow U2F after another second factor option was enabled. May this is the case in your examples.

Of course I checked the web-site dongleauth.com ( and you mentioned in a req. on git , that you don’t have enough time to make a filter to show only websites that supports U2F). But when you look at that list of sites, only very few are supporting U2F.

Yes, it works with Firefox - but not with macOS Standard Browser Safari. But there is no need for it as Google Authenticator works very well.

Using the mobile phone and an Authenticator is very easy, so there is no need to use a U2F hardware key ( and maybe specially on Mac’s where the Standard Browser doesn’t support U2F ) .

The only real use case for me ( at the moment ) would be a login to my mac ( which is not supported )
I reviewed the hardware design of FIDO2 which has a new security chip and NFC - nice. But what will be the real use case ?

Is there an easy way to use it on my server without a “monster” like privacyIDEA ? E.g. an webserver module ?

It depends on your server. :slight_smile: You could use it with Nextcloud for instance (without any additional server). In general you are right, that the potential of FIDO and WebAuthentication is much larger than the current state.

Ah, NextCloud I might use, when I re-install a server and use NextCloud in a Jail.

Yeah, there is more potential. I am just afraid that the better solution will die. It is a bit like WhatsApp: Everybody knows, that FB is using the data from that App, but it is so easy & cheap to use, that people don’t care. The same with Google Authenticator: I am not sure if Google is not tracking your contacts to the installed 2FA sites to improve your profile. So an independent NK FIDO prevents such a tracking as it is always a 1:1 relationship.

Anyhow, maybe somebody else has some arguments for FIDO(2) that could be shared …
(Door opener and login :smiley: )

Well, at least Mozilla is now default-enabling U2F in Firefox:
https://blog.mozilla.org/security/2019/04/04/shipping-fido-u2f-api-support-in-firefox

This removes the requirement to manually enable it (as outlined here: https://www.nitrokey.com/documentation/enabling-u2f-firefox ).

I use it for business GSuite Education 2FA on the go when I’m not at my desk to receive the 2FA phone calls since I delete the few allowed cookies from Google after tabs are closed or after closing firefox.
After a week of testing I was actually able to remove my desk phone from the GSuite account as the FIDO U2F works great.

Hi, thanks for commenting ! You use it now as an alternative to the Google authenticator ( or better instead) so do I . To my mind, it would be much better than an ID driven phone, especially if you use “fake accounts”. I just wonder that not more support this - but maybe I should not wonder as a lot of companies want your (identified) data :smiley:

Unfortunately, we need to wait some more month as this is not in the stable build yet, as far as I can see. But good news indeed.

Sudoing with the Nitrokey FIDO U2F anyone?

Privacy Handbook has an article which recently was updated how to install and configure 2FA on your local box using the PAM package:

Their toot ( https://mastodon.at/@infosechandbook/101970576765486969 ) had the following notes:

– besides YubiKeys, you can also use Nitrokeys, or SoloKeys
– there are many more scenarios for U2F/WebAuthn
– post your own scenarios to help others

We have mentioned PAM at USB Dongle Authentication as well, but without as nice tutorial, as this one. Thank you for linking!

Just a quick corrections to the FIDO U2F devices comparison article (we should send them a toot too):

  • Sometimes, U2F secrets are generated by the manufacturer of the security token, then stored on the device and can’t be replaced afterwards. In theory, manufacturers could copy your secret U2F key.

Nitrokey FIDO U2F allows to reset its secrets via a Python client application (‘factory-reset’).

  • The Windows 10 update of September 2018 rendered the Nitrokey App useless. Due to this, users can’t access stored passwords and TOTP codes. (Last update: 10/31/2018)

We have offered a free replacement / firmware update due to that issue (edit: limited to devices with old firmware for users unable to use them through Nitrokey App on Windows 10).

Have you tried pam_u2f with NK’s ? I was wondering as it requires some yubico libraries …

I have not tried it by myself, but as far as I got it from description, it should work with any U2F device.

OK, I will give that a try and tell you afterwards :slight_smile: I think it depends a bit from the HW Configuration that is used through the libraries libu2f-host and libu2f-server from Yubico. I assume they use a USB Vendor-ID etc to recognize their key. But I will test it …

Sure! Please do. It should work - our device is mentioned in libu2f-host: https://github.com/Yubico/libu2f-host/blob/master/u2f.conf.sample#L103.

1 Like

Cool ! Thanks for checking that !

I’ve been using it for more than a week. Works just fine once you configure pam to your liking.

1 Like

Thank you for your reply it helped me a lot too! But then I see that you and other posters mentioned that the key works ‘in browsers’. What does this mean? Does it mean that the browser itself will help with the FIDO U2F, even on sites that don’t have it, or are we still limited to the 10 or so odd sites listed on dongleinfo?

Usage of FIDO U2F device is not limited to the browser, but particularly it was designed for it.
Browser has to have integrated FIDO U2F support, particularly implementation of U2F protocol to communicate with the device, and support Javascript API for handling the FIDO U2F features dynamically on the web page.
Web page side, it has to store public key of the device, so it could verify the signature, thus requires additional effort from the given web service to support it.
Hopefully it will become widely used in the near future, as has became OTP for 2FA. Support for nearly all browsers is added, and all main services are pushed to work with FIDO U2F / FIDO2 standards.

1 Like

@szszszsz thanks for the reply! Makes sense, both the browser must support this new kind of send/receive and the website itself must be able to handle the stuff.

When you look in Germany on teh articles of a big computer magazin, it looks like FIDO get some support. There was a big debate about pro’s and con’s. and one major argument was a HW defect could lead into trouble. So I hope a FIDO2 NK could be (identical) copied to another FIDO2 NK for backup purpose ?