The FIDO/Google blog post about it: https://fidoalliance.org/case-study-series-google-security-keys-work/

And the actual study: http://fc16.ifca.ai/preproceedings/25_Lang.pdf

(Which helps answer some of the arguments in the discussion thus far. In particular, on page 11, they list the systems they compare against: SMS OTP, Google phone-based OTP, and three hardware tokens, including the FIDO U2F. They compare in Figure 6 explicitly with SMS OTP and app-based OTP.)
The comparison is to "One Time Passwords (OTP)via SMS phone messages."

Given the vulnerabilities in GSM, that's not a high bar.
http://security.stackexchange.com/questions/11493/
Yeah, seems right, U2F keys are very sound security-wise. The biggest challenge I've found is the obvious: ease of use. It can be kinda clunky to need to pull out a key and plug it into a USB port in order to log in to GitHub, for example.

That said, this is mitigated pretty well usually with the "thumbnail USB" style key (like YubiKey has) where you pretty much keep it plugged in all day and click it when you need to access something. Security is still maintained as we're mostly concerned about remote attackers, though still a good idea to pull the key out at the end of the day or if leaving the laptop for a considerable amount of time.

Physical ease of use will definitely be the trick for mass adoption. I recall seeing wireless U2F keys at some point?
It would be nice if Google helped to fix the bug which causes Chromium to crash on *BSD when presented with a U2F auth req.
(https://bugs.chromium.org/p/chromium/issues/detail?id=451248)

Ever since adopting a security key, I've had to set my user-agent to Firefox (to prevent the U2F auth attempt) and fall back to Google Authenticator for 2FA.
One thing that struck me while reading this announcement is that if Apple had gotten on board with this idea the latest MacBook Pro may have had a better reception. Imagine hardware specifically built into your laptop to facilitate FIDO U2F security keys. Whether that's a device like those offered by YubiKey or an NFC reader, making U2F available and simple to use would be a great thing. Maybe it could even replace GPG/PGP for common uses.

Then again, maybe the recent Bluetooth 5 announcement will be enough to drive adoption. Or possibly the next iPhone / Pixel could act as a U2F device. Maybe then we could get "normal" people to use real security instead of asking them what street they grew up on or what their mother's maiden name is.
If someone could give the U2F OpenSSH patch some love, that would make my year.
https://bugzilla.mindrot.org/show_bug.cgi?id=2319
That's great, but when I try to use an NFC FIDO U2F key with my Google account, it says "Security Keys are not support on your device." The same key on the same device works just fine on GitHub (running Chrome for Android).
How can I use U2F for Windows sign-on? Windows 10 "Hello" stuff is apparently in the pipeline, but I need U2F domain authentication for Windows 7+.

Also curious if I can use a U2F for anything PGP-related, signing or encrypting regular stuff.

All this to save $20/piece!
Highly misleading headline (EDIT: Title has now been changed). From the article:

> including One Time Passwords (OTP)via SMS phone messages

That "SMS" bit is critical. OTP over SMS sucks. OTP using the same app that already manages my passwords (1Password) is a breeze. Sure, if I had a U2F Security Key already plugged in, then it would probably be even faster, but the downside is I need to have a physical key plugged in, and if I don't have that key with me then I'm screwed (whereas with 1Password I can get at my OTP codes from any of my devices).
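The thread's two claims, that U2F keys are "very sound security-wise" and that app-based OTP is merely more convenient than SMS OTP, hinge on one difference the comparison in the study turns on: an OTP code is the same no matter which site you type it into, while a U2F assertion signs the origin the browser saw. The following added example (not from the paper, the FIDO post, or any commenter) simulates both. The TOTP side is a real RFC 6238 implementation; on the U2F side, HMAC stands in for the ECDSA P-256 signature a real key produces, and the origins, secrets and challenge are constructed values.

```python
import hashlib, hmac, json, struct

# Constructed sample secrets and origins; a real key holds a per-site ECDSA private key.
TOTP_SECRET = b"constructed-totp-seed"
KEY_HANDLE_SECRET = b"constructed-u2f-per-site-key"  # stand-in for the ECDSA private key
REAL_ORIGIN = "https://accounts.example"
PHISH_ORIGIN = "https://accounts-example.test"

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def totp_relay_succeeds(t: int) -> bool:
    """A phishing page forwards the code it collected; the real site cannot tell."""
    code_typed_on_phish = totp(TOTP_SECRET, t)
    return hmac.compare_digest(code_typed_on_phish, totp(TOTP_SECRET, t))

def _u2f_signed_bytes(app_id: str, counter: int, client_data: str) -> bytes:
    # U2F signs sha256(appId) || user-presence byte || counter || sha256(clientData)
    return (hashlib.sha256(app_id.encode()).digest() + b"\x01" + struct.pack(">I", counter)
            + hashlib.sha256(client_data.encode()).digest())

def u2f_sign(browser_origin: str, challenge: str, app_id: str, counter: int) -> dict:
    """The browser, not the page, writes its own origin into clientData before the key signs."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": browser_origin})
    sig = hmac.new(KEY_HANDLE_SECRET, _u2f_signed_bytes(app_id, counter, client_data),
                   hashlib.sha256).hexdigest()
    return {"clientData": client_data, "counter": counter, "signature": sig}

def u2f_verify(assertion: dict, expected_challenge: str, app_id: str) -> bool:
    """Relying party checks origin and challenge inside clientData, then the signature."""
    cd = json.loads(assertion["clientData"])
    if cd.get("origin") != app_id or cd.get("challenge") != expected_challenge:
        return False
    expected = hmac.new(KEY_HANDLE_SECRET,
                        _u2f_signed_bytes(app_id, assertion["counter"], assertion["clientData"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])

def u2f_relay_succeeds(tamper_origin: bool) -> bool:
    """Phishing page relays the real site's challenge to the victim's key and forwards the result."""
    challenge = "constructed-server-nonce"
    a = u2f_sign(PHISH_ORIGIN, challenge, REAL_ORIGIN, 7)  # browser records the phishing origin
    if tamper_origin:  # rewriting the origin changes sha256(clientData), so the signature breaks
        a["clientData"] = a["clientData"].replace(PHISH_ORIGIN, REAL_ORIGIN)
    return u2f_verify(a, challenge, REAL_ORIGIN)
```

Real browsers additionally refuse a U2F request whose appId does not match the page's origin, so the relay is normally stopped even earlier than this simulation shows.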