科技回声

A tech news platform built on Next.js, providing global tech news and discussion.
Beyond Passwords: 2FA, U2F and Google Advanced Protection

276 points, by nikbackm, over 6 years ago

24 comments

jillesvangurp, over 6 years ago
We implemented 2FA on our logins in the past year. I'm also looking at implementing U2F. We'll probably add this once there is enough of a user base.

IMHO the UX for all this stuff is very confusing to non-technical users. People lose their phones, don't print out the codes, or simply don't understand how this works and do silly things like trying to use codes from the wrong account.

Since introducing 2FA, requests from people to reset their 2FA are a very regular thing for our support people. Especially when it concerns paying users, saying no is not really an option. So, resets are a common thing. I've since educated our people to at least not do this blindly, but obviously social engineering is a big problem with all this stuff. If this happens to us, you can bet it is an extremely regular thing for basically everything that has 2FA.

But my biggest worry with this stuff on my own accounts is somebody talking support into resetting 2FA on my accounts. I can do everything right and still get compromised because some underpaid support contractor falls for some social engineering hack.
theli0nheart, over 6 years ago
I went through the Google Advanced Protection setup a few weeks ago. My only advice is that if you use Android, download the Smart Lock app before enabling Advanced Protection. If you don't, you'll get signed out of your Google account on your phone without a way to log back in (the Play Store won't work without a linked Google account).

If you make this mistake, you need to then disable Advanced Protection, re-login to your phone, then download the Smart Lock app, and THEN re-enable Advanced Protection to get things working. Otherwise you'll be locked out of your phone.
_pdp_, over 6 years ago
Clearly an improvement but let's face it: once you lose/break the keys you will have to go through an extensive verification process (up to 3 days according to Google) and there is no guarantee you will pass that stage either. Let's be mindful that more security is at the expense of less accessibility, and in some places this is simply not going to cut it.
IloveHN84, over 6 years ago
Too bad someone has to use only Chrome for U2F access. I wish Firefox was able to handle it the same way Chrome does. Not even Chromium can work with it, at least not on Linux.
wst_, over 6 years ago
Can someone confirm, what is the actual market coverage of U2F/Yubikey? I have been reading about it for some time now and it looks to me that only a few web pages and/or applications are actually supporting it. If that's only to get secure access to Google or GitHub then it seems an overkill to me. Am I missing something?
daniel-s, over 6 years ago
Why is SQRL [1] not more popular?

[1] https://www.grc.com/sqrl/sqrl.htm
Tepix, over 6 years ago
FIDO U2F has a great anti-phishing mechanism by incorporating the hostname.

However:

It's too difficult to set up FIDO U2F for your own webserver. There is still no Apache module or nginx plugin that allows you to protect a directory of your document root.

Also U2F is not available for phpBB. There is a plugin that appears to be unfinished and buggy since 2015.
superzamp, over 6 years ago
> The value proposition of a U2F device like the YubiKey is that not only must you have it present, it's not subject to the TOTP being disclosed like with tokens that require the user to enter a password into a third-party service which could still be a phishing page

Could someone shed some light on this? What is it that prevents a phishing page from basically proxying the crypto challenge from the website to your key and presenting your answer back?
xaduha, over 6 years ago
I wish that SmartCards were used more for this purpose: https://github.com/OpenSC/OpenSC/wiki

There's an applet you can load into your own JavaCard presumably: https://github.com/LedgerHQ/ledger-u2f-javacard
gomox, over 6 years ago
For some reason Google Smart Lock doesn't allow you to use a U2F Yubikey as a backup to the phone-based prompt. Seems totally absurd as a Yubikey is the perfect backup to a lost phone.

Also did I mention that if you use 2FA, Google's "find my phone" functionality asks you to use your phone to authorize the login before you can find it?

Yes. You heard that right. Use your phone to find your phone. Don't ask me how I know.
stock_toaster, over 6 years ago
Really hope Apple adds U2F (native/Safari) support at some point in the nearish future.
arkh, over 6 years ago
I'd like to see another article showing the steps to go through if you lose your keys.
technion, over 6 years ago
It continues to be an annoyance that we have this great technology in the form of U2F, but Office365/Azure (where troyhunt.com's MX records currently point, by the way) doesn't support it. In fact their UX still strongly pushes you towards SMS if you don't know where to look.
megous, over 6 years ago
$20 for one in a bundle? Why is it so expensive? I get a 4-core 1.3GHz 1GB RAM SBC I can run a desktop and all the crypto in the world on, incl. shipping from China, for less than the price of a single U2F knob.

I'd pay $2-3 max per piece. Especially since you need more than a few in order not to cause yourself more trouble than this is worth (to someone who already uses random unique passwords and emails for services).
borplk, over 6 years ago
Does anyone know if Google allows registering more than 2 keys?

Like, what if I want to register 3 or 4 keys for Advanced Protection?
zeveb, over 6 years ago
> Now, hopefully the problem here is already self-evident but let's just be crystal clear anyway: adding a second step to authentication should not be seen as an excuse to weaken the first step. I'm hesitant to call this guy's approach 2FA (if it's true MFA at all), it's more like 1.5FA or something thereabouts. The point is, use the approaches above as additional security controls, not as an excuse to weaken existing ones!

Well, right now I use passwords of the form j6lqPKQKQ1RHv87PES4iy5; it'd be nice if using U2F meant that I could securely switch to something like 'correct horse battery staple' instead …
xkgt, over 6 years ago
Amidst all the potential ways in which even 2FA can be compromised, I am surprised no one is mentioning the biggest benefit of using 2FA: the ephemeral nature of the 2nd password. Not only does it protect against misuse of stolen credentials, but it also allows centrally disabling the 2nd password should any leak occur. Is this one of the stated goals of 2FA design?

In my view, this makes 2FA an essential security feature, not just a nice improvement over 1FA.
stcredzero, over 6 years ago
Here's what I'd like to see in a 2FA "something you have" device: You could just leave it in your pocket, and you wouldn't have to interact with it. It would also unlock your computer when you sit down at your desk and lock it when you leave.
whitepoplar, over 6 years ago
Does anyone know if Smart Lock for iOS works with the new Yubikey 5 NFC, or is it still necessary to use the Feitian Bluetooth device?
thefounder, over 6 years ago
This is complicated (even for developers) and requires additional devices. People hate extra devices. Verdict: fail!
czbond, over 6 years ago
Has anyone seen external reported audits of code & hardware for keys like Yubikey, Google Titan?
limpkin, over 6 years ago
I wonder if he'll do an article on WebAuthn... that seems fairly promising as well!
timvdalen, over 6 years ago
Am I correct in seeing that U2F can't be enabled for G Suite accounts yet? I can't find the setting in the Admin panel.
mkagenius, over 6 years ago
> Password and SMS

I see no mention of SS7 attacks, is that a solved problem?