Fido U2F Two factor authentication - first look with Google and Yubikey

Discussion in 'privacy technology' started by deBoetie, Nov 3, 2014.

    For those interested in the Fido Alliance U2F two factor security standardisation, here are the notes I made on my first look using a Yubikey U2F key plus access to Google using it. This supplements these earlier threads:

    https://www.wilderssecurity.com/thre...authentication-key-released-by-yubico.369367/

    https://www.wilderssecurity.com/threads/duo-security-announces-u2f-authentication-support.369474/

    Background

    This is a first impressions look at U2F Yubikey and connecting to Google accounts. I'm not a U2F expert, but do use the Yubikeys for their OTP and HMAC-SHA1 support (with LastPass, Windows Login and Password Safe). I've only tested on W7x64, not on any Android devices.

    The Fido U2F key is used by supported browsers to offer 2FA to supporting sites.

    What it's (currently) good for

    As of now, it would be a reasonable choice of 2FA for those who are strongly dependent on Google accounts for their important data, and who use Chrome. It adds convenience over relying on code entry from SMS etc. Nominally, it also adds this capability to Android devices with NFC.

    In addition, for those getting Yubikeys for their existing 2FA, having U2F capability would be a sensible addition. I would use it for real if it also became available on a financial provider (e.g. Paypal who currently use VIP), and a social media site.

    Current Browser support

    Chrome 38+ only
    Requires an extension to be loaded - this is poor.
    Chrome 38 didn't always seem to work (varied on machine) - and maybe associated with popup blocking or other add-ons.
    Chrome 40 (Canary) did work without problems. I had to agree to a pop-up allowing access.

    The extension says it can:

    • Read and change all your data on the websites you visit
    • Access your input devices
    • Access your USB devices
    • Access the USB device from SGS Thomson Microelectronics
    • Communicate with cooperating websites

    Yubico u2f test

    Worked OK, but didn't give option of no-press authentication, at least for the U2F-only key.

    Google authentication

    Is an overlay on Google's existing phone/one-time-pad code authentication, and U2F comes first if you've enrolled a key. You can choose the other methods if you don't have your key (I guess this is their way of recovery). It is also possible to enable application support (e.g. Outlook) with a generated password because applications don't do U2F 2FA.

    You can apparently enrol/register more than one key. A key can be registered in more than one account.

    The good things

    The U2F keys are cheap, battery-less and robust, only need a temporary USB port - so it could become "universal".
    There is at least one alternative (and cheaper) U2F key supplier to Yubico - I have no knowledge of them apart from the FIDO claim and the price - but the keys could become cheap and mass-produced.
    The dedicated YK U2F keys are plug-and-go, no configuration required
    Apparently, it does work with Android devices supporting NFC with the YK Neo with U2F support.
    U2F is standardised and cross-industry supported.
    U2F is potentially quite good at privacy and security, it's doing some of the right things.
    From a privacy point of view, the relationship is with the site only, a certificate is generated per domain. The site does not know where else you are logging in.
    From a security point of view, there is protection against phishing, phoney domains and MITM; and operator presence with the key can be required. Strong public key cryptography is used.
    For Google authentication:
    Google does allow you to register more than one key per account (allowing backup keys)
    Google do offer the ability to register alternative account passwords for applications such as Outlook (which knows nothing of 2FA)
    There are rich alternatives available in case your U2F device is missing/broken
    U2F offers one of the best current opportunities for a sensible move away from weak authentication - if the industry doesn't take this, I don't think there will be an acceptable answer, only fragmentation and pain.

    The bad things

    Browser U2F functionality is currently ONLY Chrome 38+, isn't integrated (it's an extension, yech), and doesn't always work (especially in 38 for me, not sure why). I have not tested portable Chrome.
    Although there is a work item for FF support, there isn't more info I can find. Nor are there any commitments from MS to put the support into IE (although MS are a Fido member).
    The YK NFC support does not work with Apple iPhones because Apple has not opened up the NFC stack, plus they would need browser support for U2F. Apple seem intent on biometric authentication, at least for iPhone and associated services including payment.
    The YK NEO devices require configuration with the personalisation tool to work, the U2F is not available by default. In addition, the current personalisation tool doesn't allow concurrent OTP, certificate and U2F services to run simultaneously without some manual tweaking - the next release of the personalisation tool is supposed to fix this.
    There are very few supporting sites - currently Google authentication is the only major one. LastPass supports OTP at this point using YK.
    Although application development support could be added, there are few samples, SDKs or libraries for that.
    So - pretty much the equivalent of a Beta right now, just right for Wilders!
    While Google's alternative authentication functions are pretty rich, they are a privacy problem, because you have to hand over your mobile phone number in order to register your U2F devices; even if they claim the phone number's only used for that purpose, I personally find that destroys a lot of the privacy benefits of U2F.
    Google's alternatives are always available - if someone has your phone and password/pin, they can get in, key or no key. Therefore, there may be a weakest link thing here. The same is true for application support if you enable that - if the strong application password (e.g. for Outlook) is compromised, an attacker can pick up your email if exposed that way, without needing a key. Also, if you mark the computer as trusted, you are in, and it does not require key presence - by contrast, with LastPass you can trust a computer account, but it still checks the key, which is much better.
    Currently, authentication requires operator presence via key press (which is good in some ways and no big deal), though it is supposed to be possible to make the server accept automatic authentication in case of key presence.
    Adding U2F support to your website is not straightforward, particularly if you want alternative keys and recovery.
    You DO have to trust the U2F key provider, and the (hopefully limited) certificate chain derived from each vendor. I do not know the revocation mechanism that would be used by FIDO, nor their ability to detect rogue certificates. I haven't evaluated the whole U2F security and threat model.
    In addition, the principles of BadUSB might be applied to rogue U2F keys, because they naturally operate as HID. There could "easily" be hidden code in such things to emit arbitrary keystrokes aka BadUSB to the host OS. Or, because they have privileged access (apparently) to the page content, they could do nasty things there? And this is a particularly attractive target because those actually using U2F are definitely likely to have sensitive data.
    YK make their U2F keys in the US (at least some of them) - home of NSA interception and modification (noting that the same problem may be true elsewhere)
    U2F has only had limited operational exposure and validation. Although Paypal, Mastercard and MS are Fido members, there are no current announcements about their site support. Fido standards do support biometric devices, including the forthcoming UAF standard.
    This form of 2FA is inherently "in-band", which is both good and bad in comparison with out-of-band approaches.
    We cannot say whether U2F will escape the limited adoption and 2FA babel trap that so many other standards have fallen prey to.
     
    Last edited: Nov 3, 2014
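
The origin binding, key-press (user presence) flag and counter that the post credits for U2F's protection against phishing, phoney domains and MITM, as an added example that is not part of the original post and is not Google's or Yubico's code. It follows the FIDO U2F raw message layout; the relying party, lookalike origin, challenge and the in-process "token" key are constructed for illustration.

```javascript
// Added example: one U2F authentication simulated end to end (constructed data).
const crypto = require('crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

const APP_ID = 'https://accounts.example.com';          // hypothetical relying party
const LOOKALIKE = 'https://accounts.example.com.login.test'; // hypothetical phoney domain
// Stand-in for the token: one P-256 key pair registered for APP_ID.
const tokenKey = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });

// Browser: it, not the page, records the origin it is really talking to.
function makeClientData(origin, challenge) {
  return JSON.stringify({ typ: 'navigator.id.getAssertion', challenge, origin });
}

// Token: signs appParam(32) || presence(1) || counter(4) || challengeParam(32).
function tokenSign(appId, clientData, counter, userPresent) {
  const head = Buffer.alloc(5);
  head.writeUInt8(userPresent ? 1 : 0, 0);
  head.writeUInt32BE(counter, 1);
  const signedData = Buffer.concat([sha256(appId), head, sha256(clientData)]);
  return Buffer.concat([head, crypto.sign('sha256', signedData, tokenKey.privateKey)]);
}

// Server: returns 'ok' only when every check passes, else the first failure.
function verifyAuthentication(response, clientData, expected) {
  const cd = JSON.parse(clientData);
  if (cd.typ !== 'navigator.id.getAssertion') return 'bad-type';
  if (cd.challenge !== expected.challenge) return 'bad-challenge';
  if (cd.origin !== expected.origin) return 'origin-mismatch';
  if ((response.readUInt8(0) & 1) === 0) return 'no-user-presence';
  if (response.readUInt32BE(1) <= expected.lastCounter) return 'counter-replay';
  const signedData = Buffer.concat(
    [sha256(expected.appId), response.subarray(0, 5), sha256(clientData)]);
  const ok = crypto.verify('sha256', signedData, expected.publicKey, response.subarray(5));
  return ok ? 'ok' : 'bad-signature';
}

const expected = { appId: APP_ID, origin: APP_ID, challenge: 'c29tZS1ub25jZQ',
                   lastCounter: 41, publicKey: tokenKey.publicKey };
// signedOrigin: what the browser really saw; presentedOrigin: what the server is shown.
function login(signedOrigin, presentedOrigin, counter, present) {
  const signedCd = makeClientData(signedOrigin, expected.challenge);
  const presentedCd = makeClientData(presentedOrigin, expected.challenge);
  return verifyAuthentication(tokenSign(APP_ID, signedCd, counter, present), presentedCd, expected);
}
console.log(login(APP_ID, APP_ID, 42, true), login(LOOKALIKE, LOOKALIKE, 42, true));
```

A relayed response fails either way: with the browser's real client data the origin check rejects it, and with rewritten client data the signature no longer matches.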