So I ordered a FIDO U2F Security Key from a French company, ‘Plug-Up’, to have a little play. It is used in 2-factor authentication: when logging in to a service you first enter your username and password and, if they are correct, you are prompted for your second factor (a code sent by SMS, or the security key). Unpacking and setting up the key was very straightforward, although on Linux I had to add a udev rule (see below) for the device. Also, this is for Chrome (& Chromium) only, so Firefox won’t work.
I logged in to Gmail, visited the 2-factor security settings and clicked the ‘Security Keys’ tab. I clicked the ‘Register’ button and then inserted the security key into a USB port on the computer.
I can now keep the security key in my wallet, and when logging in to my Google account from a new computer I can use the security key as my second factor. I wanted to know what would happen on a mobile device where a USB port is not available, and it dropped back to using an SMS code (see below).
Will this security key replace a code sent by SMS? I don’t think it will for me when using Google services but there are some scenarios that might benefit from using a hardware key such as this.
Interestingly there are libraries for many languages to help developers use this form of 2-factor authentication for their own apps – including one for PHP.
UDev Rule
On Linux I had to add a udev rule as described on the supplier's website:
sudo gedit /etc/udev/rules.d/10-security-key.rules
I added the following:
# Plug-up security key (USB vendor 2581, product f1d0): make its device node
# read/write for one group. GROUP must be a group the logged-in user belongs to.
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0", MODE="0660", GROUP="jonny"
Then ran the following:
sudo udevadm trigger
Greetings Jonny,
While SMS codes are a good enough second factor for most authentication needs, I prefer FIDO U2F / FIDO UAF because of the following:
1) FIDO U2F / FIDO UAF is more than just second-factor authentication. It is also designed to effectively prevent phishing using public key cryptography. The FIDO device is actually a certificate mint.
2) Using SMS for authentication becomes problematic when one is travelling and using a local SIM in the phone. Then they cannot get the SMS codes.
Saqib
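Saqib's first point (and the login flow described at the top of the post) is easiest to see in code. What follows is an added example, not code from this post, its commenters or Plug-Up: a small Go model of the U2F registration and authentication exchange with all three parties (the key, the browser, and the web site), run through a genuine login, a replayed response, and a phishing relay in which an attacker forwards the real site's challenge and key handle to its own page. The origins, the "appID equals origin" rule, the key-handle scheme, and the exact-match client-data check are simplifications assumed for illustration; real tokens wrap a secret in the key handle and real verifiers parse the client data as JSON.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

const clientDataFmt = `{"typ":"navigator.id.getAssertion","challenge":"%s","origin":"%s"}` // as the browser builds it

// Authenticator models the key (not a driver): one P-256 key pair per registration, filed under (handle, appParam).
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // key handle + hex(appParam) -> private key
	counter uint32                       // monotonic signature counter
}

// Register mints a key pair for appParam and returns its handle and public key.
func (a *Authenticator) Register(appParam [32]byte) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	kh := hex.EncodeToString(priv.PublicKey.X.Bytes()[:16]) // assumed scheme: a public-key fingerprint; real keys wrap a secret here
	a.keys[kh+hex.EncodeToString(appParam[:])] = priv
	return kh, &priv.PublicKey, nil
}

// Authenticate signs only if the handle was minted for this appParam: a phishing origin cannot use the real key.
func (a *Authenticator) Authenticate(appParam [32]byte, kh string, challengeParam [32]byte) (uint32, []byte, error) {
	priv, ok := a.keys[kh+hex.EncodeToString(appParam[:])]
	if !ok {
		return 0, nil, errors.New("key handle was not registered for this appID")
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(appParam, a.counter, challengeParam))
	return a.counter, sig, err
}

// signedDigest = SHA-256(appParam || 0x01 (user present) || counter || challengeParam), the U2F response layout.
func signedDigest(appParam [32]byte, counter uint32, challengeParam [32]byte) []byte {
	buf := append(append([]byte{}, appParam[:]...), 0x01, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(buf[33:], counter)
	d := sha256.Sum256(append(buf, challengeParam[:]...))
	return d[:]
}

// BrowserSign is the browser's half: client data carries the page's real origin and appParam is derived from it.
func BrowserSign(auth *Authenticator, origin, kh, challenge string) (string, uint32, []byte, error) {
	cd := fmt.Sprintf(clientDataFmt, challenge, origin)
	ctr, sig, err := auth.Authenticate(sha256.Sum256([]byte(origin)), kh, sha256.Sum256([]byte(cd)))
	return cd, ctr, sig, err
}

// Server is the relying party, reduced to a single enrolled user.
type Server struct {
	appID   string
	pub     *ecdsa.PublicKey
	counter uint32 // highest counter accepted so far
}

// Verify rebuilds the expected client data (own origin, issued challenge), checks the signature and the counter.
func (s *Server) Verify(challenge, cd string, counter uint32, sig []byte) error {
	if cd != fmt.Sprintf(clientDataFmt, challenge, s.appID) {
		return errors.New("client data names another origin or challenge")
	}
	if !ecdsa.VerifyASN1(s.pub, signedDigest(sha256.Sum256([]byte(s.appID)), counter, sha256.Sum256([]byte(cd))), sig) {
		return errors.New("signature does not verify")
	}
	if counter <= s.counter {
		return errors.New("counter did not advance (replayed response or cloned key)")
	}
	s.counter = counter
	return nil
}

// Scenario: a genuine login, a replay of that response, and a phishing relay of a real challenge and key handle.
func Scenario() (genuine, replay, phished error, err error) {
	const realOrigin, phishOrigin = "https://accounts.example.com", "https://accounts-example.com.evil" // invented
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	kh, pub, err := auth.Register(sha256.Sum256([]byte(realOrigin)))
	if err != nil {
		return nil, nil, nil, err
	}
	srv := &Server{appID: realOrigin, pub: pub}
	cd, ctr, sig, err := BrowserSign(auth, realOrigin, kh, "challenge-1")
	if err != nil {
		return nil, nil, nil, err
	}
	genuine = srv.Verify("challenge-1", cd, ctr, sig)
	replay = srv.Verify("challenge-1", cd, ctr, sig)
	_, _, _, phished = BrowserSign(auth, phishOrigin, kh, "challenge-2")
	return genuine, replay, phished, nil
}
```

Call Scenario from a main or a test: the genuine login returns nil, the replay is refused because the counter did not move, and the phishing relay never even produces a signature, because the browser derives appParam from the origin it is actually on and the key finds nothing filed under that pair. Even if a phishing page somehow obtained a signature, the origin baked into the client data would fail the server's check, which is the public-key, origin-bound property Saqib is describing and which an SMS code cannot offer.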
Hello: Is it possible to use U2F in Chromium? As far as I know, U2F is only compatible if using Google Chrome. Thanks.
I have just tested on a fairly new install of Ubuntu and the security key worked when using Chromium to log in to my Gmail so this does not look to be Chrome-only.
Whilst I haven’t tested on Linux yet, I have extensively tested both hardware tokens and FIDO keys, and both have their advantages (especially over SMS-style authentication).
If I were to express a reservation it would be that USB-based devices do have the security drawback that a compromised key could either infect or destroy a system it connects to, but overall these are a very useful addition to the security arsenal and I am glad to see them being used in Linux environments.