Fido U2F Security Key

So I ordered a FIDO U2F Security Key from a French company ‘Plug-Up’ to have a little play. It is used in 2-factor authentication so when logging in to a service you first enter your username and password and if correct you are prompted for your second factor (a code sent by SMS or a security key). Unpacking and setting up the key was very straightforward although on Linux I had to add a udev rule (see below) for the device. Also this is for Chrome (& Chromium) only so Firefox won’t work.

I logged in to Gmail and visited the 2-factor security settings and clicked the tab for ‘Security Keys’. Clicked the ‘Register’ button and then inserted the security key into a USB port on the computer.

I can now keep the security key in my wallet and when logging in to my Google account from a new computer I can use the security key as my second factor. I wanted to know what would happen on a mobile device when a USB port is not available and it dropped back to using an SMS code (see below):

[Screenshot: Android 2-factor auth prompt from Google]

Will this security key replace a code sent by SMS? I don’t think it will for me when using Google services but there are some scenarios that might benefit from using a hardware key such as this.

Interestingly there are libraries for many languages to help developers use this form of 2-factor authentication for their own apps – including one for PHP.

UDev Rule

On Linux I had to add a udev rule as described on the supplier's website:

    sudo gedit /etc/udev/rules.d/10-security-key.rules

I added the following:

    SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0", MODE="0660", GROUP="jonny"

Then ran the following:

    sudo udevadm trigger
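
A rule like the one above decides which local accounts can talk to the key, so it is worth checking what a rule actually grants before installing it. The script below is an added example, not from this post or the supplier: it audits rule lines that match the key's vendor and product IDs. The function names and verdict strings are made up for illustration, every sample line except the first is constructed, and the `uaccess` check assumes a systemd-based distribution.

```bash
#!/usr/bin/env bash
# Added example: audit udev rule lines for the key in the post
# (idVendor 2581, idProduct f1d0). Verdict strings are made up for this sketch.

# Print the value assigned to or matched by KEY in a rule line.
rule_field() {  # usage: rule_field KEY LINE
  printf '%s\n' "$2" | sed -n "s/.*${1}[+!:=]*\"\([^\"]*\)\".*/\1/p"
}

# Print a verdict for one rule line; return non-zero when the rule is a problem.
audit_u2f_rule() {  # usage: audit_u2f_rule LINE
  vendor=$(rule_field 'ATTRS{idVendor}' "$1")
  product=$(rule_field 'ATTRS{idProduct}' "$1")
  if [ "$vendor" != "2581" ] || [ "$product" != "f1d0" ]; then
    printf 'not-this-key\n'; return 0
  fi
  mode=$(rule_field 'MODE' "$1")
  group=$(rule_field 'GROUP' "$1")
  tag=$(rule_field 'TAG' "$1")
  # The last octal digit is the "other" permission: non-zero means every
  # local account can talk to the key.
  case "$mode" in
    *[1-7]) printf 'world-accessible\n'; return 1 ;;
  esac
  # TAG+="uaccess" lets systemd-logind grant access to the active seat user
  # (assumes a systemd-based distribution).
  if [ "$tag" = "uaccess" ]; then printf 'ok-seat-user\n'; return 0; fi
  if [ -n "$mode" ] && [ -n "$group" ]; then
    printf 'ok-group:%s\n' "$group"; return 0
  fi
  # Matches the key but sets no usable MODE/GROUP or uaccess tag.
  printf 'no-access-granted\n'; return 1
}

# First line is the rule from the post; the rest are constructed samples.
while IFS= read -r rule; do
  printf '%-18s %s\n' "$(audit_u2f_rule "$rule")" "$rule"
done <<'EOF'
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0", MODE="0660", GROUP="jonny"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0", MODE="0666"
KERNEL=="hidraw*", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0", TAG+="uaccess"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="0000", ATTRS{idProduct}=="0000", MODE="0660", GROUP="jonny"
EOF
```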

4 Responses to “Fido U2F Security Key”

  1. Saqib Ali

    Greetings Jonny,

    While SMS codes are a good enough second factor for most authentication needs, I prefer FIDO U2F / FIDO UAF because of the following:
    1) FIDO U2F / FIDO UAF is more than just a second factor authentication. It is also designed to effectively prevent phishing using public key cryptography. The FIDO device is actually a certificate mint.
    2) Using SMS for authentication becomes problematic when one is travelling and using a local SIM on the phone. Then they can not get the SMS codes.

    Saqib

  2. Lucas

    Hello: Is it possible to use U2F in Chromium? As far as I know, U2F is only compatible if using Google Chrome. Thanks.

    • jonny

      I have just tested on a fairly new install of Ubuntu and the security key worked when using Chromium to log in to my Gmail so this does not look to be Chrome-only.

  3. Jeff Brixhamite

    Whilst I haven’t tested on Linux yet I have extensively tested both hardware tokens and FIDO keys and both have their advantages (especially over SMS style authentication).

    If I were to express a reservation it would be that USB-based devices do have the security drawback that a compromised key could either infect or destroy a system that it connects to, but overall these are a very useful addition to the security arsenal and I am glad to see them being used in Linux environments.
