Yubikey 2fa

Two-factor authentication is generally seen as the golden solution to all security problems. At least that's what I heard. So when Github sold U2F YubiKey I bought one. This is now 1.5 years ago, obviously I tried to use it, but the U2F YubiKey didn't work. Later I even bought an YubiKey NEO which I played around a bit but I also failed to get it working. Maybe I was just to stupid maybe my browser was to old or something else.

YubiKeys

If you don't know what 2FA is here is the wikipedia definition:

Two-factor authentication (also known as 2FA) is a method of confirming a user's claimed identity by utilizing a combination of two different components. Two-factor authentication is a type of multi-factor authentication.

Or as I like to describe it something you can forget and something you can lose. And since all the cool kids still use 2FA I thought I could try that again. And it worked surprisingly well. So I tested it with Github and the Chrome Version 57.0.2987.133 (64-bit) on my Fedora desktop. The first step is to enable 2FA and add the Google Authenticator. Then you should print/backup your recovery key. Now we are almost done and we can name our Key by simply clicking on 'Register new device' and touching the YubiKey device. Which didn't worked since neither my user nor my group had access to the hidraw device which the YubiKey is. So to fix this I added a simple udev rule (you should change l33tname to a group your user is in):

sudo echo 'KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0664", GROUP="l33tname", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120"' > /etc/udev/rules.d/70-u2f.rules

With this everything worked flawless. So I thought it would be cool if that also works in Firefox (Firefox 52.0 (64-bit)). Firefox itself doesn't support U2F but there is a plug-in for it the: u2f-support-add-on.

Update: Firefox works with U2F by default (and the plugin seems to be gone):

The latest version of Firefox supports FIDO2 and U2F keys: FIDO2 has been supported since version 66.0.32.

U2F has been supported since version 57, but only enabled by default from version 68 onwards. source

And now U2F works also in Firefox.

service Phone number required U2F support
github no yes
twitter yes no
tumblr yes no
google yes yes

So of the services I tested only Github does what I want. I can connect the google authenticator as backup 2FA and can use my YubiKey as primary 2FA. Google is also not bad since you need the phone number only to enable 2FA. But Google doesn't allow you to use your YubiKey on Firefox which is annoying. On the other hand it was super simple to use my YubiKey on Android with NFC. Tumblr has a great blog post about U2F but it's not implemented which is sad.

In conclusion it's simple to use U2F and some services have a good support for 2FA, but there is still a long way to go.