Fun and Games with U2F Keys and Linux

I have a strong dislike of the Google Authenticator app for Two Factor Authentication. Wired and NIST (and by implication Schneier) recommend against SMS 2FA (I admit I didn't read these articles as I was already aware of the recommendation). So I recently ordered two U2F (Universal Second Factor - an open standard) keys from Amazon:

HyperSecu USB key and Yubikey

The Yubikey is far better known and kind of the de facto standard. They cost $24 at amazon.ca. As an experiment, I purchased a HyperSecu key as well: it was only $10, physically smaller (although thicker), and has a physical button that the comments suggest a lot of people prefer over the Yubikey capacitive touch "button" (which doesn't move at all and has no "feel"). It's not visible in the photo, but the HyperSecu does have a keychain hole: it's plastic and appears less sturdy than the Yubikey - time will tell. One annoyance: the cap for the HyperSecu you see pictured above can only go on one way. Flip it 180 degrees and it doesn't sit properly ... how stupid is that? Not that it really matters: if this goes on your keychain as it's meant to, you'll lose the thing in a week anyway since it's not physically connected.

The first big discovery of this adventure was the solution to a problem I'd been wondering about: what happens if you lose your U2F key? The answer is that when you register for 2-factor with GitHub, they give you a rack of eight or ten one-time codes to print and file. But don't mess it up: if you don't bother with those codes AND you lose your key, they won't unlock your account. You're done. What makes this particularly interesting is that our dear friends at Hover don't have recovery codes: they have a reset function to mail the controlling email account. GitHub's method is unquestionably more secure. With GitHub, it's necessary to turn on 2FA first with either the Google Authenticator or SMS. I used Authenticator. Then under your account -> Settings -> Security -> Two-factor authentication -> Edit, you can register a key. This turns out to be surprisingly easy: when asked, you insert and press the button. I was more surprised to find that I could then register the other key. Which means that when I log in, I can now use any one of three second factors after my password: Google Authenticator, or either of the U2F keys. This seems like further good insurance against ever having to fall back to those one-time security codes I printed out.

There are several current problems with U2F, mostly related to it being a new protocol. The most annoying is that it only works in Chrome and Safari (if you're on Linux that means "just Chrome"). U2F is in the pipeline for Edge and Firefox. Firefox can apparently use it with the addition of a plugin, but that seems like a step backwards for your security so I haven't tried it. Another problem is Ubuntu Xenial (16.04) doesn't recognize the HyperSecu key so I can't use it with GitHub (no problem with the Yubikey). On the other hand, it worked just fine under Fedora TwentyFour. Although in both cases the device goes unidentified by the lsusb command - it shows up, but there's no text following the ID number to identify the manufacturer or the device type. The Yubikey is identified correctly.

Now I get to find out how well the Yubikey fares attached to my keychain, and how annoying it is to have to pull it out to authenticate. I hope to report back in about a week - and likewise on other services I can get to use the key(s).