Yubico FIDO U2F Security Key

A security product review by Bobulous.

Passwords are (IMHO) still the strongest single mechanism for protecting access to a private system or resource. But determined phishing campaigns by online criminals mean that even good passwords can be snatched from you, sometimes without your realising it until a lot of damage has already been done. Two-factor authentication is one way to make it harder for sneak thieves, because once you enable two-factor authentication on an online account, both your password and possession of a separate token are required in order to get into that account.

photo: The Yubico FIDO U2F Security Key, a light blue plastic rectangle with an inset golden disc marked with a key symbol, and golden metallic contacts at the end which goes into a USB port.
The Yubico FIDO U2F Security Key fits nicely onto your key ring.

The Yubico FIDO U2F Security Key is a simple USB token which can be used as a "second factor" in two-factor authentication for certain online accounts, including GitHub, GitLab, Bitbucket, Facebook, Dropbox, Google Account, and Salesforce. Any site which supports the FIDO Alliance U2F protocol should accept the Yubico FIDO U2F Security Key as a token.

Using the FIDO U2F Security Key

In theory, using the FIDO U2F protocol is as simple as logging into your account, enabling two-factor authentication, inserting your Security Key into a spare USB port, and then registering it to your account. Next time you log in from an unfamiliar browser, machine, or location, the online account will ask you to insert your Security Key (after your password) to prove that it's really you. The Security Key features a little touch-sensitive circle on its side which acts as an activation button, so it responds to an authentication request only when you lightly touch this button.
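As an added illustration (not Yubico's code, and not code from the original review), the Go program below models the register, challenge, touch and verify exchange described above. It goes a little beyond the text by showing why this kind of second factor resists phishing: the token signs the origin the browser actually saw, so a signature obtained on a look-alike site does not verify at the real one. The appID, origin and challenge strings are constructed placeholders, and the touch button is a boolean.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Token models the Security Key: the private key never leaves it, and it
// signs only after the touch button is pressed (the touched flag below).
type Token struct{ priv *ecdsa.PrivateKey }

// NewToken creates the P-256 key pair a U2F token generates at registration.
func NewToken() *Token {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Token{priv: priv}
}

// Register hands the public key to the site, which is all the site stores.
func (t *Token) Register() *ecdsa.PublicKey { return &t.priv.PublicKey }

// signedData is the U2F-style message SHA-256(appID) || SHA-256(clientData),
// where clientData carries the challenge and the origin the browser saw.
func signedData(appID, origin, challenge string) []byte {
	app := sha256.Sum256([]byte(appID))
	cd := sha256.Sum256([]byte(`{"challenge":"` + challenge + `","origin":"` + origin + `"}`))
	return append(app[:], cd[:]...)
}

// Sign is the authentication step on the token: no touch, no signature.
func (t *Token) Sign(appID, origin, challenge string, touched bool) ([]byte, bool) {
	if !touched {
		return nil, false
	}
	h := sha256.Sum256(signedData(appID, origin, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, h[:])
	return sig, err == nil
}

// Verify is the site's check. A real server reads the origin from the client
// data it received and rejects a mismatch; rebuilding the data from the origin
// it expects has the same effect: a signature made on a look-alike site fails.
func Verify(pub *ecdsa.PublicKey, appID, expectedOrigin, challenge string, sig []byte) bool {
	h := sha256.Sum256(signedData(appID, expectedOrigin, challenge))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```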

Browser support

In practice, though, there are a few snags. Firstly, only certain web browsers currently support the FIDO U2F protocol. My preferred browser, Firefox, is still debating how and whether to add support for this protocol, so right now the Yubico Security Key is of no use to me at home. Those of you who use the latest version of the Chromium, Opera, or Chrome web browsers will find that FIDO U2F is already supported.

Mobile phone still required

Secondly, the online accounts which accept FIDO U2F tokens for two-factor authentication, such as Google Account, Dropbox, Facebook, and GitHub, seem to force you to register a mobile phone number or smartphone app to your account before you're allowed to register your Security Key. For example, Google Account allows you to register a mobile phone, then register a Yubico FIDO U2F Security Key, then remove your mobile phone from the account. But by then they've got your mobile number, and there's no chance that they'll ever delete that information from their records. Seeing as a FIDO U2F token works perfectly well on its own to provide a second step in two-factor authentication, I see no good explanation for the requirement to register a mobile phone first.

The site operators are likely to argue that your mobile phone is required as a backup in case your Security Key is lost or stolen, or stops working. But any decent website which supports FIDO U2F will also allow you to generate "recovery codes" (described below) as an emergency fallback. And given that you are likely to travel around with your mobile phone and Security Key together, possibly even in the same pocket, then the risk of both getting lost at the same time is too high to make the mobile phone a reliable fallback option. So the requirement to share your mobile number with these websites seems unreasonable.

Operating system support

Third snag: if you're using an older version of Linux then the operating system may not support your Yubico token by default. On my office machine (running Kubuntu 14.04 LTS) I had to ask the company sysadmin to investigate, and only after he had added custom udev rules (available from the Yubico support page "How can I set up my Linux system for use with U2F?") was it then possible to use the Security Key without receiving an error.

Windows 10 does support FIDO U2F, but I can find no mention of earlier versions of Windows, so check carefully if you're clinging to Windows 7.

But if you're using a supported browser, on a modern operating system, and don't mind giving away your mobile phone details to a site that does not really need them, then you should find the Yubico FIDO U2F Security Key easy to use.

Warning about two-factor authentication

Be aware that once you enable two-factor authentication on an account, you could find yourself in real trouble if you then lose the physical token (be it your Security Key, or your mobile phone) which you have registered as the second factor. For this reason, any good two-factor system will make it possible to generate "recovery codes" or "backup codes" which you should store safely (in encrypted storage, somewhere physically secure) so that you (and only you) can gain access to them if your standard second factor is lost or stolen (or simply develops a fault). Make sure you do not store these recovery codes on your mobile phone, otherwise you'll lose the lot if the phone goes missing. Be aware that Google Account does offer "backup codes" but does not generate them unless you ask it to.

Another, fairly unsubstantiated, warning is that Google have disabled my Google Account and I suspect that the reason is that I was experimenting with different two-factor authentication options, adding and removing the Yubico FIDO U2F Security Key (because I discovered it doesn't work in Firefox) and other second steps such as backup codes and Google Prompt. My best guess is that all of this changing of security settings caused an alert to be automatically generated which caused my account to be disabled. But I don't know because Google reportedly never confirm the exact reason for disabling a person's account. So be careful before you start playing with two-factor authentication in a Google Account, and make sure to download all of your Google Account data to your own hard drive before you start making changes.

Evaluating the Yubico FIDO U2F Security Key

This device is a compact and simple option for two-factor authentication, and it works well so long as your OS and web browser already support the FIDO U2F protocol. And enabling two-factor authentication will greatly reduce the risk of a phishing scam seizing control of an online account.

But the seeming insistence of big websites that you first give them your mobile phone details does greatly reduce the value of using another physical token. Once you've set up your mobile phone as a second factor, there's not actually any need to own or use a physical USB token as an additional factor. And those who object to giving up their mobile phone details don't seem to be given the option of simply using just a USB token instead.

So you might reach the same conclusion that I have, which is that until website operators allow two-factor authentication to be set up using just a USB token (plus support for recovery codes), there's little point in purchasing a Yubico FIDO U2F Security Key or any other such token.

Update

September 2017

The Register report that the SS7 protocol used by SMS is insecure and that this can be used to hack into online accounts which are verified by text message. This is another reason why online accounts should never force you to register a mobile phone number in order to set up two-factor authentication.