
Why Johnny Doesn’t Use Two Factor – A Study of the FIDO U2F Security Key [pdf] - eaguyhn
https://fc18.ifca.ai/preproceedings/111.pdf
======
Tomte
Why I’m using my three or four U2F keys rarely: almost nobody supports them.

Yeah, Google, GitHub, Facebook.

But my bank doesn’t. My insurance companies don’t. My broker doesn’t. It’s all
very sad.

~~~
dijit
Recently I tried adding U2F support to my chat bot. It was so complicated and
I couldn’t find comprehensive documentation for it so I gave up.

Admittedly, the chat bot is a hobby project so I was only looking for a couple
of weeks in my spare time, maybe I “looked wrong” but everything I found was
focusing on clients and rarely on servers.

~~~
tialaramex
The MDN docs look adequate to me.

You do need to go into this either understanding what's actually going on or
open to just being told what to do rather than trying to plug it into a model
you have from, say, using password authentication.

Your code (typically JavaScript) running on the client is going to feed input
from your server (getting it to the client is your problem, inline it in the
HTML, read it from a WebSocket, whatever) into this API and get back a result.
The result needs to go to server - again how you do this is up to you. The
server verifies stuff, I guess that could be handled in a library or
something, and then you've authenticated the user, done, set a session cookie
or whatever.

------
jiveturkey
Title (original from TFA) is very misleading. The study is too late in the
process of setting up 2FA. No one in the study was motivated to set up 2FA in
the first place. This is "merely" a UX study that benefits Yubico. It doesn't
address (at all) why people do or do not want 2FA in the first place.

To use my own insight: regular joe does not want to buy an expensive product
and install some hardware. (the "cheap" $20 ones are literally worse than
useless. but even $20 is too much.) 2FA's future is in touchID (integrated
into touch bar on mac) and push to a phone app. The latency of push to a phone
app is more acceptable than the confusion and vagary around adding an
expensive usb key that you don't understand and then doesn't work on your
mobile anyway.

~~~
mvanbaak
"then doesn't work on your mobile anyway." The yubikey neo works perfectly on
your mobile, as long as it has NFC support.

~~~
javagram
U2F through the yubikey doesn’t work on iOS devices because iOS NFC is only
1-way outside of Apple Pay.

~~~
jacquesm
I hate private APIs. There ought to be a law that vendors can only use public
APIs.

------
Adutude
This article is good as far as UX goes. Myself, I love my Yubikey. I use it to
store my ssh keys, then tunnel them using ssh-agent/gpg-agent, something along
the lines of this article
[https://www.bootc.net/archives/2013/06/09/my-perfect-gnupg-ssh-agent-setup/](https://www.bootc.net/archives/2013/06/09/my-perfect-gnupg-ssh-agent-setup/)
and this article
[https://wiki.gnupg.org/AgentForwarding](https://wiki.gnupg.org/AgentForwarding).
It's set up so that you have to have the key to get into the bastion host
first, then you have to tunnel your key through the bastion to get to the
other side. If you remove the key it breaks your connection. A good way to ssh
w/out having your private keys sitting on a disk.

------
Hnrobert42
A usability study presented in a pdf that is quite difficult to read on mobile.
Funny.

------
throwawaymanbot
Johnny does not want to use a physical FIDO U2F security key, because he
regularly loses his phone and regular keys, and does not like to think about
losing his entire digital life because he mislaid this FIDO U2F key.

