
GitHub supports Universal 2nd Factor authentication - mastahyeti
https://github.com/blog/2071-github-supports-universal-2nd-factor-authentication
======
moreati
A few U2F details worth mentioning

Browser support is currently limited to Chrome, and possibly Windows Edge*

For now it only works with USB. Bluetooth and NFC specs are out; browser
support is the bottleneck.

The protocol is public/private key based, with the private key strongly
encouraged to be in tamper resistant/evident storage.

The protocol is authentication method agnostic. It doesn't care if you use a
USB key, a retinal scan, a pin or divination.

You could write a software only authenticator if you wanted, but servers could
detect that (and reject it if they chose to) through the attestation
certificate you provided. You can't pretend to be a brand X authenticator,
because only company X will have the private key(s) matching the attestation
certs used to sign (batches of) model X authenticators.

Yubikeys are just one implementation of a U2F authenticator. In theory GitHub
now works with any present/future authenticator that talks U2F (modulo
browser support), e.g. an iPhone+TouchID+NokNok SDK, a Pebble watch+app, an
Android phone+$your_app, an NFC implant, m-of-n wearables.

* Microsoft announced something U2F related for Windows 10, I never got to the bottom of what exactly

For more detail I did a talk at EuroPython this year
[https://moreati.github.io/passwordspain/#/](https://moreati.github.io/passwordspain/#/)
[https://www.youtube.com/watch?v=YSTsgldazSU](https://www.youtube.com/watch?v=YSTsgldazSU)
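
A toy model of the registration step described in this comment, added here as an illustration; it is not code from the thread or from any real U2F implementation. It uses Go's standard-library ECDSA. The vendor "X" and its batch key, the relying party pinning that vendor's public key directly (standing in for the real X.509 attestation certificate chain), the per-device `keys` map and the sha256(appID || challenge || publicKey) signing input are all simplifying assumptions of this example, not the U2F wire format. It shows why a software authenticator can still register but cannot pass itself off as a brand X device: it has no batch private key to sign with.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// mustKey generates a P-256 key pair (error handling elided for brevity).
func mustKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// Vendor is a hypothetical manufacturer holding one batch attestation key. Real
// U2F ships the public half in an X.509 attestation certificate; this model
// skips the certificate and lets the relying party pin the public key directly.
type Vendor struct{ batchKey *ecdsa.PrivateKey }

func NewVendor() *Vendor { return &Vendor{batchKey: mustKey()} }

// Authenticator is one U2F token. A nil vendor models a software-only
// authenticator, which can only attest with a key it generated itself.
type Authenticator struct {
	vendor     *Vendor
	selfAttest *ecdsa.PrivateKey
	keys       map[string]*ecdsa.PrivateKey // one key pair per relying party
}

func NewAuthenticator(v *Vendor) *Authenticator {
	a := &Authenticator{vendor: v, keys: map[string]*ecdsa.PrivateKey{}}
	if v == nil {
		a.selfAttest = mustKey()
	}
	return a
}

// Registration is the response the relying party receives.
type Registration struct {
	UserPub   []byte           // DER-encoded per-site public key
	AttestPub *ecdsa.PublicKey // taken from the attestation certificate
	AttestSig []byte           // ASN.1 ECDSA signature over the registration data
}

// registrationDigest ties the new public key to this app ID and challenge
// (the real U2F byte layout differs; the binding is what matters here).
func registrationDigest(appID string, challenge, userPub []byte) []byte {
	h := sha256.New()
	h.Write([]byte(appID))
	h.Write(challenge)
	h.Write(userPub)
	return h.Sum(nil)
}

// Register mints a fresh key pair for appID and attests to its public key.
func (a *Authenticator) Register(appID string, challenge []byte) (*Registration, error) {
	k := mustKey()
	a.keys[appID] = k // the private key never leaves the device
	userPub, err := x509.MarshalPKIXPublicKey(&k.PublicKey)
	if err != nil {
		return nil, err
	}
	attestKey := a.selfAttest
	if a.vendor != nil {
		attestKey = a.vendor.batchKey
	}
	sig, err := ecdsa.SignASN1(rand.Reader, attestKey, registrationDigest(appID, challenge, userPub))
	if err != nil {
		return nil, err
	}
	return &Registration{UserPub: userPub, AttestPub: &attestKey.PublicKey, AttestSig: sig}, nil
}

// VerifyRegistration is the relying party's check: is the attestation
// signature valid, and does it come from a vendor key the server trusts?
func VerifyRegistration(appID string, challenge []byte, reg *Registration, trusted []*ecdsa.PublicKey) (knownVendor bool, err error) {
	if !ecdsa.VerifyASN1(reg.AttestPub, registrationDigest(appID, challenge, reg.UserPub), reg.AttestSig) {
		return false, errors.New("attestation signature does not cover this registration")
	}
	for _, t := range trusted {
		if t.Equal(reg.AttestPub) {
			return true, nil
		}
	}
	return false, nil // self-attested: valid, but the server may choose to reject it
}

func main() {
	vendorX := NewVendor()
	trusted := []*ecdsa.PublicKey{&vendorX.batchKey.PublicKey}
	challenge := []byte("constructed-challenge-0001") // server-chosen nonce
	for label, dev := range map[string]*Authenticator{"vendor X token": NewAuthenticator(vendorX), "software authenticator": NewAuthenticator(nil)} {
		reg, _ := dev.Register("https://github.com", challenge)
		known, err := VerifyRegistration("https://github.com", challenge, reg, trusted)
		fmt.Printf("%-22s attestation valid=%v, trusted vendor=%v\n", label, err == nil, known)
	}
}
```

Both devices produce a registration whose attestation signature verifies, but only the vendor X token's attestation key matches the pinned one, so the server can tell the two apart and apply whatever policy it likes to self-attested registrations. Tampering with the challenge or the public key after the fact fails the signature check outright.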

~~~
Rafert
Thanks for the link to your presentation. I'm currently implementing this in a
Rails app and had a bit of a hard time grokking U2F with only the info from the
FIDO site. Your talk will make it easier for my colleagues to understand U2F
:)

~~~
moreati
Have you seen
[https://github.com/castle/ruby-u2f](https://github.com/castle/ruby-u2f)? As
linked from
[https://developers.yubico.com/U2F/Libraries/List_of_librarie...](https://developers.yubico.com/U2F/Libraries/List_of_libraries.html)

~~~
Rafert
Yes and I am using that. Thanks!

------
j_s
If you want to try for one of the 5,000 $5 Yubikeys with everyone else
currently killing the server...

1) sign in with github at: [https://www.yubico.com/github-special-offer/](https://www.yubico.com/github-special-offer/)

2) buy now: [https://www.yubico.com/github-special-offer/github-yubikey-s...](https://www.yubico.com/github-special-offer/github-yubikey-special-offer/)

3) checkout: [https://www.yubico.com/checkout/](https://www.yubico.com/checkout/)

Once you complete one step successfully you should be able to skip to the
next. Good luck vs. the 504's!

~~~
_kst_
The second link is now giving me "yubico site under maintenance". Same for
[https://yubico.com/](https://yubico.com/)

~~~
larssorenson
I got 'down briefly for scheduled maintenance, please check back in a minute.'

Scheduled? Yeah right.

------
gbraad
"Note: FIDO U2F authentication is currently only available for the Chrome
browser." [https://help.github.com/articles/providing-your-2fa-authenti...](https://help.github.com/articles/providing-your-2fa-authentication-code/#using-a-fido-u2f-security-key)

~~~
JamesBaxter
Here's the issue for the feature in Firefox
[https://bugzilla.mozilla.org/show_bug.cgi?id=1065729](https://bugzilla.mozilla.org/show_bug.cgi?id=1065729)

~~~
zobzu
Yeah this stuff won't be "universal" until at least all browsers support it...
which would be GREAT

------
nikolay
You can still order:

1. Go to [https://www.yubico.com/github-special-offer/](https://www.yubico.com/github-special-offer/)

2. Add the special edition security key to cart

3. Apply the "GITHUB" coupon

4. Check out

Once you get it, don't forget to also use it with Dropbox and Google, which
both predate GitHub in the U2F support. If you know any other provider,
comment below, please!

~~~
imrehg
Looks like in the meantime it was overwhelmed, only 1 hour since your post.

> We are experiencing difficulties and the GitHub Special Offer is temporarily
> unavailable. We are working hard to fix the issue and appreciate your
> understanding.

> Keep an eye on Twitter (@yubico) for updates on when we will have the GitHub
> Special Offer available again.

------
IgorPartola
This is fun:

    Notice: load_plugin_textdomain was called with an argument that is deprecated since version 2.7 with no alternative available. in /nas/wp/www/cluster-50027/yubico2/wp-includes/functions.php on line 3510
    Notice: Use of undefined constant WOOCOMMERCE_VERSION - assumed 'WOOCOMMERCE_VERSION' in /nas/wp/www/cluster-50027/yubico2/wp-content/plugins/woocommerce-wootax/woocommerce-wootax.php on line 552
    Fatal error: Class 'WC_Payment_Gateway' not found in /nas/wp/www/cluster-50027/yubico2/wp-content/plugins/yubico-payment/yubico-payment.php on line 16

------
dankohn1
This seems less convenient to me than 2FA using Google authenticator. I always
have my phone with me. I don't want to bother bringing a USB key between home
and work.

Is a separate USB key meaningfully more secure?

~~~
jasoncartwright
I've used a YubiKey for 2FA for a year or so now. It just sits in my USB port
and it feels too convenient - steal my laptop and you get my key. At least my
phone has a PIN.

~~~
sandstrom
I think the (relatively) small overlap between knowing your password and
stealing your computer is important here.

Passwords are weak vs. many types of hacks; U2F is strong. And vice versa
(easy to steal the Yubikey + computer, but they still need the password).

------
mongol
Although I think Yubikey is great, I use Plug-Up key to test U2F.
[http://sk.happlink.com/plugup/en/](http://sk.happlink.com/plugup/en/)

It was cheaper but is more fragile, worked well to test it out.

Now when U2F is getting more support, I think I will buy a Yubikey with U2F.

------
drdaeman
Uh. U2F feels incredibly limited compared to PKCS#11. I really wonder why it
was chosen (and am somewhat disappointed by the choice).

With a smartcard that can hold a key pair, one can both authenticate (sign)
and encrypt messages, using the same single key (or multiple keys if one wishes
for multiple identities). With U2F all one can do is authenticate, using a
distinct securely-stored PSK for each remote party.

~~~
superuser2
The infrastructure around smartcards is designed for one enterprise to pay
another enterprise millions of dollars to roll out Active Directory-based
authentication for a Windows domain with hundreds of thousands of users, for a
multinational corporation to roll out a payment card, etc.

A single hobbyist maintains an open-source tool that allows applets to be
loaded on to GlobalPlatform-compliant cards. It's pretty fragile and requires
some trickery and tribal knowledge. You have to hope some forum somewhere has
the unlock key to allow applet loading on whatever card you bought. Another
single hobbyist maintains a PKCS#11-compatible card applet, PKIApplet. It
requires a relatively modern JavaCard version and compatible JavaCards are not
always available for individual purchase in the U.S. If you're prepared to
_really_ get down and dirty with DIY trickery, you might manage to load
PKIApplet onto a JavaCard with GlobalPlatformPro.

Actually using it requires OpenSC, not a shining example of usability or code
quality. It requires specific drivers for different cards, each having
slightly different personalization procedures. Many of the drivers in it are
for cards that can no longer be purchased. PKIApplet appears to have a driver
in OpenSC but I haven't gotten an opportunity to test it yet. Much of the
tooling you'll find references to in documentation turns out to have expired
domains and abandoned SourceForge projects last updated 2002.

The OpenPGP route appears to be a little less sad than the PKCS#11 route,
since at least Yubikey maintains a modern OpenPGPApplet.

If your Fortune 100 company's CTO wants to play golf with Gemalto, smart cards
are for you. Otherwise, probably not. It makes sense that a modern _personal_
2FA solution would want to be free of all that legacy.

~~~
drdaeman
Makes sense. Enterprise shit is, indeed, terrible. However, I didn't mean
there is any reason to support every JavaCard out there and existing
(enterprise) software - and I suppose this is where it all really starts to
smell. On the other hand, they have designed a whole new standard, protocol
and devices.

I've edited this for quite a long time and finally figured out what I really had
in my mind. I'm not disappointed it's a new standard or anything like this.
I'm disappointed by the fact that this stuff isn't extensible and nothing new
can be built upon this.

Not in a sense that no new software can be added to a token, but when you use
U2F you just have a means to prove you know some PSK. And that's it. Would the
token hold a keypair and use digital signatures instead, it could bring much
more possibilities in the long run. Like sending encrypted emails to the token
owners, or building a global identity system where identities are something
user possesses, not leases from the "identity providers".

------
philip1209
I like this because I keep a U2F Neo-n device permanently in my laptop USB
port. It's just more convenient for services that support it. In the future, I
would like to require it for employees on our app.

However, when I go into Github to turn it on (in Chrome, using U2F devices I
have already used with Google) it says "This device cannot be registered."
Even when I remove the device it says that. I'm disappointed that the feature
is not working.

~~~
co0nsta
I had this problem too, and it turned out my system wasn't configured
correctly. I had to download
[https://github.com/Yubico/libu2f-host/blob/master/70-u2f.rul...](https://github.com/Yubico/libu2f-host/blob/master/70-u2f.rules)
to /etc/udev/rules.d and then `udevadm control --reload-rules`. Worked fine
after that. HTH.

~~~
co0nsta
Gah, just noticed you are using a different brand of device. Anyway, if you're
on Linux, poking around the USB stack might point to a solution. It did for
me.

------
buffoon
Just a warning with the yubikeys. I had to use a solution that had these for a
few months. The USB port of my laptop (2011 MBP) was pretty much worn out due
to the physical insertion and removal - other stuff would just fall out.
Eventually this port blew entirely and stopped working.

This is not specific to the MBP as a colleague's ThinkPad had the same
problem.

------
_kst_
The "Special Offer for GitHub Users!" link is giving me a 504 error (took too
long to complete).

[https://www.yubico.com/github-special-offer/](https://www.yubico.com/github-special-offer/)

------
alexruf
Good to see that. Hope more services will support it also soon.

------
jnpatel
It's always exciting to see the list of services supporting U2F for 2FA grow.
It now includes Google, Dropbox, and GitHub.

~~~
zobzu
Duo also supports it.

------
DaveWalk
When will Amazon get U2F/2FA? I have heard it's good for AWS but what about
for us plebs who just buy stuff?

------
mike-cardwell
Sod the Yubikey. Get a Pebble Time watch and install the QuickAuth app. One
press of a button on my watch and I get a list of two factor auth codes for my
various services, now including Github. Doesn't require plugging anything into
my laptop. Doesn't require my phone to be near me or on. Doesn't require
Internet access.

~~~
danieldk
TOTP is vulnerable to phishing and MITM attacks. U2F (assuming that you are
not MITMed when registering the device) is not.
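
An added illustration of the point above, not code from the thread or from any U2F library: a toy relying party and token built on Go's standard-library ECDSA. The `ClientData` JSON, the use of the relying party's origin as its app ID, the sixteen-byte hex challenge and the constructed look-alike origin `https://github-login.example` are assumptions of this example; the signed-data layout follows the U2F shape sha256(appID) || presence || counter || sha256(clientData) but is not byte-exact. A challenge relayed through another site is rejected because the browser, not the page, stamps the origin into the data the token signs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// ClientData is assembled by the browser before it asks the token to sign; the
// browser fills in Origin itself, so a look-alike domain cannot claim to be the real site.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Token is one registered U2F key pair plus its signature counter.
type Token struct {
	Key     *ecdsa.PrivateKey
	counter uint32
}

func NewToken() *Token {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Token{Key: k}
}

type Assertion struct {
	ClientDataJSON []byte
	Counter        uint32
	Signature      []byte
}

// signedDigest mirrors the U2F authentication signature input:
// sha256(appID) || userPresence(0x01) || counter (big-endian) || sha256(clientDataJSON).
func signedDigest(appID string, c uint32, clientDataJSON []byte) []byte {
	appHash, cdHash := sha256.Sum256([]byte(appID)), sha256.Sum256(clientDataJSON)
	msg := append(append(appHash[:], 0x01, byte(c>>24), byte(c>>16), byte(c>>8), byte(c)), cdHash[:]...)
	d := sha256.Sum256(msg)
	return d[:]
}

// Sign is what browser and token do together when a page at origin asks for a signature (errors elided).
func (t *Token) Sign(appID, origin, challenge string) *Assertion {
	cd, _ := json.Marshal(ClientData{Challenge: challenge, Origin: origin})
	t.counter++
	sig, _ := ecdsa.SignASN1(rand.Reader, t.Key, signedDigest(appID, t.counter, cd))
	return &Assertion{ClientDataJSON: cd, Counter: t.counter, Signature: sig}
}

// RelyingParty is the server; its origin doubles as the app ID here (a simplification).
type RelyingParty struct {
	AppID       string
	Pub         *ecdsa.PublicKey // learned at registration
	lastCounter uint32
	pending     string // challenge outstanding for the current login attempt
}

// IssueChallenge hands out a fresh random nonce for one login attempt.
func (rp *RelyingParty) IssueChallenge() string {
	b := make([]byte, 16)
	_, _ = rand.Read(b)
	rp.pending = fmt.Sprintf("%x", b)
	return rp.pending
}

// Verify accepts an assertion only if it was signed for this origin, over the outstanding challenge, by the registered key, with a counter that moved on.
func (rp *RelyingParty) Verify(a *Assertion) error {
	var cd ClientData
	_ = json.Unmarshal(a.ClientDataJSON, &cd) // malformed input leaves cd empty and fails below
	if cd.Origin != rp.AppID {
		return fmt.Errorf("origin %q is not %q: signature was made for another site", cd.Origin, rp.AppID)
	}
	if rp.pending == "" || cd.Challenge != rp.pending {
		return errors.New("challenge does not match the one outstanding")
	}
	if !ecdsa.VerifyASN1(rp.Pub, signedDigest(rp.AppID, a.Counter, a.ClientDataJSON), a.Signature) {
		return errors.New("signature does not verify under the registered key")
	}
	if a.Counter <= rp.lastCounter {
		return errors.New("counter did not increase: replay or cloned token")
	}
	rp.lastCounter, rp.pending = a.Counter, ""
	return nil
}

func main() {
	tok := NewToken()
	rp := &RelyingParty{AppID: "https://github.com", Pub: &tok.Key.PublicKey}
	fmt.Println("genuine login:", rp.Verify(tok.Sign(rp.AppID, rp.AppID, rp.IssueChallenge())))
	// A look-alike site relays the real challenge to the victim, whose browser
	// stamps the look-alike origin into the signed client data; the server rejects it.
	relayed := rp.IssueChallenge()
	fmt.Println("relayed via look-alike site:", rp.Verify(tok.Sign(rp.AppID, "https://github-login.example", relayed)))
}
```

Patching the origin in `ClientDataJSON` after the fact does not help either, since the signature covers the hash of those exact bytes and fails at the next check; the counter check additionally rejects a replayed assertion. The whole scheme rests on `Pub` being the genuine token's key, which is exactly the registration-time caveat the comment names: if registration itself had been intercepted, the server would have pinned someone else's key.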

------
lovemetender
I would have used it if it used Google Authenticator.

~~~
danielsamuels
You've been able to use Google Authenticator with Github for years.

~~~
lovemetender
I dug through 2 links and found it, thanks for letting me know:

[https://help.github.com/articles/about-two-factor-authentica...](https://help.github.com/articles/about-two-factor-authentication/)

------
chedabob
I can't think of a single compelling reason to use this over Google
Authenticator.

~~~
sowbug
It's faster. No typing. No worry about malware stealing your OTP secret. It's
easy to revoke a single device if you lose it without having to change your
Authenticator secrets everywhere. And it looks cool.

~~~
minisu
Also, phishing and Man-in-the-Middle protection.

------
Animats
How do you know the YubiKey isn't going to attack your machine through the USB
port?

~~~
tokenizerrr
How do you know your mouse or keyboard isn't going to attack your machine
through the USB port?

------
dheera
I never understood the point of 2-factor authentication, and moreover, certain
agencies (e.g. banks) that force using it. Can't we just pick good enough
passwords?

Personally I hate being {attached to|associated with|being required to carry}
a particular piece of hardware; I much prefer that information freely flows
with me as I move between the various devices I interact with over the course
of a day.

There are many times I don't carry my phone around with me or do not wish to,
simply because I have a terminal that loads my personalized environment
everywhere I go. Information flows with me, not hardware.

~~~
jcoene
You're expressing a preference for convenience over security. The truth is
that most people pick bad passwords, and even good passwords can be cracked.

2FA with a physical component is generally the best way to achieve the goal of
"information flows with me". With a password only, you can more aptly describe
the situation as "information flows with anyone who knows my password".

~~~
dheera
In that case, can we do 2FA with something biometric? Or even 2 passwords?

A physical component has a lot of issues:

* It can be stolen or robbed at gunpoint. Torture, drugging, and hypnosis aside, your mind is much more secure.

* It can run out of batteries.

* It's one more thing you can lose. It's already annoying enough to have to remember to carry 7 or 8 things every day, including a phone, bike light, smart watch, tablet, battery pack, reusable utensils, and so on. I don't want to have to add more things to this list.

* It can be damaged by the elements.

* It can be difficult to give access to others who you _want_ to give access to.

* It may have security holes of its own, both in hardware and in software.

* When damaged or robbed, the user is highly inconvenienced, to the point that they are unable to access their own money/accounts/etc. How do you get food, water, and get home from the middle of nowhere _after_ your wallet and phone have been taken from your person? With password-only methods, you could theoretically find a nearby public terminal, log in with a simple username and password, and get a ride/call a friend/file a report/do whatever you need to do.

* If it relies on cellular service, it may not work internationally if the user changes SIM cards or devices. For many that live near border towns and cross borders every day for work, this becomes a massive inconvenience.

~~~
mongol
The Yubikey does not run on batteries. It requires no cellular service. It can
be damaged by the elements but not easily. Most electronics would break before
it does. Of course you can lose it, but you can lose anything. Attach it to
something you care about, such as your regular keychain. If you want to give
access to someone, register a second key and lend that key to them. Then
revoke when they don't need it.

~~~
dheera
What if I don't want to carry keys around? My house door can be opened with a
password. I only need to carry myself.

