
Soft U2F: A software-based U2F authenticator for macOS - darwhy
https://githubengineering.com/soft-u2f/
======
madamelic
Can someone explain how this is an improvement on phone-based, non-SMS 2FA?

This solution seems ripe for exploitation by putting your passwords (if you
store your passwords on your computer) and 2FA on the same machine.

~~~
jdc0589
on an unrelated note: can someone explain why SMS based 2FA was ever
considered to be a good idea? That crap drives me NUTS.

~~~
stephengillie
It feels inherently insecure to blast a 2FA code across every device where
you've got Hangouts installed. (And if you've got Hangouts installed on the PC
where you're logging into, then it's not 2FA anymore.)

~~~
kbenson
> It feels inherently insecure to blast a 2FA code across every device where
> you've got Hangouts installed.

I think that may be Project Fi specific. To my knowledge, Hangouts doesn't do
SMS anymore except for Project Fi customers, and even prior to them forcibly
removing SMS handling from Hangouts on my Samsung and telling me to find
something else after an update, it never synced SMS messages to other
Hangouts instances.

------
cntlzw
U2F is great and you can get a physical device for around $15. I wish banks
and such would adopt U2F sooner rather than later. They could just send U2F
tokens as giveaways.

Big downside: Apple and Microsoft. They don't support it in their browsers. No
browser support, no U2F.

~~~
bostand
Safari and Edge users are a tiny minority. Most security aware people use
Chrome anyway.

~~~
ohthehugemanate
Really, you think security aware people use Chrome? The security aware people
I engage with avoid it. The baked in data collection and telemetry are a
concern for them. Some of them even remember specific problems, like that time
it turned out Chrome was listening on your mic all the time, and sending the
audio back home.

The security conscious people I know use Firefox or Chromium.

Of course, your point stands: no one's using safari or edge. :)

~~~
dogma1138
You always have Chromium. Also, don't confuse security awareness with privacy
concerns.

Chrome is more secure; this means that you have less of a chance of having your
data compromised, including any and all data on your machine, by an unknown 3rd
party. Since Chrome's data collection is known it can be incorporated into a
simple threat model. You know what is collected and who collects it; most
security aware people will be OK with Chrome collecting some metrics that in
all fairness are likely to be collected anyhow unless they block every
JavaScript and Cookie on the planet, do not use any Google service or a service
that uses GA, in exchange for not having to worry about their browsers being
pwned.

------
atonse
To Github people: I ordered your yubikey token but stayed away from U2F out of
fear that I'd be locked out if I lost the hardware token.

But I didn't realize you could set up U2F and TOTP as a backup.

~~~
tptacek
Not only can you do this, but the major services won't even let you set up U2F
without a backup factor.

The best current Google auth stack, by the way, is:

1. U2F

2. Phone-based authenticator app (TOTP)

3. Password-manager password

4. Printed codes

5. DISABLE SMS. (Google forces you to enroll in SMS to turn on 2FA; you can
simply delete your phone number after enrolling everything else).

~~~
rcthompson
Thank you for letting me know that SMS authentication is not mandatory for
Google accounts! I assumed it was for the reason mentioned in your comment.

------
Rjevski
What's wrong with client certificates? Instead of reinventing the wheel they
should've just used those which would've given browser vendors a reason to
improve their UX regarding client certs.

~~~
ptoomey3
That is roughly all U2F is. It is a per-origin key pair that is registered
with each site and used to sign challenges. At some point browsers themselves
might implement something like Soft U2F, at which point, they basically will
have "improved the UX of client certs".

~~~
Rjevski
The advantage of client certs over U2F is that client certs use the same
proven mechanism your browser uses to verify the server's cert, and can even
be handled by the web server. It's also seamless for the user - if needed you
can be logged in right from the first request. U2F needs to be implemented
over the top in the app itself and the login process is at the minimum two
steps (no way to login from the first request).

------
jdeibele
Somewhat disconcerting to see this in Chrome:

Attackers on github-production-release-asset-2e65be.s3.amazonaws.com may trick
you into doing something dangerous like installing software or revealing your
personal information (for example, passwords, phone numbers, or credit cards).

------
philip1209
Until Yubikey releases a USB-c version of their nano, I think I'll use this.
Since I've had to transition to a keychain U2F device instead of one I can
leave in my laptop, I find myself using it far less.

~~~
sowbug
I'd expect the U2F protocol to be built into secure elements on laptops before
a Type-C Nano comes into existence.

USB-C ports are too precious to keep them filled all the time with an
authentication device, and there doesn't seem to be enough room in the male
side of the Type-C coupling to allow the necessary circuitry to exist in a
slim form factor. Both these problems are solvable, but meanwhile secure
elements are already shipped with many laptops.

(An assumption of this comment is that the Nano is kept semi-permanently in
the laptop port. That's what the Nano is indeed designed for.)

~~~
drodgers
Honestly, I don't know why Apple doesn't implement U2F on the Secure Enclave
(activated via the Touch ID sensor); it seems like such an obvious move.

Maybe they're trying to get iCloud and Safari support all ready to release at-
once?

~~~
hdhzy
Wow, great idea!

I think Web Authentication will slowly make U2F obsolete, in a sense that U2F
will become one of many authentication methods, others could also be
implemented. Checking the WebAuthn specs one can see references to Android
attestation, TPM attestation, so generally secure hardware elements.
Implementing a U2F solution would require emulating USB exchange I guess.

Of course U2F still has an advantage that you can take your token and
authenticate on a different device but unfortunately newer Yubikeys do not
support U2F over NFC and there are not so many other solutions.

------
bugmen0t
You don't really[1] need to install this, if you're using Firefox. Just set
the prefs 'security.webauth.u2f' and 'security.webauth.u2f_enable_softtoken'
to true.

[1] (Unless you need the token to live in your macOS keychain, instead of the
Firefox profile directory.)

~~~
mastahyeti
My understanding is that the FF softtoken was intended to be temporary while
they worked on their HID support. That might not be the case any longer
though.

~~~
ilikepi
Yeah, the software token was only intended for testing purposes.[1] HID
support is supposedly a goal for later this year.[2] There is also a
third-party(?) add-on for hardware token support[3], but apparently it will
stop working with FF 57 as it was not written for WebExtensions.

(Disclaimer: not affiliated with Mozilla; I just check in on bug 1065729 every
so often.)

[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1065729#c262

[2]: https://wiki.mozilla.org/Security/CryptoEngineering#Web_Authentication

[3]: https://addons.mozilla.org/en-US/firefox/addon/u2f-support-add-on/

------
djrogers
This seems a little restrictive if it doesn't have some sort of 2FA
alternative, like a mobile TOTP app or something. I'd hate to be locked out of
any accounts for losing my MacBook, or to be unable to use the accounts from
mobile or a different platform.

As a secondary/simpler 2FA alternative I like it, but the description here
doesn't do much to explain how to get around the problem of only having this
available on my macs.

~~~
elchief
The solution for actual U2F tokens is to buy 2 and put one in a safe deposit
box. Not sure what the solution is for the software version.

~~~
noja
Wouldn't work. Too inconvenient. What if you need to add another account? Go
to the safe deposit box, create the account, then take it back again?

------
petee
This seems misguided - it is watering down a decent system simply to appease
and attract people too cheap to buy tokens; if 2fa is something that is so
important to you, and you need it, just buy the damn tokens!

A vague comparison, would be me selling pre-printed 'random' passwords on
paper because a user generating their own was 'too difficult'

IMHO, soft-token U2F is only useful for testing, development, and personal
entertainment.

~~~
ptoomey3
What is the attack scenario you feel a hardware token protects you against
that a software token will not (for the use cases U2F was designed for)? Sure,
hardware tokens prevent malware from actually lifting your private keys. But,
to steal your software private keys you likely need malicious code running on
your computer. And, once an attacker has that, it is largely game over for all
intents and purposes anyway. They can ask your hardware token to sign bogus
requests, steal your passwords, etc. Sure, with a hardware token you can wipe
your machine and feel semi-confident that you get to keep your private keys.
But, really, once your machine has been compromised and you wipe it, setting
up new private keys sounds like a wise practice regardless. I'm not arguing
that hardware tokens have zero use. But, for most users, the attack model
where hardware tokens shine is likely not of value to them.

~~~
nicpottier
I may be mistaken (and I'm sure someone will point out if I am) but I think
most hardware U2F tokens require you to physically press something on the
token to validate that it should pass over your keys.

The soft U2F solution presented here still prompts you, but it is easier to
imagine the software being modified/owned on a compromised machine than the
hardware token being hacked in such a way as to hand over the keys without a
physical press.

~~~
ptoomey3
Once you have malicious software running it is largely game over. Sure, the
hardware token can require a press, but once pressed what challenge is being
signed? Malware can just wait and send a challenge for Site A when you are
actually trying to sign into site B. Or, the malware can just wait until you
login and steal your browser cookies. Oh, also, Soft U2F can require a similar
physical touch if you have a Mac with Touch ID.

~~~
tscs37
At least for my U2F token, I'm being shown the site I'm signing for on a
hardware screen.

~~~
mastahyeti
Which device are you using? With U2F, the browser doesn't send the name of the
site to the authenticator.
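
The exchange ptoomey3 describes above (a per-origin key pair that signs challenges, and malware on the host feeding the token a challenge for site A while the user thinks they are logging into site B) together with the point just made about what the authenticator actually receives can be shown end to end. The Go sketch below is an added example written for this page; it is not Soft U2F's code nor any FIDO reference implementation. The token sees only sha256(appId) (the application parameter) and sha256(clientData) (the challenge parameter), signs over appParam, presence byte, counter and challengeParam, and the site verifies with its own appId hash. Assumptions for the sketch: keys are kept in a map keyed by application parameter instead of being wrapped into a key handle, the clientData JSON and challenge are constructed literals, and the look-alike origin is hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator is a toy software token. It keeps keys in a map keyed by the
// application parameter sha256(appId), which is all it ever sees of a site
// (assumption: a real token hands the site an opaque key handle instead).
type Authenticator struct {
	keys    map[[32]byte]*ecdsa.PrivateKey
	counter uint32 // global signature counter, as on most hardware tokens
}

// Register mints a fresh P-256 key pair bound to one application parameter.
func (a *Authenticator) Register(appParam [32]byte) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[appParam] = priv
	return &priv.PublicKey, nil
}

// Assertion carries a DER ECDSA signature over signedBytes(...).
type Assertion struct {
	UserPresence byte
	Counter      uint32
	Signature    []byte
}

// signedBytes = sha256(appParam || userPresence || counter (big-endian) || challengeParam).
func signedBytes(appParam [32]byte, up byte, ctr uint32, challengeParam [32]byte) []byte {
	buf := append(append(make([]byte, 0, 69), appParam[:]...), up)
	buf = append(buf, byte(ctr>>24), byte(ctr>>16), byte(ctr>>8), byte(ctr))
	h := sha256.Sum256(append(buf, challengeParam[:]...))
	return h[:]
}

// Authenticate signs whatever appParam/challengeParam it is handed (after the
// presence gesture); it cannot tell which site the browser, or malware, is acting for.
func (a *Authenticator) Authenticate(appParam, challengeParam [32]byte) (*Assertion, error) {
	priv, ok := a.keys[appParam]
	if !ok {
		return nil, fmt.Errorf("u2f: no key for application parameter %x", appParam[:4])
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedBytes(appParam, 1, a.counter, challengeParam))
	if err != nil {
		return nil, err
	}
	return &Assertion{UserPresence: 1, Counter: a.counter, Signature: sig}, nil
}

// RelyingParty is a site: it recomputes the signed bytes with its OWN appId
// hash and rejects counters that do not move forward (replay/clone detection).
type RelyingParty struct {
	AppID   string
	pub     *ecdsa.PublicKey
	lastCtr uint32
}

func (rp *RelyingParty) AppParam() [32]byte { return sha256.Sum256([]byte(rp.AppID)) }

func (rp *RelyingParty) Verify(challengeParam [32]byte, as *Assertion) bool {
	ok := as != nil && as.UserPresence&1 == 1 && as.Counter > rp.lastCtr &&
		ecdsa.VerifyASN1(rp.pub, signedBytes(rp.AppParam(), as.UserPresence, as.Counter, challengeParam), as.Signature)
	if ok {
		rp.lastCtr = as.Counter
	}
	return ok
}

// Demo runs a legitimate login, a replay of it, and an assertion the token
// signed for a hypothetical look-alike origin but presented to the real site.
func Demo() (legit, replay, crossOrigin bool, err error) {
	tok := &Authenticator{keys: map[[32]byte]*ecdsa.PrivateKey{}}
	site := &RelyingParty{AppID: "https://github.com/u2f"}
	evil := &RelyingParty{AppID: "https://lookalike.example/u2f"} // hypothetical
	cp := sha256.Sum256([]byte(`{"challenge":"constructed","origin":"https://github.com"}`))
	var as [2]*Assertion
	for i, rp := range []*RelyingParty{site, evil} {
		if rp.pub, err = tok.Register(rp.AppParam()); err != nil {
			return
		}
		if as[i], err = tok.Authenticate(rp.AppParam(), cp); err != nil {
			return
		}
	}
	legit = site.Verify(cp, as[0])       // true
	replay = site.Verify(cp, as[0])      // false: counter did not advance
	crossOrigin = site.Verify(cp, as[1]) // false: signed over the look-alike's appParam
	return
}

func main() { fmt.Println(Demo()) }
```

Run with `go run`; it prints `true false false <nil>`. The middle result is the counter check: the same assertion presented twice is rejected, which is also how a site can notice a cloned token whose counter lags behind. The last result is the phishing property: the browser, not the user, derives the application parameter from the page's origin, so a signature obtained on a look-alike page never verifies at the real site. What the malware scenario in this thread buys is the ability to choose the appParam on a host it already controls, and no token, hardware or software, can see through that because the origin never reaches it.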

~~~
tscs37
I'm using Trezor, I believe it has been preloaded with certain websites so it
knows Github and Google and the likes.

It also shows parts of the public key (or so I believe, it is a unique
identifier) per website.

------
sly010
I don't see anyone mentioning that Google won't allow you to use U2F anywhere
but on Chrome. E.g. last time I tried I couldn't log in using Firefox even if I
installed the plugin. [0]

[0] https://productforums.google.com/forum/#!topic/gmail/IwKFuNh0mh8

Edit: link

------
ianopolous
I've been looking into 2FA on Github and I don't understand why you must have
either SMS or TOTP (typically a mobile app) as the primary second factor. Why
not let users go straight to a yubikey? I don't want my mobile involved in the
process at any point. You also can't remove the TOTP factor once you've added
a yubikey, so yubikeys are 2nd class citizens, despite being much more secure.

~~~
ptoomey3
The primary reason is exactly the reason you cited (U2F support is not
ubiquitous across browsers, especially mobile). We may consider allowing folks
to use U2F exclusively in the future, but we started conservatively given the
already risky proposition of account lockout with regular 2FA.

~~~
ianopolous
Thank you for clearing that up. Personally, I'm more likely to lose my phone
or have it brick itself (happened to my previous phone) than to lose a
yubikey.

------
re1man
Extension version with similar functionality:
https://chrome.google.com/webstore/detail/keyless-u2f/bhgbpfmmjenlapdolpeijifcedhcogne
Works with Mac + Windows. Amazing to see more soft solutions for U2F.

------
chaz6
The benefit of U2F to me is that it is a hardware token. I would never use a
software token when I can use a hardware token.

------
mkj
The kext shouldn't be necessary for a Safari and Firefox plugin. Is it just
there to fake a U2F USB device for Chrome?

------
mongol
U2F adoption seems quite slow. Google were in early, and later github and
Dropbox. But since then? Feels like nothing happened.

~~~
Freak_NL
Cost is the major problem, with a couple of technical/deployment issues.

The technical/deployment issues to me are the lack of browser support (that
means Edge, Firefox, Safari, etc.), the long and slow migration from USB-A to
USB-C, and the missing parts of the mobile puzzle. With the latter I mean U2F
support for Bluetooth Low Energy (BLE) and NFC on (at least) smartphones.

Ideally, you could visit some secured website on your smartphone, choose to
authenticate with FIDO U2F, tap your U2F key to the phone, and authenticate
with it using BLE or NFC. The same key can be used on a laptop or desktop
computer as well using USB.

Those devices will exist (or already exist perhaps), but they will cost a lot
more than the plain USB-A U2F keys available now for roughly $15.

To drive adoption, ideally banks would get on board and go for U2F. That way a
lot of people would come in contact with the technology, driving adoption and
prompting users to use the key for other services as well (for the bank this
provides a nice branding opportunity!).

Unfortunately, banks tend to favour private solutions based on TOTP/HOTP in a
lot of countries. That means that in, for example, my native country of the
Netherlands you will get a small battery powered calculator-like device from
your bank that generates the challenge-response verification codes needed to
authorize transactions. Each bank has its own solution that only works with
them, and each will send you their private branded TOTP-in-a-box device.

Add to this governments that are attempting to introduce electronic ID-cards
containing NFC-chips for public authentication with government and commercial
entities alike, and you can see why in a lot of countries the only candidates
for U2F are global services like GitHub and Dropbox. That reduces the amount
of potential U2F users to what are essentially power users.

~~~
jack12
Just a heads up: on the US Amazon site Feitian has a USB-A + NFC token for $16
(and there's a one-per-customer coupon on the amazon product page to knock it
down to $10).

Feitian also have a BLE + NFC + USB token for $24 (with a coupon to buy it for
$16), but that requires charging a battery, is less rugged, and the USB
requires a cable to connect to it.

It's not as cheap as USB-only (there used to be a $6 USB token sold), but NFC
support doesn't have to cost much more (especially as the secure element chips
they're built around all move towards having NFC support as a baseline
anyway).

Also there seem to be a handful of Java Card implementations of U2F on github
already (one of them is even sold as a Fidesmo app, if you want to pay for
easy installation), so an NFC-only U2F token could presumably be had for as
cheap as any javacard-compatible NFC smart card, and then just registered as a
second token.

I don't think it's enough to help push U2F forward by itself, but I think if
webauthn can get solid cross-browser support for U2F implemented, price won't
continue to be a big problem. Having just read up on webauthn, and seeing how
many browsers already have test implementations shipping, I'm pretty
optimistic U2F is going to be seeing a lot more interest soon.

------
milkshakes
This would be great if it were linked to the Touch Bar fingerprint sensor.

~~~
mastahyeti
It is :-)

------
lisper
I tried it but it didn't work for me. I'm running Mavericks. Do I need to
reboot or something?

~~~
mastahyeti
I've only tested on Sierra, so I'm not terribly surprised that this doesn't
work. Would you mind opening an issue so I can help debug?
[https://github.com/github/SoftU2F/issues/new](https://github.com/github/SoftU2F/issues/new)

~~~
lisper
Done.

------
cbhl
I'm surprised they're willing to trust a mouse click on a notification. (Can't
that be simulated by malware by using the Accessibility APIs?) I was expecting
a U2F authenticator that wanted a Touch ID touch first.

~~~
pfg
Malware is a game-over scenario either way. It can simply steal your session
keys or send requests from your browser with an active session.

That said, there seems to be some sort of Touch Bar integration[1]. It doesn't
currently store the keys in the SEP, but that might become an option at some
point[2].

[1]:
[https://twitter.com/mastahyeti/status/889546786221678592](https://twitter.com/mastahyeti/status/889546786221678592)

[2]:
[https://twitter.com/mastahyeti/status/889548782035124224](https://twitter.com/mastahyeti/status/889548782035124224)

------
mtgx
This isn't also backed up by SMS, is it? Because the majority of
U2F-supporting services seem to be doing that, even Google (and for its own
Google Prompt, too).

~~~
cimnine
You can disable Google SMS 2FA anytime.

~~~
ptoomey3
And the same is true on GitHub. You can use app based TOTP without SMS.

------
scott00
Any plans for a Windows version?

------
bdcravens
If you're already into Bitcoin, the hardware wallets can also be used for U2F.

------
exabrial
It'd be awesome to see keybase integration

