
Software U2F Authenticator for macOS - borski
https://github.com/github/SoftU2F
======
jkirsteins
This is cool that it uses U2F, but unfortunately it does not bind to the
hardware, undermining the point a little bit.

In a similar vein, here's a TOTP client (unfortunately no U2F/WebAuthn) that
can bind the secrets to the hardware (on TouchID Macs):
[https://github.com/sqreen/twofa](https://github.com/sqreen/twofa)
(disclaimer: I'm the author)

~~~
cameldrv
IMO binding to the hardware is not a huge security benefit. Suppose you have a
security key that can auth to service X and then your device is compromised.
The attacker can install malware that will simply wait until you auth that
service, and then just make it look like your web browser crashed and hijack
the session. The difference between having the private key and having an
authenticated session is marginal.

OTOH, the anti-phishing/shoulder surfing benefits of U2F are substantial and
eliminate the ability to perform very common attacks. This is a great piece of
software.

~~~
skybrian
Sure, that's one threat scenario, but aren't there others?

It seems like a hardware key helps when using a machine temporarily, and it
gets compromised after you use it.

~~~
drivebycomment
Hardware based is of course better, but if we're comparing "hardware-based
OTP" and "software-based u2f", the latter is better for practically everyone.

------
ejholmes
This will hopefully become obsolete in the near future. If you're on a recent
MacBook (with TouchID), using the current version of Chrome, and using a
website that supports the new WebAuthn standard (e.g. GitHub) then you get
this for free; you can authenticate through TouchID.

~~~
Hamuko
Does this tie your login just to that specific MacBook?

~~~
mcpherrinm
Yes. You should ensure you have another way of logging in. You can enroll
multiple webauthn authenticators, totp tokens, etc.

------
OJFord
It took me a minute not to see this as bad for security, rather than good. But
it essentially makes the device you install it on (and register with GH or
whatever site) a 'trusted device', better than not using U2F at all, worse
than a separate hardware key.

I prefer to do the device trusting with Firefox's login manager, and then the
second factor is a hardware PGP key where supported, or TOTP on another device
if not. Whereas with this the device is trusted with the 'second', so you
probably want to store the 'first factor' passwords separately (i.e. have to
enter them) for anything important.

~~~
Fnoord
While it is arguably better than nothing (as it at least protects better
against brute force attacks, and password leaking) there's a downside to
projects like these (and the leaking of passwords could be mitigated by any
decent password manager, i.e. don't reuse passwords).

Services such as websites assume and grant trust levels based on if you have
2FA enabled (such as requiring 2FA for certain operations). Instead, if you
don't use hardware 2FA, they shouldn't grant the same level of trust as when
you do.

The example of malware is mentioned in the README. The secondary reason I use
2FA is stolen device. I keep my hardware token separate from my device when I
don't use my device.

Also, the README does not mention FIDO2 at all. IIRC that had further
protections against malware, but I'm not sure. The README is out of date
regardless.

~~~
Terretta
It’s interesting the issues thread sees no upside to requiring a _specific_
fingerprint from outside the device (together with the device and the
password):

[https://github.com/github/SoftU2F/pull/29](https://github.com/github/SoftU2F/pull/29)

I would prefer a fingerprint change equate to loss of the hardware key. I quit
sessions, and would like the stronger mitigation of various password bypasses
and priv escalations.

------
sdan
Doesn't this defeat the whole purpose? I love my multiple U2F keys, but I
don't understand why getting a software one would do any good...

~~~
skybrian
U2F keys cost money. Maybe you don't want to buy more than one, but you need a
backup.

Inexpensive ways to do it will help adoption and people who care more will
stick with hardware keys.

~~~
sdan
I guess what you're saying makes sense.

But instead of "faking" U2F keys just go with something like authy or phone
verification. I still believe it defeats the hardware purpose of u2f given
that it's software (even if it's a backup).

~~~
dmoy
authy and phone also defeat one purpose of u2f, in that they are trivially
phishable.

Any backup for a u2f that isn't another physical u2f is compromising in some
way, it's just a matter of which way.

In reality though I agree with you and use one time code backup for u2f, and
just trust that I will be careful if I ever need to use them. (But maybe I'll
be panicking already and get phished? Who knows...)

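The two protocol properties argued over above (cameldrv's point that U2F resists phishing, and the earlier objection that a software key is not hardware-bound) come down to what the authenticator actually signs. This is an added toy model, not code from SoftU2F or any project in the thread; it follows the U2F raw-message layout but swaps ECDSA P-256 for HMAC-SHA256 so it runs on the Python standard library, and every origin, challenge and key value is constructed.

```python
"""Toy U2F authentication in the raw-message layout: the signature covers the app
parameter (SHA-256 of the origin), a user-presence byte, a 4-byte counter and the
challenge parameter (SHA-256 of the client data). HMAC-SHA256 stands in for ECDSA."""
import copy, hashlib, hmac, json, struct

def signed_bytes(app_id: str, presence: bytes, ctr: bytes, client_data: dict) -> bytes:
    """Exactly what the authenticator signs; the origin is baked into the first 32 bytes."""
    client_hash = hashlib.sha256(json.dumps(client_data, sort_keys=True).encode()).digest()
    return hashlib.sha256(app_id.encode()).digest() + presence + ctr + client_hash

class SoftAuthenticator:
    """Constructed stand-in for a software key: secret and counter are plain memory."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0
    def authenticate(self, app_id: str, client_data: dict) -> bytes:
        # The browser supplies app_id for the origin the page is actually loaded from.
        self.counter += 1
        ctr = struct.pack(">I", self.counter)
        sig = hmac.new(self.secret, signed_bytes(app_id, b"\x01", ctr, client_data), hashlib.sha256).digest()
        return b"\x01" + ctr + sig

class RelyingParty:
    def __init__(self, app_id: str, secret: bytes):
        self.app_id, self.secret, self.last_counter = app_id, secret, 0
    def verify(self, challenge: str, client_data: dict, response: bytes) -> bool:
        if client_data.get("origin") != self.app_id or client_data.get("challenge") != challenge:
            return False  # client data names another origin or a stale challenge
        presence, ctr, sig = response[:1], response[1:5], response[5:]
        if presence != b"\x01" or struct.unpack(">I", ctr)[0] <= self.last_counter:
            return False  # no user presence, or the counter went backwards: a cloned key
        expected = hmac.new(self.secret, signed_bytes(self.app_id, presence, ctr, client_data), hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False  # signed over a different origin or different client data
        self.last_counter = struct.unpack(">I", ctr)[0]
        return True

def run_scenarios() -> dict:
    """Constructed scenarios; returns which ones the relying party accepts."""
    secret = b"constructed-key-material"
    rp, key = RelyingParty("https://rp.example", secret), SoftAuthenticator(secret)
    cd = lambda c, o=rp.app_id: {"typ": "navigator.id.getAssertion", "challenge": c, "origin": o}
    legit = rp.verify("c1", cd("c1"), key.authenticate(rp.app_id, cd("c1")))
    # Look-alike origin: the browser hands the key that origin, so rewriting the origin
    # field in the relayed client data cannot make the signature match the real one.
    relayed = rp.verify("c2", cd("c2"), key.authenticate("https://rp-example.invalid", cd("c2", "https://rp-example.invalid")))
    # Cloned software key: the copy signs once, so the original's next counter is stale.
    clone = copy.deepcopy(key)
    clone_ok = rp.verify("c3", cd("c3"), clone.authenticate(rp.app_id, cd("c3")))
    original_ok = rp.verify("c4", cd("c4"), key.authenticate(rp.app_id, cd("c4")))
    return {"legit": legit, "relayed": relayed, "clone": clone_ok, "original_after_clone": original_ok}
```

The relying party accepts the legitimate login, rejects the relayed one because the origin hash is inside the signed bytes, and accepts the clone but then rejects the original key, which is the counter regression a real U2F service would flag.
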
------
xaduha
I have a contactless card reader and contactless smart card that has this
installed [https://github.com/tsenger/CCU2F](https://github.com/tsenger/CCU2F)

It works in mobile Chrome just fine with built in NFC, but it doesn't work in
Windows and Linux last I tried, because there's no support for U2F NFC in
desktop browsers yet.

Surely there's a way to meet in the middle somewhere, so instead of doing it
in software it would use a smart card via card reader.

------
agucova
Does anyone know of an equivalent for Ubuntu Desktop? (or any distro for
that matter)

~~~
danstiner
Shameless self-plug, I've written such an equivalent for Linux distros:
[https://github.com/danstiner/rust-u2f#rust-u2f](https://github.com/danstiner/rust-u2f#rust-u2f)

Though it suffers from the caveat that secrets are just stored as a file in
$HOME. I'd love to support more secure methods but haven't seen enough
interest in the project to justify the dev time that would be required.

~~~
pabs3
Have you considered punting the storage decision to the Linux desktop's Secret
Service (the equivalent of the macOS keychain)?

[https://specifications.freedesktop.org/secret-service/](https://specifications.freedesktop.org/secret-service/)

~~~
danstiner
Thanks for the suggestion. It hasn't been a focus yet because it doesn't bring
much security for me personally, but it is something I would like to do
eventually.

Issue:
[https://github.com/danstiner/rust-u2f/issues/19](https://github.com/danstiner/rust-u2f/issues/19)

------
Thorrez
When it was released in 2017:
[https://news.ycombinator.com/item?id=14840913](https://news.ycombinator.com/item?id=14840913)

------
ecesena
Last commit is from Oct 2018, is this still maintained?

~~~
QuinnWilton
From the Readme:

> We take the security of this project seriously. Report any security
> vulnerabilities to the GitHub Bug Bounty Program.

I'm guessing that means it's actively maintained.

~~~
lawnchair_larry
That phrase really needs to die.

~~~
Thorrez
Which phrase, that they take the security of it seriously? What would you
replace it with? Would you recommend just deleting that sentence? I think it
goes well with the bug bounty sentence.

------
hugoromano
from now this is my decoy U2F key...

