
This seems misguided - it is watering down a decent system simply to appease and attract people too cheap to buy tokens; if 2fa is something that is so important to you, and you need it, just buy the damn tokens!

A vague comparison would be me selling pre-printed 'random' passwords on paper because a user generating their own was 'too difficult'.

IMHO, soft token u2f is only useful for testing, development, and personal entertainment




What is the attack scenario you feel a hardware token protects you against that a software token will not (for the use cases U2F was designed for)? Sure, hardware tokens prevent malware from actually lifting your private keys. But, to steal your software private keys you likely need malicious code running on your computer. And, once an attacker has that, it is largely game over for all intents and purposes anyway. They can ask your hardware token to sign bogus requests, steal your passwords, etc. Sure, with a hardware token you can wipe your machine and feel semi-confident that you get to keep your private keys. But, really, once your machine has been compromised and you wipe it, setting up new private keys sounds like a wise practice regardless. I'm not arguing that hardware tokens have zero use. But, for most users, the attack model where hardware tokens shine is likely not of value to them.


I may be mistaken (and I'm sure someone will point out if I am) but I think most hardware U2F tokens require you to physically press something on the token to validate that it should pass over your keys.

The soft U2F solution presented here still prompts you, but it is easier to imagine the software being modified/owned on a compromised machine than the hardware token being hacked in such a way as to hand over the keys without a physical press.


From my testing of several hardware U2F implementations, the test-of-user-presence (touching the button) unlocks the device for an amount of time. During this time multiple authentications/registrations will succeed without further user interaction. Even without this behavior though, hardware tokens don't indicate which site you're authenticating with. Malware could just make an authentication request right as some user action triggers a legitimate authentication request.


Once you have malicious software running it is largely game over. Sure, the hardware token can require a press, but once pressed what challenge is being signed? Malware can just wait and send a challenge for Site A when you are actually trying to sign into site B. Or, the malware can just wait until you login and steal your browser cookies. Oh, also, Soft U2F can require a similar physical touch if you have a Mac with Touch ID.


At least for my U2F token, I'm being shown the site I'm signing for on a hardware screen.


Which device are you using? With U2F, the browser doesn't send the name of the site to the authenticator.


I'm using Trezor, I believe it has been preloaded with certain websites so it knows Github and Google and the likes.

It also shows parts of the public key (or so I believe, it is a unique identifier) per website.
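As an added illustration (not code from this thread, from Soft U2F, or from any token vendor) of the point made above: in a U2F sign request the authenticator receives only two 32-byte hashes plus the key handle, never the origin string, so a device can name the site only if it carries a preloaded table of appId hashes. The sample values, the KNOWN_APPS table and the stand-in key handle are constructed assumptions.

```python
import hashlib
import json
import struct

# Constructed sample values, not taken from any real deployment.
APP_ID = "https://github.com"
CHALLENGE_B64 = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed challenge
KEY_HANDLE = b"\x01" * 64                      # constructed placeholder

# Assumption for illustration only: how a device with a display could map
# an appId hash back to a name. Not any vendor's real table.
KNOWN_APPS = {hashlib.sha256(a.encode()).digest(): n for a, n in
              [("https://github.com", "GitHub"),
               ("https://www.gstatic.com/securitykey/origins.json", "Google")]}


def browser_builds_request(app_id, challenge_b64, origin, key_handle):
    """Build what a U2F client (the browser) hands to the authenticator.

    Per the U2F raw message format the token gets SHA-256(appId),
    SHA-256(clientData) and the key handle; the origin string itself
    stays inside clientData, which only the relying party reads."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge_b64,
                              "origin": origin},
                             separators=(",", ":")).encode()
    return {"app_param": hashlib.sha256(app_id.encode()).digest(),
            "chal_param": hashlib.sha256(client_data).digest(),
            "key_handle": key_handle,
            "client_data": client_data}


def authenticator_view(req, counter, user_present=True):
    """Return the label the token could show and the bytes it signs.

    Signed layout: appParam || userPresence(1) || counter(4, BE) ||
    challengeParam. Two requests for the same appId differ only in the
    challenge hash, which tells the user nothing about who sent them."""
    label = KNOWN_APPS.get(req["app_param"], "unknown site (hash only)")
    up = b"\x01" if user_present else b"\x00"
    signed = (req["app_param"] + up + struct.pack(">I", counter)
              + req["chal_param"])
    return label, signed


def relying_party_checks_origin(req, expected_origin):
    """The phishing defence lives here, at the site, not on the token."""
    return json.loads(req["client_data"]).get("origin") == expected_origin
```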


Well physical presence is huge - your software-compromised token can sign an infinite number of bogus token requests, whereas with hardware, you'd have to be an idiot to press the button for random requests, or repeatedly; and has nothing to do with stolen passwords.

The best an attacker can do at that point is access whatever account-specific token that was 'intercepted', and use that until it expires on whatever site...which if implemented correctly won't let you make any major changes without your token press - aka, software-token just gave up your account, where hardware would have stopped it.


You can use a hardware token on multiple machines.

My bank, for example, has both your password entry and the private keys on the token. All you ever enter onto a computer or smartphone is the one time password, even when using their smartphone app.

I like my bank.


My bet on the reason for creating this: new Macs have no USB-A port, and there are no USB-C U2F tokens that fit flush in the port.

Github isn't too cheap to buy the token. The token they want to buy simply doesn't exist.


By flush, do you mean fully hidden inside the port? Yubikey has the 4C which should work on the MacBook and is the same size as their normal keys.


I mean you put it in the port, and leave it there permanently. Moving the laptop around, putting it in/out of backpacks and bags with no risk of damage or serious snags or pressure.

Yubikey 4C definitely does not qualify.


Malware running on your computer is a game-over scenario even with hardware tokens. The main difference here is that you'll need to revoke the device key after a compromise.

Password reuse and phishing are probably the most common threats users face. This addresses both with a (for most users) negligible security trade-off. If it increases U2F adoption, I'm all for it. I'd like to see U2F (or webauthn) become a browser/OS feature, backed by TPMs or things like TouchID, but this is a good first step.


Jinx :-)


But notice the software is only for Mac. So it's for people who are too cheap to spring for a $10 key but drop $1k on a laptop. Go figure.



