HN Gopher Feed (2017-07-24) - page 1 of 10
Soft U2F: a software-based U2F authenticator for macOS
135 points by darwhy
https://githubengineering.com/soft-u2f/
bdcravens - 1 hours ago
If you're already into Bitcoin the hardware wallets also can be
used for U2F
philip1209 - 1 hours ago
Until Yubikey releases a USB-c version of their nano, I think I'll
use this. Since I've had to transition to a keychain U2F device
instead of one I can leave in my laptop, I find myself using it far
less.
sowbug - 11 minutes ago
I'd expect the U2F protocol to be built into secure elements on
laptops before a Type-C Nano comes into existence. USB-C ports are
too precious to keep them filled all the time with an
authentication device, and there doesn't seem to be enough room
in the male side of the Type-C coupling to allow the necessary
circuitry to exist in a slim form factor. Both these problems are
solvable, but meanwhile secure elements are already shipped with
many laptops. (An assumption of this comment is that the Nano is
kept semi-permanently in the laptop port. That's what the Nano is
indeed designed for.)
ianopolous - 13 minutes ago
I've been looking into 2FA on Github and I don't understand why you
must have either SMS or TOTP (typically a mobile app) as the
primary second factor. Why not let users go straight to a yubikey?
I don't want my mobile involved in the process at any point. You
also can't remove the TOTP factor once you've added a yubikey, so
yubikeys are 2nd class citizens, despite being much more secure.
djrogers - 1 hours ago
This seems a little restrictive if it doesn't have some sort of 2FA
alternative, like a mobile TOTP app or something. I'd hate to be
locked out of any accounts for losing my MacBook, or to be unable
to use the accounts from mobile or a different platform. As a
secondary/simpler 2FA alternative I like it, but the description
here doesn't do much to explain how to get around the problem of
only having this available on my macs.
elchief - 1 hours ago
the solution for actual U2F tokens is to buy 2 and put one in a
safe deposit box. not sure what the solution is for software
version
philip1209 - 1 hours ago
In general, U2F doesn't work on iPhones - so most sites offer
multiple methods of secondary authentication (including Github,
Facebook, and Google). So, it is a bit of a convenience - but it
is also more secure because it matches hostnames.
ndm - 21 minutes ago
TOTP via SMS or apps is required to set up a u2f key on GitHub.
scott00 - 1 hours ago
Any plans for a Windows version?
milkshakes - 2 hours ago
this would be great if it were linked to touchbar fingerprint
sensor
mastahyeti - 2 hours ago
It is :-)
Rjevski - 1 hours ago
What's wrong with client certificates? Instead of reinventing the
wheel they should've just used those which would've given browser
vendors a reason to improve their UX regarding client certs.
wmf - 50 minutes ago
Most sites can't sacrifice all their users in the short term for
the good of the Internet long-term.
ptoomey3 - 1 hours ago
That is roughly all U2F is. It is a per-origin key pair that is
registered with each site and used to sign challenges. At some
point browsers themselves might implement something like Soft
U2F, at which point, they basically will have "improved the UX of
client certs".
Rjevski - 47 minutes ago
The advantage of client certs over U2F is that client certs use
the same proven mechanism your browser uses to verify the
server's cert, and can even be handled by the web server. It's
also seamless for the user - if needed you can be logged in
right from the first request. U2F needs to be implemented over
the top in the app itself and the login process is at the
minimum two steps (no way to login from the first request).
mongol - 1 hours ago
U2F adoption seems quite slow. Google were in early, and later
github and Dropbox. But since then? Feels like nothing happened.
csomar - 40 minutes ago
I think it is attack-driven. Most bitcoin wallets/exchanges have
2FA/U2F because it is a must given the value at stake. If you are
running a forum board, you probably don't care much, nor are
your users going to bother.
madamelic - 2 hours ago
Can someone explain how this is an improvement on phone-based, non-
SMS 2FA? This solution seems ripe for exploitation by putting your
passwords (if you store your passwords on your computer) and 2FA on
the same machine.
jdc0589 - 2 hours ago
on an unrelated note: can someone explain why SMS based 2FA was
ever considered to be a good idea? That crap drives me NUTS.
ptoomey3 - 2 hours ago
Mostly because, thus far, it has the best user setup experience
(doesn't require user to download a new app and hence can often
get enabled in seconds) and has the best "lost device"/"broken
device" story (people tend to not have their backup codes). I
think things like Soft U2F can change that equation a bit. An
iCloud keychain synced 2FA credential would go a long way
toward addressing some of the usability issues with traditional
TOTP based 2FA.
stephengillie - 2 hours ago
It feels inherently insecure to blast a 2FA code across every
device where you've got Hangouts installed. (And if you've got
Hangouts installed on the PC where you're logging into, then
it's not 2FA anymore.)
kbenson - 1 hours ago
> It feels inherently insecure to blast a 2FA code across
every device where you've got Hangouts installed.

I think that may be Project Fi specific. To my knowledge, Hangouts
doesn't do SMS anymore except for Project Fi customers, and
even prior to them forcibly removing SMS handling from
Hangouts on my Samsung and telling me to find something else
after an update, it never synced SMS messages to other
Hangouts instances.
crummy - 2 hours ago
The improvement is accessibility. It's less secure than physical
2FA but more so than just 1FA. As the article says, "for many,
the security of software-based U2F is sufficient and helps to
mitigate against many common attacks such as password dumps,
brute force attacks, and phishing related exploits."
nevir - 1 hours ago
It's really not that much less secure than physical 2FA: I'm
willing to bet that most people just leave their hardware key
in their laptop at all times. (where "most people" ends up
being corporate U2F users, who are probably given YubiKey Nanos
and the like) At that point, your laptop is basically your 2nd
factor - which this software is pretty similar to.
bugmen0t - 2 hours ago
This is mostly against phishing. A phisher can get users to
insert a token from a USB device or a text into evil.com. But U2F
uses public key crypto, so your token derived for evil.com is not
the same as for github.com
madamelic - 2 hours ago
Ahhhh. That makes a lot more sense. Thank you.
anfedorov - 1 hours ago
Also, if your machine is compromised, the cookies used to
authenticate you post-login can be stolen just as well. RTFA.
heavymark - 2 hours ago
Passwords are often already on the users phone. Such as if you
use say Authy or Google Authenticator for your 2 factor, your
phone if say an iPhone already stores all your passwords in your
keychain which is accessible on your iPhone just like on your
computer. Or if you use 1Password your passwords are accessible
on your phone just like on your desktop. So still comes down to
you having a strong master password for your keychain and or
1Password, etc that only you know. If you use Authy on your phone,
they have long had a chrome extension that allows you to get your
codes on your computer, already for years and that works with all
your existing codes rather than this which is limited to just
GitHub currently it sounds. But hopefully someone else can comment
on the security improvements of Soft U2F or if it's more just
building a standard rather than people having to rely on Authy or
such.
pfg - 23 minutes ago
> But hopefully someone else can comment on the security
improvements of Soft U2F or if its more just building a
standard rather than people having to rely on Authy or such.

The main difference is that U2F is phishing-resistant because it
binds keys to the origin. TOTP, on the other hand, can still be
phished. (I believe Authy attempted to solve some of this with
their browser extension for sites that use their first-party
integration, rather than just for users using Authy as a
generic TOTP app. I would generally avoid their first-party
integration because of their reliance on SMS.)
mastahyeti - 2 hours ago
I think the greatest practical threat to TOTP is phishing. U2F,
regardless of where keys are stored, binds a keypair to an
origin. Only authentication requests from `github.com` can use
the `github.com` keys. For my money, any U2F implementation is a
win over any TOTP.
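The origin binding that ptoomey3, bugmen0t, pfg and mastahyeti describe above is easy to see in code. The following Go program is an added illustration written for this page; it is not Soft U2F's own source and not code from any commenter. It follows the real U2F raw message format for what gets signed (SHA-256 of the application ID, a user-presence byte, a 4-byte counter, SHA-256 of the client data) but simplifies everything else: the key handle format (`handle-N`), the JSON client data, and the single-process "browser" that performs the facet check are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// authMessage is the byte string a U2F authenticator signs when authenticating:
//   SHA-256(appID) || user-presence byte || 4-byte big-endian counter || SHA-256(clientData)
// The application ID hash is inside the signed data, so an assertion produced
// for one origin cannot verify under another origin's ID.
func authMessage(appID string, counter uint32, clientData []byte) []byte {
	app := sha256.Sum256([]byte(appID))
	cd := sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append([]byte{}, app[:]...)
	msg = append(msg, 0x01) // user presence confirmed (Touch ID in Soft U2F, a tap on a hardware key)
	msg = append(msg, ctr[:]...)
	return append(msg, cd[:]...)
}

type registration struct {
	appID string
	key   *ecdsa.PrivateKey
}

// SoftToken stands in for a software authenticator: a fresh P-256 key pair per
// registration, each remembered together with the appID it was created for.
type SoftToken struct {
	keys    map[string]registration // opaque key handle -> registration
	counter uint32
}

func NewSoftToken() *SoftToken { return &SoftToken{keys: map[string]registration{}} }

// Register mints a key pair for appID and returns the opaque key handle plus the
// public key the relying party stores against the user's account.
func (t *SoftToken) Register(appID string) (string, *ecdsa.PublicKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	handle := fmt.Sprintf("handle-%d", len(t.keys)+1) // assumed format; real tokens use random or key-wrapping handles
	t.keys[handle] = registration{appID: appID, key: key}
	return handle, &key.PublicKey, nil
}

// Sign answers an authentication request. A handle is only honoured for the
// appID it was registered under, so a github.com handle is inert for evil.com.
func (t *SoftToken) Sign(appID, handle string, clientData []byte) (uint32, []byte, error) {
	reg, ok := t.keys[handle]
	if !ok || reg.appID != appID {
		return 0, nil, errors.New("key handle is not registered for this appID")
	}
	t.counter++
	digest := sha256.Sum256(authMessage(appID, t.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, reg.key, digest[:])
	return t.counter, sig, err
}

// BrowserSign models the browser's facet check: a page may only request an
// assertion for an appID matching its own origin. This is what stops a phishing
// page from asking the token for a github.com assertion in the first place.
func BrowserSign(t *SoftToken, pageOrigin, appID, handle, challenge string) (uint32, []byte, []byte, error) {
	if pageOrigin != appID {
		return 0, nil, nil, fmt.Errorf("origin %q may not use appID %q", pageOrigin, appID)
	}
	cd := []byte(fmt.Sprintf(`{"typ":"navigator.id.getAssertion","challenge":%q,"origin":%q}`, challenge, pageOrigin))
	counter, sig, err := t.Sign(appID, handle, cd)
	return counter, sig, cd, err
}

// Account is what the relying party keeps per registered key.
type Account struct {
	Pub     *ecdsa.PublicKey
	Counter uint32
}

// VerifyAssertion is the relying-party side: origin in the client data, a
// strictly increasing counter (replay and clone detection), and a valid
// signature over the message bound to this site's appID.
func VerifyAssertion(appID string, acct *Account, clientData []byte, counter uint32, sig []byte) error {
	if !bytes.Contains(clientData, []byte(fmt.Sprintf(`"origin":%q`, appID))) {
		return errors.New("clientData origin does not match this site")
	}
	if counter <= acct.Counter {
		return errors.New("counter did not increase: replay or cloned token")
	}
	digest := sha256.Sum256(authMessage(appID, counter, clientData))
	if !ecdsa.VerifyASN1(acct.Pub, digest[:], sig) {
		return errors.New("bad signature")
	}
	acct.Counter = counter
	return nil
}

type DemoResult struct{ LoginOK, BrowserBlocked, TokenBlocked, ReplayBlocked bool }

// Demo runs a registration, a genuine login, two phishing attempts and a replay.
func Demo() DemoResult {
	const site, phisher = "https://github.com", "https://evil.com"
	token := NewSoftToken()
	handle, pub, err := token.Register(site)
	if err != nil {
		return DemoResult{}
	}
	acct := &Account{Pub: pub}
	var r DemoResult
	ctr, sig, cd, err := BrowserSign(token, site, site, handle, "challenge-1")
	r.LoginOK = err == nil && VerifyAssertion(site, acct, cd, ctr, sig) == nil
	// A phishing page relays the real challenge and handle but runs on evil.com.
	_, _, _, err = BrowserSign(token, phisher, site, handle, "challenge-2")
	r.BrowserBlocked = err != nil
	// Even bypassing the browser, the token refuses the handle under another appID.
	_, _, err = token.Sign(phisher, handle, cd)
	r.TokenBlocked = err != nil
	// Replaying the earlier assertion fails the counter check.
	r.ReplayBlocked = VerifyAssertion(site, acct, cd, ctr, sig) != nil
	return r
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

Two things to take from it: the phishing page is stopped twice (the browser's facet check, then the token's own appID binding), and neither check depends on where the private key lives, which is why the origin binding holds for a software token in the macOS keychain as much as for a YubiKey. The counter check is the one defence that a copied software key weakens, since a clone can keep its counter in step if it is used instead of, rather than alongside, the original.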
bugmen0t - 2 hours ago
You don't really[1] need to install this, if you're using Firefox.
Just set the prefs 'security.webauth.u2f' and
'security.webauth.u2f_enable_softtoken' to true.

[1] (Unless you need the token to live in your Mac OS keychain,
instead of the Firefox profile directory.)
scott00 - 1 hours ago
Does this actually work for you? I could never get that to work.
(Firefox 54 on Windows)
mastahyeti - 2 hours ago
My understanding is that the FF softtoken was intended to be
temporary while they worked on their HID support. That might not
be the case any longer though.
ilikepi - 2 hours ago
Yeah, the software token was only intended for testing
purposes.[1] HID support is supposedly a goal for later this
year.[2] There is also a third-party(?) add-on for hardware
token support[3], but apparently it will stop working with FF
57 as it was not written for WebExtensions. (Disclaimer: not
affiliated with Mozilla; I just check in on bug 1065729 every
so often.)

[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1065729#c262
[2]: https://wiki.mozilla.org/Security/CryptoEngineering#Web_Auth...
[3]: https://addons.mozilla.org/en-US/firefox/addon/u2f-support-a...
lisper - 1 hours ago
I tried it but it didn't work for me. I'm running Mavericks. Do I
need to reboot or something?
ndm - 19 minutes ago
Are you triggering U2F challenges by visiting sites that support
u2f? Opening the app doesn't do anything.
lisper - 6 minutes ago
Yes. The configuration I was using (Yubico test site on
Chrome) works against hardware tokens. Just for context, I'm
pretty well versed in U2F. I actually sell a U2F token of my
own (https://sc4.us/hsm) and I've published a serverless U2F
test harness (https://github.com/rongarret/u2f-test).
mtgx - 2 hours ago
This isn't also backed-up by SMS, is it? Because the majority of
U2F-supporting services seem to be doing that - even Google (and
for its own Google Prompt, too).
mastahyeti - 2 hours ago
You still have to configure TOTP (SMS or App) 2FA before you can
add a U2F device. That might change in the future.
kbenson - 1 hours ago
> even Google (and for its own Google Prompt, too).

Just for iOS, or for Android as well? Is Android intercepting
Google sourced SMS messages so it doesn't appear to be SMS, or
are you referring to the iPhone experience?
cimnine - 2 hours ago
You can disable Google SMS 2FA anytime.
ptoomey3 - 1 hours ago
And the same is true on GitHub. You can use app based TOTP
without SMS.
atonse - 2 hours ago
To Github people: I ordered your yubikey token but stayed away from
U2F out of fear that I'd be locked out if I lost the hardware
token. But I didn't realize you could setup U2F and TOTP as a
backup.
sowbug - 2 hours ago
You can also order as many of the U2F devices as you wish and
associate them all with any number of accounts. Yes, they do cost
money, but the cheapest today is $10 shipped on Amazon. Even if
you prefer the ergonomics of the more expensive ones, it's fine
as a backup you keep locked in a safe at home.