U2F

From das_wiki

U2F is much better than 2-factor authentication by TOTP or SMS (more generally, U2F > TOTP > SMS > password only). The main reason is that U2F is not susceptible to man-in-the-middle attacks in the way TOTP and SMS are: the key signs a challenge that is bound to the site's origin, so a response relayed through a look-alike site does not verify, whereas a TOTP or SMS code typed into a look-alike site works just as well for the attacker as for you.

A good U2F solution is the Nitrokey FIDO U2F. To set it up on Linux (if you use another *nix, please let me know), you need to follow a few steps that the Nitrokey documentation does not cover. Here's what to do:

Set up udev rules for the key

Create the file /etc/udev/rules.d/70-u2f.rules (as root) with the content

 # Nitrokey FIDO U2F
 KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4287", TAG+="uaccess"

The TAG+="uaccess" part relies on systemd-logind, which grants the user of the active local session read/write access to the device node; without it, only root can open /dev/hidraw* and the browser will not see the key. Reload the rules with udevadm (this needs root), then unplug and re-insert the key so the rule is applied:

 $ sudo udevadm control --reload-rules && sudo udevadm trigger

Configure Firefox, enroll the key

Open Firefox, and go to about:config (in the URL bar). Search for the string 'u2f': you should see the key security.webauth.u2f. Enable it by double-clicking so that its value reads true (if it is already true, which is the default in recent Firefox releases, nothing needs to change).

Go to the security settings of the website where you want to enroll the key and start the registration. You will see a popup from the info button to the left of the URL bar stating that the site wants to use your key. Just insert the key (and touch its button if it blinks), and it should register. Congratulations!
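The steps above, collected into a small POSIX shell script as an added example (this is not from the wiki page or from Nitrokey). It installs the udev rule idempotently, validates that a rules file really contains the three parts the rule needs, enables the Firefox preference by writing a user.js line into a profile directory you pass in, and, most usefully, checks whether the key's hidraw node is actually readable and writable by the current user, which is the thing the uaccess tag is supposed to achieve. Assumptions: systemd-logind is in use, the vendor/product IDs are the ones given on the page, and the Firefox profile path is supplied by the caller; the function names and the "install"/"check" subcommands are this script's own.

```shell
#!/bin/sh
# Added example: scripted Nitrokey FIDO U2F setup plus an access check.
# Not the wiki's or Nitrokey's code. Assumes systemd-logind (for uaccess).
set -eu

U2F_VENDOR="20a0"    # IDs as given on the page
U2F_PRODUCT="4287"

# Write 70-u2f.rules into RULES_DIR (default /etc/udev/rules.d).
# Prints "written" or "unchanged" so it is safe to run repeatedly.
install_u2f_rule() {
  rules_dir="${1:-/etc/udev/rules.d}"
  rule_file="$rules_dir/70-u2f.rules"
  rule="KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"$U2F_VENDOR\", ATTRS{idProduct}==\"$U2F_PRODUCT\", TAG+=\"uaccess\""
  if [ -f "$rule_file" ] && grep -qF "$rule" "$rule_file"; then
    echo unchanged
    return 0
  fi
  mkdir -p "$rules_dir"
  printf '# Nitrokey FIDO U2F\n%s\n' "$rule" > "$rule_file"
  echo written
}

# Return 0 only if FILE matches our vendor, our product and tags uaccess.
validate_u2f_rule() {
  f="$1"
  [ -r "$f" ] || return 1
  grep -qF "ATTRS{idVendor}==\"$U2F_VENDOR\"" "$f" &&
    grep -qF "ATTRS{idProduct}==\"$U2F_PRODUCT\"" "$f" &&
    grep -qF 'TAG+="uaccess"' "$f"
}

# Append the about:config setting to user.js in PROFILE_DIR; Firefox reads
# user.js at startup. Prints "written" or "unchanged".
enable_firefox_u2f() {
  prefs="$1/user.js"
  line='user_pref("security.webauth.u2f", true);'
  if [ -f "$prefs" ] && grep -qF "$line" "$prefs"; then
    echo unchanged
    return 0
  fi
  printf '%s\n' "$line" >> "$prefs"
  echo written
}

# Locate the key's hidraw node via sysfs (HID_ID=bus:vendor:product) and
# test whether *this* user can open it. Prints the node path.
# Returns 1 if no key is plugged in, 2 if found but not accessible.
find_u2f_hidraw() {
  for dev in /sys/class/hidraw/hidraw*; do
    [ -e "$dev/device/uevent" ] || continue
    if grep -qi "^HID_ID=[0-9A-F]*:0*${U2F_VENDOR}:0*${U2F_PRODUCT}\$" "$dev/device/uevent"; then
      node="/dev/$(basename "$dev")"
      echo "$node"
      [ -r "$node" ] && [ -w "$node" ] && return 0
      return 2
    fi
  done
  return 1
}

# Usage: sudo sh u2f-setup.sh install [FIREFOX_PROFILE_DIR]
#        sh u2f-setup.sh check        (as the normal user, key plugged in)
case "${1:-}" in
  install)
    install_u2f_rule
    udevadm control --reload-rules && udevadm trigger
    if [ -n "${2:-}" ]; then enable_firefox_u2f "$2"; fi
    ;;
  check)
    if node=$(find_u2f_hidraw); then
      echo "key usable by $(id -un) at $node"
    else
      echo "key not found, or found but not accessible: replug it after installing the rule"
    fi
    ;;
esac
```

Run "check" as your ordinary user after re-inserting the key; if it reports the node but not "usable", the rule was not applied (wrong IDs, rule file sorted after 73-seat-late.rules, or no logind session), and the browser will fail silently in exactly the same way.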