Doug Toppin's Blog

My thoughts on technology and other stuff

My New Yubico FIDO U2F Security Key

I like to try various online authentication methods and use a variety of them including a Gemalto MFA for my AWS account, the Google Authenticator app and two factor authentication for various accounts. Recently I saw an article about Google adding support to Chrome for the FIDO U2F standard and decided to add that to my list of things that tell people that I am really me. I bought the Yubico FIDO U2F Special Security Key (very cheap at $18) and received it a couple of days ago.

If you are not familiar with FIDO U2F, it is a standard in which the normal account name and password are entered first and are then followed by a public-key challenge-response from a separate device in your possession: the site sends a random challenge, the browser binds it to the site's origin, and the device signs it with a private key that is specific to that site and never leaves the device. The additional device is described as "hardened" to reduce the risk of its being compromised by someone else.

It is a USB form factor device and my first observation is that I need to be careful about using it because on my MBP it sticks out pretty far.

My next observation is a little confusion about when to use it and whether or not it should be left in the USB slot after it authenticates you (pretty sure not but nothing actually says that).

Another observation is that, like my AWS MFA fob, it is something else that I need to keep on or near me most of the time. The form factor is small enough that this is relatively easy, but it seems flimsy enough that I am wondering how long it will be before it is lost, cracked or takes a spin through our washing machine. The one that I have requires insertion into a USB slot, but there are others that support NFC, which might be more convenient and pose less risk of breaking it if it could be used with my iPhone/iPad.

The only actual usage of it that I have experienced so far is adding it to my Google account, so I cannot say that it has been useful to date. I am expecting that to change before long, but right now it is just another thing hanging off of me.

I am still debating whether or not I could just use the Google Authenticator app for pretty much everything, but I am willing to try other methods just to see how well they work out and how practical they are in general.

You can find out a bit more about the above at the following links.

http://krebsonsecurity.com/2014/10/google-accounts-now-support-security-keys/

https://www.yubico.com/products/yubikey-hardware/

https://support.google.com/accounts/answer/6103523
