A few U2F details worth mentioning:

Browser support is currently limited to Chrome, and possibly Windows Edge*

For now it only works with USB. Bluetooth and NFC specs are out; browser support is the bottleneck.

The protocol is public/private key based, with the private key strongly encouraged to be in tamper-resistant/evident storage.

The protocol is authentication method agnostic. It doesn't care if you use a USB key, a retinal scan, a PIN or divination.

You could write a software-only authenticator if you wanted, but servers could detect that (and reject it if they chose to) through the attestation certificate you provided.

You can't pretend to be a brand X authenticator, because only company X will have the private key(s) matching the attestation certs to sign (batches) of model X authenticator.

YubiKeys are just one implementation of a U2F authenticator. In theory GitHub now works with any present/future authenticators that talk U2F (modulo browser support), e.g. an iPhone+TouchID+NokNok SDK, a Pebble watch+app, an Android Phone+$your_app, an NFC implant, m-of-n wearables.

\* Microsoft announced something U2F related for Windows 10; I never got to the bottom of what exactly.

For more detail I did a talk at EuroPython this year:
https://moreati.github.io/passwordspain/#/
https://www.youtube.com/watch?v=YSTsgldazSU