by LethargicStud
3031 days ago
I'm unclear as to how this would work in practice. Chrome supports U2F out of the box, so getting a big weird pop-up asking to access your USB device, you'd at least be suspicious. Upon registration, the server also collects a nonce, which is used for verification[0]. The attackers would need to get that nonce from the site. Hopefully, the site disables CORS so a phishing site cannot request a challenge. Lastly, on Linux (I know, a minority), you need to make an entry in rules.d[1] to even allow Chromium to access USB devices. I can see how this potentially maybe could catch someone, but I don't see it as much of a risk.

[0]: https://blog.fastmail.com/2016/07/23/how-u2f-security-keys-w...
[1]: https://developers.google.com/web/updates/2016/03/access-usb...
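As an added illustration (not written by the commenter, and not any real library's API), here is the server-side check that makes the per-login nonce useful: the relying party only accepts clientData that echoes an unexpired, single-use challenge it issued and names an origin it owns, which is the binding that defeats a phishing site relaying the exchange. Class and function names are hypothetical, and the token's signature over clientData is not verified here.

```python
import base64
import hmac
import json
import secrets
import time


class U2FChallengeVerifier:
    """Server-side half of a U2F assertion (simplified: signature check omitted).

    Each challenge is a single-use random nonce; the token's clientData must
    echo it together with an origin the relying party actually controls.
    """

    def __init__(self, allowed_origins, ttl_seconds=60):
        self.allowed_origins = set(allowed_origins)
        self.ttl = ttl_seconds
        self._pending = {}  # challenge -> time it was issued

    def issue_challenge(self):
        # 32 random bytes, base64url without padding, as U2F clients expect.
        challenge = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
        self._pending[challenge] = time.time()
        return challenge

    def verify_client_data(self, client_data_b64url):
        """Return (ok, reason). A challenge is consumed on first use, success or not."""
        padded = client_data_b64url + "=" * (-len(client_data_b64url) % 4)
        try:
            data = json.loads(base64.urlsafe_b64decode(padded))
        except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
            return False, "malformed clientData"
        if not isinstance(data, dict) or data.get("typ") != "navigator.id.getAssertion":
            return False, "unexpected typ"
        if data.get("origin") not in self.allowed_origins:
            return False, "origin not allowed"
        challenge = data.get("challenge", "")
        for pending in list(self._pending):
            if hmac.compare_digest(pending, challenge):  # constant-time compare
                issued = self._pending.pop(pending)
                if time.time() - issued > self.ttl:
                    return False, "challenge expired"
                return True, "ok"
        return False, "unknown or already used challenge"


def make_client_data(challenge, origin):
    # Constructed stand-in for what a browser/token would hand back.
    raw = json.dumps({"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin})
    return base64.urlsafe_b64encode(raw.encode()).rstrip(b"=").decode()
```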
While it's obviously not a total solution, I do think that maybe the permissions prompt should be a bit more scary: https://developers.google.com/web/updates/images/2016-03-02-...
I'd rephrase that to something more along the lines of "example.com wants full control of". Maybe with an option for device manufacturers to opt-in to support for WebUSB, allowing for protocol enhancements to improve security and a less scary permissions prompt.