by mfontani 3036 days ago
> - Don't use U2F because FireFox doesn't support it

It does! Open about:config and switch security.webauth.u2f to true. It'll Just Work.

I've in the recent past modified a barebones Perl webapp to try and understand U2F better, see https://u2fdemo.darkpan.com/

I've been able to log in / use U2F from:

* FF on Windows and OSX

* Chrome on Windows, OSX

* Chrome on Android using either an OTG cable for a U2F USB key, a Bluetooth U2F key, or an NFC U2F key (works if you install Google Authenticator)

* Unfortunately, not FF on Android as I can't find how to enable U2F there yet :/


It works, but only partially, and is still very very broken, which is why it is disabled in the first place. See also this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1065729
Nonsense. It works fine on GitHub, Fastmail, Gandi... it doesn't work on Google because Google uses a different spec. That bug is about making Firefox compatible with the variation that Chrome/Google uses.
That bug mentions that Facebook is also broken.

I am kind of surprised that the sites you mention can implement the spec correctly but Facebook and Google can't.

Google is notorious for not following spec.

In this case, though, what happened is that Google implemented a different, earlier version of the spec than most everyone else. Mozilla is busy implementing that spec as well to bridge the gap.

Google's CardDAV server isn't standards compliant (2014) https://news.ycombinator.com/item?id=16412730

I'm not surprised.

Firefox barely supports U2F. It works on GitHub and Dropbox, but doesn't work on sites like Vanguard and Google. Every time I do a Firefox update I do a search of the bug listing and they seem to have an incomplete implementation of the spec. They're kicking the can until they fully implement the WebAuth API and jump over dealing with whatever earlier spec they were targeting.

Speaking of which, why does Vanguard force you to still have SMS two-factor available even when you add a U2F device...

> Firefox barely supports U2F.

Haha, it's funny you put it this way, because actually it's Firefox that implements the FIDO U2F standard correctly and Chrome does not. Chrome uses a low-level API to communicate with its built-in extension, and the high-level shim it provides is not 100% spec compliant.

Google did not bother to use U2F correctly on their accounts site; GitHub, for example, did it correctly, and their 2FA works in any browser (that is, FF and Chrome).

The usual rationale from companies forcing SMS two-factor is that you need to have a convenient account-recovery mechanism before you enable something strict and lock yourself out. They don't want the support cost of dealing with these lockouts.

Unfortunately, these same companies often then claim that there is no harm in SMS two-factor since "clearly it is stronger than one factor". But they are blind to their own systematic design flaw, which is that the same SMS setting that enables two-factor also usually enables one-factor password recovery via this supposedly trusted phone.

Given what we know about SMS security, it is pretty obvious that one-factor SMS is weaker than a one-factor good strong password. And if the good strong password can be merrily reset by whoever hijacks your phone, you have really just decreased your security posture while performing this whole security theater around two-factor and hardware tokens.

SMS is already 2FA. You need the SIM card and the PIN code. Hence a hijacked phone could be seen as stronger than a 1FA password.
Unfortunately the network security is kind of a joke so an attacker can intercept your messages if he is near you.

Not to mention that traffic inside the network is not encrypted so a lot of parties have legitimate access to the messages anyway.

I understand your point but SMS should not be used as the only factor for authentication.

Correct me if I am wrong, but these SMS-based login setups are only sending a message to your phone number. It's about as secure as sending an email to your email address. There is no end-to-end security between the original sender and the subscriber's phone and SIM card to ensure that the message only gets to the correct recipient.

You only need to hijack the victim's phone number so that messages are sent elsewhere. This can be done by technical or social hacks such as porting the subscriber's number to a new provider or pretending a phone was lost and having the phone company register a replacement SIM. There is no need to physically intercept the victim's phone, so it is not in fact a second factor.

Google is the one that isn't compliant.

Firefox is compliant.

Does it actually not work on Vanguard... or is it that Vanguard does user-agent sniffing and says Firefox is not compatible?
> It does! Open about:config and switch security.webauth.u2f to true. It'll Just Work.

Unfortunately for a large number of users that effectively means it doesn't work.

> Chrome on Android using either a OTG cable for a U2F USB key

Which key did you use? I tried a YubiKey 4 (via OTG cable) and a 4C (directly), and the U2F flow with Authenticator did not work (it was as if the key would not be recognized for U2F).

OK, scratch that, use Firefox then.

But still, hardly anything supports U2F :-(

Not everything supports U2F, but plenty of things do, many of them high value services:

http://www.dongleauth.info/