by pfg 3028 days ago
Convincing users to grant access to a USB device when they're attempting to log in to a service using said USB device sounds like something that would work more often than not. We wouldn't need phishing-resistant authentication methods if humans were good enough at making those kinds of decisions.

I have to admit that in all of my use of my Yubikey Neo in Chrome I don't recall ever being asked for permission to access the device. Firefox hasn't asked either.
I'm not saying that you need to grant any kind of permission in order to use U2F tokens, but rather that a user thinking "I want to log in to Google" and "I need to use that USB key thingy to do that" is quite likely to accept a prompt that requests access to the U2F device.
Sorry, I guess what I was getting at is that in hindsight I'm surprised no browser ever explicitly asked me for access to the Yubikey or told me why it needed it. I've just blindly trusted it because of the few sites I use it with.

On the other hand, it's basically functioning as another keyboard device and not a special USB device so it shouldn't be that surprising, right? (serious question)