by superdaniel 3030 days ago
Firefox barely supports U2F. It works on GitHub and Dropbox, but doesn't work on sites like Vanguard and Google. Every time I do a Firefox update I do a search of the bug listing, and they seem to have an incomplete implementation of the spec. They're kicking the can until they fully implement the WebAuthn API and jump over dealing with whatever earlier spec they were targeting.

Speaking of which, why does Vanguard force you to still have SMS two factor available even when you add a U2F device...

4 comments

> Firefox barely supports U2F.

Haha, it's funny you put it this way, because actually it's Firefox that implements the FIDO U2F standard correctly and Chrome does not. Chrome uses a low-level API to communicate with its built-in extension, and the high-level shim that it provides is not 100% spec compliant.

Google did not bother to use U2F correctly on their accounts site; GitHub, for example, did it correctly, and their 2FA works in any browser (that is, FF and Chrome).

The usual rationale from companies forcing SMS two factor is that you need to have a convenient account-recovery mechanism before you enable something strict and lock yourself out. They don't want the support cost of dealing with these lockouts.

Unfortunately, these same companies often then claim that there is no harm in SMS two factor since "clearly it is stronger than one factor". But they are blind to their own systematic design flaw, which is that the same SMS setting that enables two factor also usually enables one-factor password recovery via this supposedly trusted phone.

Given what we know about SMS security, it is pretty obvious that one-factor SMS is weaker than a one-factor good strong password. And if the good strong password can be merrily reset by whoever hijacks your phone, you have really just decreased your security posture while performing this whole security theater around two-factor and hardware tokens.

SMS is already 2FA. You need the SIM card and the PIN code. Hence a hijacked phone could be seen as stronger than a 1FA password.
Unfortunately, the network security is kind of a joke, so an attacker can intercept your messages if he is near you.

Not to mention that traffic inside the network is not encrypted so a lot of parties have legitimate access to the messages anyway.

I understand your point but SMS should not be used as the only factor for authentication.

Correct me if I am wrong, but these SMS-based login setups are only sending a message to your phone number. It's about as secure as sending an email to your email address. There is no end-to-end security between the original sender and the subscriber's phone and SIM card to ensure that the message only gets to the correct recipient.

You only need to hijack the victim's phone number so that messages are sent elsewhere. This can be done by technical or social hacks such as porting the subscriber's number to a new provider or pretending a phone was lost and having the phone company register a replacement SIM. There is no need to physically intercept the victim's phone, so it is not in fact a second factor.

Google is the one that isn't compliant.

Firefox is compliant.

Does it actually not work on Vanguard... or is it that Vanguard does user-agent sniffing and says Firefox is not compatible?
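The last comment's question (does the site check what the browser can do, or only what its user-agent string says?) is the difference between capability detection and user-agent sniffing. The following is an added example, not code from Vanguard, Firefox, Chrome or any commenter: it detects security-key support by probing for the WebAuthn objects (`PublicKeyCredential`, `navigator.credentials.get`) and, failing that, the legacy `window.u2f` shim, and contrasts that with a constructed UA-sniffing check. The browser-like object is passed in as a parameter so the logic can be exercised on constructed stand-ins outside a browser; the stand-in objects and the sniffing regex are assumptions for illustration.

```javascript
// Capability detection for hardware security keys (added example, not code from
// any site or browser discussed in the thread). Pass `window` in a real page.
function detectSecurityKeySupport(win) {
  if (!win) return 'none';
  const nav = win.navigator;

  // WebAuthn: PublicKeyCredential is the constructor browsers expose when they
  // implement the standard, and navigator.credentials.get() is how a relying
  // party requests an assertion from a registered authenticator.
  if (typeof win.PublicKeyCredential === 'function' &&
      nav && nav.credentials && typeof nav.credentials.get === 'function') {
    return 'webauthn';
  }

  // Legacy FIDO U2F JavaScript API: window.u2f with register()/sign(). Per the
  // thread, browser-provided shims for this API are not uniformly spec
  // compliant, so it is only a fallback when WebAuthn is absent.
  if (win.u2f && typeof win.u2f.register === 'function' &&
      typeof win.u2f.sign === 'function') {
    return 'u2f-legacy';
  }

  return 'none';
}

// Contrast: user-agent sniffing. The allow-list here is a constructed
// assumption, but the failure mode is general: a browser whose UA string the
// list did not anticipate is reported as unsupported no matter what it can do.
function uaSniffSupportsSecurityKey(userAgent) {
  return /Chrome\//.test(userAgent);
}

// Constructed stand-ins for offline testing (not captured from real browsers).
// A Firefox-like browser with WebAuthn but no legacy window.u2f object.
const fakeWebAuthnBrowser = {
  PublicKeyCredential: function PublicKeyCredential() {},
  navigator: {
    credentials: { get: async () => null, create: async () => null },
    userAgent: 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0',
  },
};

// A browser exposing only the legacy high-level U2F shim.
const fakeLegacyU2fBrowser = {
  u2f: { register: () => {}, sign: () => {} },
  navigator: { userAgent: 'constructed/legacy-u2f' },
};

// A browser with neither API.
const fakeBareBrowser = { navigator: { userAgent: 'constructed/bare' } };

// Run as a script: shows that the two approaches disagree on the Firefox-like
// browser, which is exactly the situation the last comment asks about.
function compareApproaches(win) {
  return {
    capability: detectSecurityKeySupport(win),
    uaSniff: uaSniffSupportsSecurityKey(win.navigator.userAgent),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(compareApproaches(fakeWebAuthnBrowser));
  console.log(compareApproaches(fakeLegacyU2fBrowser));
  console.log(compareApproaches(fakeBareBrowser));
}
```

In a page, `detectSecurityKeySupport(window)` returning `'webauthn'` is the signal to offer the hardware-key option; the UA string never enters into it, so a browser that gains the API in an update is recognised without a site-side change.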