[sGatling1788]

Am I only the one who is disappointed in the seemingly stalling of traction for U2F? Google, Github, and Facebook supported U2F 2 years ago - so all I can see is Twitter, Dropbox and niche security news like KrebsOnSecurity.com have added support since then? Sure it's something, but 2 years I would have expected more - Who am I missing? Without more websites, consumer mass market has little incentive to adopt - and without users, websites have little incentive to support U2F - thereby furthering the stalling.

[tpaschalis]

Well, maybe I'm over-reaching, but I think that most banking "security" sucks.

Last month I tried to make an e-banking account in South Europe. In 2018.

- They required "6-12 characters as a password, and no special characters". You can't hash special chars?

- Apparently it's okay, because "2FA". Which is a "changeable via a call" 4-digit-code, which the bank employee knows "only" two digits.

I'd be far more inclined to trust Twitter or GitHub than my bank with my data.

[matheusmoreira]

In my country, many banks force people to install "security modules" which includes a driver that monitors their network. There is no privacy policy.

[packet_nerd]

I needed a new bank and thought surely there will be one that offers U2F.. days of searching later, and I still have yet to find one that does. It seems like the vast majority of online banks don't even support any kind of 2FA except email/text. Really really sad.

For regular guys like me, I can't think of any online service more important to protect than my bank account.

[sGatling1788]

From https://twofactorauth.org/#banking, the only American or Canadian bank that supports a Hardware Token is Wells Fargo - which only seems to support RSA SecurID: https://www.wellsfargo.com/privacy-security/advanced-access

[macintux]

Banks seem very slow to adapt to technology. My credit union for years after the release of the first iPhone still used a Flash login, although they did have a mobile login link you could get from them by asking.

[jakubp]

FWIW, in Poland some banks started using 2FA (many different types) several years before Google or any other site I know of.

[Arainach]

Vanguard supports U2F. https://investor.vanguard.com/security/security-keys

[everybodyknows]

Yet only Chrome is supported -- and this does not include chromium-browser on Linux.

[rendaw]

It sounds like they force you to use a phone/email code when you log in from a new device? Or am I reading that wrong.

[bsder]

> Am I only the one who is disappointed in the seemingly stalling of traction for U2F?

The problem is that all of these things are a PITA to administer.

I wanted a VPN between our two offices. Cool. I'll buy some YubiKeys, type some command line magic on Linux and I'll be good to go ...

Pschye!

This stuff is fine if you have 100+ people and the resources to administer.

If you simply want to manually distribute stuff to <10 people, it's a nightmare.

Until I can set up something easily at the 10-person level and scale it gradually to 100+, this stuff is going to remain tractionless.

[pat2man]

U2F was never fully supported in browsers making it hard for sites to deploy it everywhere. The new WebauthN standard is going to be supported everywhere which makes it more likely that sites will actually use it.

[paxy]

Something like U2F is never going to find mass success in a consumer application. Every enterprise auth provider supports it, which is its major use case for now.