[jrockway]

What sites could you sign into with a cryptographic second factor before Google launched U2F? All that was out there were easily-phishable TOTP tokens. Now you can register a security key and use it as a second factor on desktops and phones. It's pretty impressive, though unfortunate that ultimately the industry picked a similar-but-different standard.

What sites currently let me authenticate with WebAuthn? (Github still uses U2F, it seems.)

[phren0logy]

Dropbox uses WebAuthn. They are, as far as I can tell, the most significant site using it currently.

[ecesena]

Microsoft also supports passwordless login, the "novelty" of FIDO2. I just found it out yesterday reading this article [1], page 3 (it's in German).

Disclaimer: I make the Solo key that's mentioned in the article.

[1] https://www.golem.de/news/fido-sticks-im-test-endlich-schlec...

[agwa]

> What sites currently let me authenticate with WebAuthn? (Github still uses U2F, it seems.)

https://login.gov

[taeric]

Can I, though? I asked https://news.ycombinator.com/item?id=19316509 to see if there was a way to build a habit out of my security token. Not only did I not get responses there, but I haven't actually found that many places that support using a u2f token. There are an some that support it ok, but all require me to use chrome and none seem to support using it at least once a day. (Or anything like that.)

[ecesena]

re: your thread.

Today the backup practice is to enable 2 keys in all accounts: one that you keep with yourself, the other that you leave in a safe.

There's been some experiments of creating copies of the master secret, e.g. [1]. Today you can do so either w/ u2f zero or with its upgrade solo hacker (note the hacker version), but we currently don't support it officially.

My personal advice as of now is to always have security key(s) + totp code. The security keys protect you against phishing, so if you click on an email link and get prompted for login, you're either safe (if you use the security key) or at least reminded about the risk (if you're used to use the security key but you don't have it with you at the moment). Viceversa, if you're directly logging into a website and you typed the url yourself, then totp offers the same security, so it's a totally valid alternative. Hope this makes sense.

[1] https://dmitryfrank.com/articles/backup_u2f_token

[taeric]

Ok, I thought the whole point was that I couldn't get a secret off a token. :(

My biggest concern is that I don't have a solid method to build the habit of using the devices. I started using pass to generate and store passwords. That doesn't work with just u2f keys, though. That I could tell.

[will4274]

> What sites currently let me authenticate with WebAuthn?

Microsoft sites like Outlook and OneDrive.

[alfalfasprout]

Duo push works decently well and is far more secure than eg; TOTP.