by jkirsteins 2485 days ago
It's cool that it uses U2F, but unfortunately it does not bind to the hardware, which undermines the point a little bit.

In a similar vein, here's a TOTP client (unfortunately no U2F/WebAuthn) that can bind the secrets to the hardware (on TouchID Macs): https://github.com/sqreen/twofa (disclaimer: I'm the author)


IMO binding to the hardware is not a huge security benefit. Suppose you have a security key that can auth to service X and then your device is compromised. The attacker can install malware that will simply wait until you auth that service, and then just make it look like your web browser crashed and hijack the session. The difference between having the private key and having an authenticated session is marginal.

OTOH, the anti-phishing/shoulder surfing benefits of U2F are substantial and eliminate the ability to perform very common attacks. This is a great piece of software.

What's the difference between software U2F and software password manager that auto-fills TOTP tokens?
Sure, that's one threat scenario, but aren't there others?

It seems like a hardware key helps when using a machine temporarily, and it gets compromised after you use it.

Hardware based is of course better, but if we're comparing "hardware-based OTP" and "software-based U2F", the latter is better for practically everyone.
Hijacking the session can be a lot harder (especially if the site has defenses built to detect that) than stealing a key. The access is also a lot less persistent.
Pass the cookie attacks are problematic (e.g. in case someone already has root access, which is the concern here).

A hacker will just wait until after auth and steal your cookies.

Actually, this project supports that as well.

https://github.com/github/SoftU2F/pull/29

Not sure why they don’t explain that in their readme.