by bradfa 1684 days ago
I've used a U2F dongle for my 2FA with Google for a few years. I've been enrolled in the Google Advanced Protection program for a while. I don't have any issues around Google logins, just plug in my U2F dongle and press the button or hold the dongle near my phone for NFC to do its magic.

Another benefit is that I'm much less likely to lose my U2F dongle as it's on my physical keychain (and has been, for years, without damage) than I am to need to replace or wipe my phone (although a password manager with 2FA codes in it also avoids this).

4 comments

For anyone who says, "But what if $WORKPLACE doesn't allow you to plug in USB dongles or use NFC!?!" my counter is then maybe you shouldn't be logging into your personal Google account on that PC. And you probably have an IT department who already have a solution for 2FA that you're required to use.
Also, just because you aren't allowed to plug in "USB dongles" such as flash drives, does not mean FIDO authenticators [the things needed to make WebAuthn or its predecessor U2F work] won't work.

A FIDO authenticator is actually a USB HID class device, like a keyboard‡. So, if your $WORKPLACE doesn't allow you to plug in keyboards then, OK, I guess maybe a FIDO dongle isn't worth trying, but few people are in that situation.

If your employer has a policy of specifically issuing and authorising only particular devices (e.g. you can pick from a list of 3 Dell branded keyboards and 2 Logitech keyboards and anything else needs HR director override) then seems like it's time for them to authorise and issue a nice high quality FIDO authenticator. Yubico make some eye-wateringly expensive models, maybe they should pick those.

‡ "Like" a keyboard but it isn't a keyboard. The FIDO protocols don't involve keypresses, the device is just HID class because well, it's a Human Interface Device, seems legit. It sets protocol to 0xFF custom, and needs dedicated software to use that, which is fine.
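The comment above turns on how a host tells a FIDO authenticator apart from a keyboard. Both enumerate as HID class, so the distinguishing information is in the HID report descriptor: the FIDO CTAP HID specification assigns authenticators the usage page 0xF1D0 with usage 0x01, while a keyboard reports usage page 0x01 (Generic Desktop) with usage 0x06. The following is an added example, not code from the thread or from any vendor; it parses constructed report descriptors and labels each device, which is the kind of check a USB allow-listing policy could apply. The descriptor bytes, function names and labels are this example's own.

```python
# Added example: classify a USB HID device from its report descriptor.
# The three descriptors are constructed for this example. The FIDO one follows
# the layout published in the FIDO CTAP HID specification (usage page 0xF1D0,
# usage 0x01, 64-byte input and output reports); the keyboard one is the
# classic boot-protocol keyboard layout; the vendor one uses a vendor-defined
# usage page (0xFF00..0xFFFF).

FIDO_USAGE_PAGE = 0xF1D0
FIDO_USAGE_CTAPHID = 0x01
GENERIC_DESKTOP_PAGE = 0x01
KEYBOARD_USAGE = 0x06
MOUSE_USAGE = 0x02

FIDO_DESCRIPTOR = bytes([
    0x06, 0xD0, 0xF1,  # Usage Page (FIDO Alliance, 0xF1D0)
    0x09, 0x01,        # Usage (CTAPHID)
    0xA1, 0x01,        # Collection (Application)
    0x09, 0x20,        # Usage (Input Report Data)
    0x15, 0x00,        # Logical Minimum (0)
    0x26, 0xFF, 0x00,  # Logical Maximum (255)
    0x75, 0x08,        # Report Size (8)
    0x95, 0x40,        # Report Count (64)
    0x81, 0x02,        # Input (Data, Variable, Absolute)
    0x09, 0x21,        # Usage (Output Report Data)
    0x15, 0x00, 0x26, 0xFF, 0x00, 0x75, 0x08, 0x95, 0x40,
    0x91, 0x02,        # Output (Data, Variable, Absolute)
    0xC0,              # End Collection
])

KEYBOARD_DESCRIPTOR = bytes([
    0x05, 0x01, 0x09, 0x06, 0xA1, 0x01,              # Generic Desktop / Keyboard
    0x05, 0x07, 0x19, 0xE0, 0x29, 0xE7, 0x15, 0x00,  # modifier keys
    0x25, 0x01, 0x75, 0x01, 0x95, 0x08, 0x81, 0x02,
    0x95, 0x01, 0x75, 0x08, 0x81, 0x01,              # reserved byte
    0x95, 0x06, 0x75, 0x08, 0x15, 0x00, 0x25, 0x65,  # six key codes
    0x05, 0x07, 0x19, 0x00, 0x29, 0x65, 0x81, 0x00,
    0xC0,
])

VENDOR_DESCRIPTOR = bytes([0x06, 0x00, 0xFF, 0x09, 0x01, 0xA1, 0x01, 0xC0])


def parse_items(descriptor):
    """Yield (item_type, tag, size, value) for each item in a HID report descriptor.

    Short items: prefix byte = tag(4) | type(2) | size(2), size code 3 means 4 bytes.
    Long items (prefix 0xFE) carry their own length and are skipped.
    """
    i, n = 0, len(descriptor)
    while i < n:
        prefix = descriptor[i]
        if prefix == 0xFE:
            i += 3 + descriptor[i + 1]
            continue
        size = prefix & 0x03
        size = 4 if size == 3 else size
        data = descriptor[i + 1:i + 1 + size]
        if len(data) != size:
            raise ValueError("truncated HID item at offset %d" % i)
        yield (prefix >> 2) & 0x03, (prefix >> 4) & 0x0F, size, int.from_bytes(data, "little")
        i += 1 + size


def top_level_usages(descriptor):
    """Return [(usage_page, usage)] for each top-level (application) collection."""
    usage_page, pending, depth, found = None, [], 0, []
    for item_type, tag, size, value in parse_items(descriptor):
        if item_type == 1 and tag == 0x0:      # Global: Usage Page
            usage_page = value
        elif item_type == 2 and tag == 0x0:    # Local: Usage (4-byte form embeds its page)
            pending.append((value >> 16, value & 0xFFFF) if size == 4 else (usage_page, value))
        elif item_type == 0 and tag == 0xA:    # Main: Collection
            if depth == 0:
                found.append(pending[0] if pending else (usage_page, None))
            depth += 1
            pending = []
        elif item_type == 0 and tag == 0xC:    # Main: End Collection
            depth -= 1
            pending = []
        elif item_type == 0:                   # Input/Output/Feature consume local usages
            pending = []
    return found


def classify(descriptor):
    """Label a device by the usage page/usage of its first application collection."""
    usages = top_level_usages(descriptor)
    if not usages:
        return "no-application-collection"
    page, usage = usages[0]
    if page == FIDO_USAGE_PAGE and usage == FIDO_USAGE_CTAPHID:
        return "fido-authenticator"
    if page == GENERIC_DESKTOP_PAGE and usage == KEYBOARD_USAGE:
        return "keyboard"
    if page == GENERIC_DESKTOP_PAGE and usage == MOUSE_USAGE:
        return "mouse"
    if page is not None and 0xFF00 <= page <= 0xFFFF:
        return "vendor-defined"
    return "other"


if __name__ == "__main__":
    for name, desc in [("fido", FIDO_DESCRIPTOR), ("keyboard", KEYBOARD_DESCRIPTOR),
                       ("vendor", VENDOR_DESCRIPTOR)]:
        print(name, "->", classify(desc))
```

On a real host the descriptor bytes come from the operating system's HID layer rather than from constants, but the classification logic is the same: an allow-list that admits usage page 0xF1D0 lets authenticators through without admitting mass-storage devices, which are not HID class at all and never reach this check.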

Some work machines have all external ports glued shut and the mouse/keyboard are non-removable to prevent data exfiltration. Though you shouldn't be logging into personal accounts on those machines anyway.
This is quite a flippant response. These requirements are being put in place against (some) users' will. Simply changing email providers isn't exactly easy and maybe they need to access that account. Maybe Google should allow users to turn this off?
I've had the same experience. Signed up for Advanced Protection Program not long after it was announced and I've been very happy with my MFA experience with Google for years now.
If you use a Google Titan Key with Apple devices, have you been able to pair and successfully authenticate using either (1) bluetooth only, or (2) NFC only, on any Apple device?

I have not, and it's frustrating that Google offers no support beyond their help pages for their own branded hardware.

I use a few Yubikeys and a Bluetooth Feitian key with my iPhone 8. My wife uses a Google Titan USB key and Bluetooth key for her Apple devices. Our iPads are too old to have NFC, but the Bluetooth paired fine with Google's Smart Lock app and we've used that.

For our iPhones, the NFC has worked fine even without the Smart Lock app. I believe Google phased Smart Lock out some time ago but I've not tried using it in a while, I don't use an iPad very often.

Yes, the bluetooth titan key definitely worked for me and my wife on our iPhones. I think NFC did too but I haven't had to reauthenticate my iPhone in ages so I don't remember for sure.
What's your plan for when your dongle is lost/stolen/destroyed? Many U2F devices cannot be backed up and they recommend that you register with 2 separate devices. But while that is possible, it certainly doesn't scale and really is useless advice for the general case.
I have 3 U2F devices. My wife has 2. For any U2F logins we have, we have enrolled all of our dongles in each login.

At least one of each of our devices is always stored at home in a safe place, where we store other valuable documents. If either of us lose one device, we will buy a new U2F dongle, enroll the new dongle, and unenroll the old lost/missing/stolen dongle from each of the services we use.

You can't back up a U2F dongle, but so far everywhere I've enrolled to use one it always recommends you enroll at least 2 and keep one in a safe place.

Can you elaborate on it not scaling? Keeping a spare is a pretty common pattern; see tires, house keys, emergency supplies.
Mind sharing which U2F dongle and phone you use?

I haven't been able to get any Google Titan Key to work with any Apple device via NFC.

I have a Yubikey 5, Yubikey 4, and a Feitian Bluetooth key, the Feitian is basically the unbranded Google Titan Bluetooth key. Both work fine, although I haven't used the Bluetooth one in a while. I use my Yubikey 5 on a regular basis.

I use an iPhone 8.