Support for FIDO U2F authentication


#1

An interesting idea would be to extend the already awesome 2-factor authentication and add support for FIDO U2F.
It’s more secure and even easier to use. As it is a cutting-edge technology, only a few major players have implemented it. But it could be a really good feature for Preside.

In a nutshell:

Buy a USB dongle, plug it in, press a button, be authenticated.
Works with NFC + a smartphone as well to authenticate on the mobile device (depends on the dongle)

Infos:


Products:

https://hypersecu.com/products/hyperfido

Comparison to one-time passwords (OTP)

Implementation

Good starting point for development (Java + js libs exist):
https://developers.yubico.com/U2F/


#2

What Jan said. Bought a HyperFIDO stick a few weeks back for 8 EURs or so to protect some logins. Popular sites supporting it are Google and Dropbox, but it would be a nice cutting-edge thing if PresideCMS had support, too. The standard supports implementations with or without passwords. FIDO have, amongst others, a JavaScript reference implementation that can be used.


#3

Can the dongle be used then for multiple different sites? Do you register something about the dongle with those sites?


#4

Yes the dongle can be used for multiple sites and services. There’s no central service involved and it would even work without a public internet connection. Basically it works like this.

Dongle registration:

  • Website user wants to use a dongle
  • Server (e.g. the Preside installation) generates a “register new site” request and sends it to the user’s browser
  • The browser passes the request on to the dongle (currently via Chrome natively or a Firefox plug-in) and the dongle creates a new public/private key pair (which is unique to the dongle, the server and the user’s account) stored in the dongle
  • The public key is sent back to the server and associated with the user’s account.

Login:

  • The user is asked to enter their username (and password - depending on the implementation) and to insert the dongle
  • The server sends a challenge to the browser and the user is asked to press the key on the dongle
  • The dongle responds to the challenge and sends the response back to the server
  • The server verifies the response using the previously stored public key and lets the user in if things are good

There should be a recovery option in case the user loses the dongle. Google solves this by additionally allowing traditional OTPs via SMS or Authenticator and static recovery keys to be kept by the users.
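
The registration and login exchanges described in #4, as an added worked example (not part of the thread, and not Preside’s or Yubico’s code): a self-contained Go simulation with the dongle and the server as separate parties, runnable offline. Every name in it is an assumption: the site https://preside.example, the user "jan", and a phishing origin https://preside-login.example. Two simplifications relative to the U2F spec are marked in the comments: the challenge parameter is SHA-256 over challenge||origin rather than over the JSON client-data blob a real browser produces, and the attestation certificate a real token returns at registration is left out. The bytes the dongle signs at login (application parameter || user-presence byte || 4-byte big-endian counter || challenge parameter) follow the U2F raw message format. The example shows the three checks the post’s claims rest on: the dongle only answers for the application parameter it registered under (the browser, not the page, derives that parameter from the origin, so a phishing page gets nothing signed), the server verifies with the stored public key over parameters it computes itself, and the counter must increase, which catches a replayed response or a cloned token.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Dongle: a P-256 key pair per registration, kept under an opaque handle and bound to the
// application parameter (SHA-256 of the appId) it was minted for, plus one signature counter.
type Dongle struct {
	keys    map[string]*ecdsa.PrivateKey
	apps    map[string][32]byte
	counter uint32 // bumped on every button press
}
// Server (the relying party, e.g. Preside) keeps only public data per account.
type Server struct {
	AppID    string // assumption: the appId is the site origin
	handles  map[string][]byte
	pubs     map[string]*ecdsa.PublicKey
	counters map[string]uint32 // highest counter seen so far
}
func NewDongle() *Dongle { return &Dongle{map[string]*ecdsa.PrivateKey{}, map[string][32]byte{}, 0} }
func NewServer(id string) *Server { return &Server{id, map[string][]byte{}, map[string]*ecdsa.PublicKey{}, map[string]uint32{}} }
func concat(parts ...[]byte) []byte { return bytes.Join(parts, nil) }
func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

// Parameters the browser derives from the origin of the page that asked; the page cannot choose them.
// (Simplification: real U2F hashes a JSON client-data blob {typ, challenge, origin} that the server also inspects.)
func appParam(origin string) [32]byte { return sha256.Sum256([]byte(origin)) }
func chalParam(c []byte, origin string) [32]byte { return sha256.Sum256(concat(c, []byte(origin))) }

// Register mints a key pair bound to app and returns an opaque handle plus the 65-byte public key.
// (A real token also returns an attestation certificate and a signature over these; omitted here.)
func (d *Dongle) Register(app [32]byte) (keyHandle, pubKey []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	keyHandle = randBytes(32)
	d.keys[string(keyHandle)], d.apps[string(keyHandle)] = priv, app
	return keyHandle, elliptic.Marshal(elliptic.P256(), priv.X, priv.Y), nil
}

// Authenticate refuses handles not minted for this app (the phishing defence), then signs
// app || userPresence || counter || chal. Wire response: presence(1) || counter(4) || DER sig.
func (d *Dongle) Authenticate(app, chal [32]byte, keyHandle []byte) ([]byte, error) {
	priv, ok := d.keys[string(keyHandle)]
	if !ok || d.apps[string(keyHandle)] != app { return nil, errors.New("dongle: handle not registered for this app") }
	d.counter++ // the button press
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, d.counter)
	h := sha256.Sum256(concat(app[:], []byte{0x01}, ctr, chal[:]))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return concat([]byte{0x01}, ctr, sig), err
}

func (s *Server) FinishRegistration(user string, keyHandle, pubKey []byte) error {
	x, y := elliptic.Unmarshal(elliptic.P256(), pubKey) // nil unless a valid point on the curve
	if x == nil { return errors.New("server: malformed public key") }
	s.handles[user], s.pubs[user] = keyHandle, &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}
	return nil
}

// FinishLogin: presence bit set, signature valid over the parameters as *this* site computes them, counter moved on.
func (s *Server) FinishLogin(user string, challenge, resp []byte) error {
	pub, ok := s.pubs[user]
	if !ok { return errors.New("server: no dongle registered for user") }
	if len(resp) < 5 || resp[0]&1 == 0 { return errors.New("server: user presence not asserted") }
	app, chal := appParam(s.AppID), chalParam(challenge, s.AppID)
	h := sha256.Sum256(concat(app[:], resp[:1], resp[1:5], chal[:]))
	if !ecdsa.VerifyASN1(pub, h[:], resp[5:]) { return errors.New("server: bad signature") }
	counter := binary.BigEndian.Uint32(resp[1:5])
	if counter <= s.counters[user] { return errors.New("server: counter did not increase (replay or cloned dongle)") }
	s.counters[user] = counter
	return nil
}

// Flow registers at the real site, logs in from a page at loginOrigin, then replays the response. Real
// origin: login ok, replay rejected. Phishing page: different app parameter, so the dongle refuses.
func Flow(loginOrigin string) error {
	const site = "https://preside.example" // assumption: hypothetical site and user name
	srv, dongle := NewServer(site), NewDongle()
	kh, pk, err := dongle.Register(appParam(site))
	if err != nil { return err }
	if err = srv.FinishRegistration("jan", kh, pk); err != nil { return err }
	challenge := randBytes(32) // fresh per login; the server keeps it until the response arrives
	resp, err := dongle.Authenticate(appParam(loginOrigin), chalParam(challenge, loginOrigin), srv.handles["jan"])
	if err != nil { return err }
	if err = srv.FinishLogin("jan", challenge, resp); err != nil { return err }
	if srv.FinishLogin("jan", challenge, resp) == nil { return errors.New("replayed response accepted") }
	return nil
}

func main() { fmt.Println("real site:", Flow("https://preside.example"), "| phishing page:", Flow("https://preside-login.example")) }
```

Run it with `go run`: the first call returns nil, the second the dongle’s refusal. Two practical points fall out of the code: the server stores no secret at all (a dump of its user table gives an attacker nothing to replay, unlike a table of OTP seeds), and the per-credential counter has to be persisted, since it is the only thing that distinguishes a replayed or cloned response from a fresh press.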


#5

That’s awesome - the browser -> dongle bit was what I was missing. Be interesting to see that in action. Wonder if it works in Linux…


#6

It does on my Ubuntu 12.04


#7

Flow from: https://www.yubico.com/about/background/fido/


#8

Wowzers, 12.04! I’ll have to get me one to play with.

Update

I got me one. Awesome. I have it securing my lastpass and github (can’t do my google accounts because I use Firefox…sigh). Defo worth creating a 2FA implementation for it.