Get a U2F key right now and log into stuff with it

published by Eric Mill on
This is a stock photo, but it's the same model I own.

Update: Since posting this, Dropbox and GitHub have both added support for U2F keys. Microsoft Edge has begun development on integrating U2F. Mozilla hasn't made any announcements, but this is Firefox's tracking bug for the feature.

I just got a U2F security key, for less than $20, to use as the second factor to log into my Google account. My model is by Yubico, sometimes called a "Yubikey". It's a super-light USB wafer you put into your computer, with a button you tap to log in to websites.

This is a new thing: Google just recently announced support for security keys for their login system. Chrome is the first to ship support for them, but other browsers should follow soon.

These keys are based on an open standard, and you should absolutely use one instead of Google Authenticator or SMS. For one, the usability of "just push the button" is a hell of a lot better than fishing out your phone, opening an app, and typing in a 6-digit number. For another, the keys use fancy crypto to completely protect you from phishing and tracking:

In the case of U2F, the device creates a public/private key pair for each site and burns the site's identity into the "Key Handle" that the site is supposed to use to request authentication. Then, that site identity is verified by the browser each time before any authentication is attempted. The site identity can even be tied to a specific TLS public key. And since it's a challenge-response protocol, replay is not possible either. And if the server accidentally leaks your "Key Handle" in a database breach, it still doesn't affect your security or reveal your identity.

Employing this device effectively eliminates phishing as a possibility, which is a big deal to a security-sensitive organization.

The keys also never identify themselves to the site, meaning that no one can track use of the same key across multiple websites — even the site owners themselves.
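The per-site key pairs, the browser's origin check and the challenge-response step described above, as an added simulation (not the post's code and not a real token's firmware): the token files one P-256 key per registration under (app ID, random handle), the browser refuses a page origin that does not match the app ID, and the server verifies a signature bound to its own app ID and challenge. Real tokens derive the per-site key from a master secret and the app ID rather than storing it, and the clientData string here is a stand-in for the real JSON; the site names are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Device models a U2F token (constructed example): one fresh P-256 key pair per registration,
// filed under (app ID, random handle) so a handle resolves only with the app ID it was minted for.
type Device map[string]*ecdsa.PrivateKey

// Register mints a key pair for appID; the site stores the returned key handle and public key.
func (d Device) Register(appID string) (string, *ecdsa.PublicKey) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	raw := make([]byte, 16)
	rand.Read(raw)
	handle := fmt.Sprintf("%x", raw) // random: nothing in it links this token across sites
	d[appID+":"+handle] = priv
	return handle, &priv.PublicKey
}

// signedData is what the token signs: SHA-256(appID) || SHA-256(clientData), the client data
// carrying the page origin and the server's challenge. This binding is the anti-phishing step.
func signedData(appID, origin string, challenge []byte) []byte {
	app := sha256.Sum256([]byte(appID))
	client := sha256.Sum256([]byte(origin + "|" + string(challenge))) // stand-in for clientData JSON
	sum := sha256.Sum256(append(app[:], client[:]...))
	return sum[:]
}

// Authenticate models browser plus token: the browser refuses unless the page origin matches the
// app ID, and the token refuses a key handle that was not minted for that app ID.
func (d Device) Authenticate(origin, appID, handle string, challenge []byte) ([]byte, error) {
	if origin != "https://"+appID {
		return nil, fmt.Errorf("browser: origin %s does not match app ID %s", origin, appID)
	}
	priv, ok := d[appID+":"+handle]
	if !ok {
		return nil, fmt.Errorf("token: key handle not registered for %s", appID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(appID, origin, challenge))
}

// Verify (server side) recomputes the signed data from its own app ID and challenge, so a signature made for another site or for an older challenge fails.
func Verify(pub *ecdsa.PublicKey, appID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(appID, "https://"+appID, challenge), sig)
}
```

A lookalike origin fails at the browser check before the token ever signs, and a handle minted for one site is simply unknown to the token when presented with another site's app ID.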

It's a great step forward, and you can expect to see more support announcements from major websites in the near future. Just go buy one. I got mine for $18.

The keys will Just Work on Mac and Windows (and recently, on Debian stretch). Unfortunately for Ubuntu users...

Getting it working on Ubuntu

While U2F works out of the box on Debian 9 (stretch), it doesn't yet work on Ubuntu. I also couldn't find a simple set of instructions anywhere. Fortunately, it's extremely easy.

You need to get your computer to recognize the key by adding a udev file to your system and rebooting. Yubico makes this easy by publishing the rules file you need on GitHub:

ACTION!="add|change", GOTO="u2f_end"

KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120", TAG+="uaccess"

# Target of the GOTO above; the rules file is incomplete without it.
LABEL="u2f_end"
Copy the text of that file to /etc/udev/rules.d/70-u2f.rules, and run:

sudo service udev restart

Then unplug and re-plug in the U2F key, and it should work.

If things don't work, well, try rebooting. If that still doesn't work, leave a comment, email me, or edit my blog post to fix it.

  1. nicoo

    1) It's more graceful not to restart udev but simply reload rules: sudo udevadm control --reload-rules.

    2) On Debian, you simply need to be in the group plugdev to be able to access the U2F token.

  2. Eric

    @Devon: Buy two! :) But also, the service should have a backup. For example, Google can fall back to OTP (e.g. Authenticator) if your device is broken or misplaced.

  3. Devon

    ... and what happens if I lose said key?

  4. Chris Adams

    One particularly nice benefit: the next time an OS upgrade or other failure takes out your phone, you won't need to go through the sometimes lengthy MFA reset process. iOS backups will never include Google Authenticator keys by default and even with a password set the keying information may silently be lost rdar://18714034

    I had an iPhone hardware failure a while back and learned the hard way that Google had a multi-year period where the reset process was a web form which submitted to a bouncing email address – good thing I had some printed codes at home…

  5. Kurt Sussman

    How to avoid rebooting:

    service udev restart

    Thanks for the post. I've been looking at these for a few weeks. I'm not yet convinced that I need it, but I'm getting closer.