My workmate Eric alerted me to something he found on a product called the Yubikey, a U2F device that you plug into your laptop/workstation to act as a second factor proof that you are who you are.  I had looked at Yubikey a few years ago, but felt that they were not widely supported back then.  Now they are.  This prompted me to re-review Yubikey and U2F authentication.  The key (sorry) advantages of a U2F key, like Yubikey, are that it saves you typing and it can’t be fooled by bogus websites.  Additionally, you don’t have to use your phone for 2FA and U2F keys are super easy to carry.  That said, there are a few other things to think about.


Losing It

If you use a two-factor app on your phone, like Google Authenticator, and you lose your phone, you have to jump through hoops on each website to set up two-factor authentication again, in addition to the hassle of replacing your phone and getting your apps back on it.  Setting up 2FA again usually involves a lot of e-mails, proving that you at least own your e-mail account.  Losing a Yubikey is much the same process for getting access back into your sites and services, so no real disadvantage or advantage there.


Yubikey suggests that the workaround for losing a Yubikey is to purchase two Yubikeys (of course they do) and register both of them with each site when you first set up 2FA.  The idea is that you would keep the second key as a backup, somewhere safe.  When you lose your primary key (the one you use all of the time), simply log in with the backup key to each site and remove the original key from your security settings.  I am assuming that you would also then purchase another Yubikey as another backup and add it to all of your sites.  So, really, you still have to jump through hoops to restore your security landscape to its original beauty, but you do it with less typing.  In the case of the Yubikey, you would probably end up going to each site twice; once to remove the original lost key, then another time to add the newly-purchased backup key.  Maybe the Yubikey-sponsored solution to visiting sites twice is to buy *three* Yubikeys and set them all up the first time.


Alternatively, some sites will allow you to set up multiple two-factor authentication methods, so you could set up both a Yubikey and then the Google Authenticator app as your backup.  You would have to lose your Yubikey and your phone to be locked out.  Or… buy *four* Yubikeys!


Browser Support

You must be running Google Chrome version 38 or later, or Opera version 40+ to use a U2F key like Yubikey.  Both browsers include support for the U2F protocol.  Mozilla is currently building support for U2F and Microsoft is working within the FIDO Alliance to eventually bring support to the Edge browser in Windows 10.  Funny enough, you can install a U2F add-on to Firefox, but you also have to install an add-on that makes Firefox look like a Chrome browser before the Yubikey works properly with the U2F add-on and Firefox.


Website Forgery

Google Authenticator works with many sites, including Google’s sites, but even Google knew that there was a problem with using the Google Authenticator app – website impersonators.


So picture this: you download the Google Authenticator app onto your trusty Android and set it up to work with YourBank.  Every time you log into YourBank you enter your e-mail address and your password, and then YourBank shows you a screen that prompts you to enter the current code from your Google Authenticator app.  You read the current code from your phone, enter it in the browser screen, and then you are allowed into your YourBank account.  The Google Authenticator app code changes every 30 seconds, so it’s pretty safe, right?  Mostly.


Now let’s say you go to an Internet café, you open a browser tab for Facebook and you see what looks like the YourBank login screen.  The URL says https://YourBank.com in the browser and the page looks like YourBank, but actually it is some server in the middle acting just like YourBank with a fake certificate.  You enter your username and password, the bogus site passes this on to the REAL YourBank, which then asks for your Google Authenticator code, so the bogus site pops up a screen asking for your code.  You enter your code into the bogus site, which immediately passes the code to the real YourBank site, you get logged in, and then the bogus site redirects your browser to the real YourBank page.  It looks like you just logged in, which you did, but meanwhile the bogus site has launched its own YourBank session using your credentials and your Google Authenticator code.  This is called a “time-of-use phishing attack”.  Attackers really can, and do, capture second-factor responses sent to a phishing site and then immediately play them on the real login page.  Once logged in as you, the attacker can then steal your account, or simply use it to do nefarious things in your name.


Google foresaw this and so helped Yubico to develop the YubiKey.  When you register a site, like Facebook, with your Yubikey, a private/public key pair for that site is generated.  The public key is stored on the website and the private key is stored on the Yubikey.  When you go to log into the site, that key pair will only answer the site it was registered for, and the browser enforces this, per the U2F protocol.


Lots more explanation on this in this nice little post:  https://security.stackexchange.com/questions/71316/how-secure-are-the-fido-u2f-tokens
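To make the "Website Forgery" section concrete, here is an added toy model of the U2F exchange and of the relay attack described above. It is not code from this post, from Yubico or from the FIDO Alliance: the real protocol signs with a per-site ECDSA key pair, and a per-site HMAC key stands in for that here so the script runs on the Python standard library alone. The origins, user name and challenge handling are constructed for the illustration. What the model keeps faithful is the part that defeats the bogus site: the token signs `sha256(appId) || sha256(clientData)`, the browser (not the web page) writes the page's origin into `clientData`, and the real site refuses any assertion whose origin is not its own.

```python
import hashlib
import hmac
import json
import secrets

# Toy model of U2F origin binding written for this post, not Yubico's or the
# FIDO Alliance's code. A per-site HMAC key stands in for the real per-site
# ECDSA key pair so that only the standard library is needed.

BANK_ORIGIN = "https://yourbank.example"         # constructed sample origin
PHISH_ORIGIN = "https://yourbank-login.example"  # constructed look-alike origin


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """The token: one key per (appId, key handle); keys never leave the device."""

    def __init__(self):
        self._master = secrets.token_bytes(32)
        self._keys = {}  # key_handle -> (app_id, site_key)

    def register(self, app_id):
        key_handle = secrets.token_hex(16)
        site_key = hmac.new(self._master, f"{app_id}|{key_handle}".encode(),
                            hashlib.sha256).digest()
        self._keys[key_handle] = (app_id, site_key)
        # The site keeps key_handle and the verification key (the public key in real U2F).
        return key_handle, site_key

    def sign(self, key_handle, app_id, client_data_hash):
        stored_app_id, site_key = self._keys[key_handle]
        if stored_app_id != app_id:
            raise ValueError("key handle was not issued for this appId")
        message = sha256(app_id.encode()) + client_data_hash
        return hmac.new(site_key, message, hashlib.sha256).digest()


class RelyingParty:
    """The real bank's server. Its appId is its own origin."""

    def __init__(self, origin):
        self.origin = origin
        self.users = {}  # user -> (key_handle, verify_key)

    def enroll(self, user, token):
        self.users[user] = token.register(self.origin)

    def start_login(self, user):
        key_handle, _ = self.users[user]
        return self.origin, key_handle, secrets.token_urlsafe(32)

    def finish_login(self, user, challenge, client_data, signature):
        key_handle, verify_key = self.users[user]
        fields = json.loads(client_data)
        # Second line of defence: the browser-written origin must be the bank's own.
        if fields.get("origin") != self.origin or fields.get("challenge") != challenge:
            return False
        message = sha256(self.origin.encode()) + sha256(client_data)
        expected = hmac.new(verify_key, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def browser_get_assertion(token, page_origin, app_id, key_handle, challenge, enforce_facet=True):
    """The U2F client (browser). The page supplies appId and challenge, never the origin."""
    # First line of defence: a page may only use an appId that belongs to its own origin.
    if enforce_facet and app_id != page_origin:
        raise PermissionError("appId does not match the page origin")
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": page_origin},
                             sort_keys=True).encode()
    return client_data, token.sign(key_handle, app_id, sha256(client_data))


def legitimate_login(bank, token, user="alice"):
    app_id, key_handle, challenge = bank.start_login(user)
    client_data, sig = browser_get_assertion(token, bank.origin, app_id, key_handle, challenge)
    return bank.finish_login(user, challenge, client_data, sig)


def relay_attack(bank, token, user="alice", strict_client=True):
    """The bogus site at PHISH_ORIGIN forwards the bank's challenge to the victim's
    browser and replays the answer. Returns True only if the bank accepts it."""
    app_id, key_handle, challenge = bank.start_login(user)
    try:
        client_data, sig = browser_get_assertion(token, PHISH_ORIGIN, app_id, key_handle,
                                                 challenge, enforce_facet=strict_client)
    except PermissionError:
        return False  # the browser never even asks the token
    return bank.finish_login(user, challenge, client_data, sig)


def demo():
    token = Authenticator()
    bank = RelyingParty(BANK_ORIGIN)
    bank.enroll("alice", token)
    return (legitimate_login(bank, token),
            relay_attack(bank, token),                       # browser refuses
            relay_attack(bank, token, strict_client=False))  # bank refuses
```

Running `demo()` returns `(True, False, False)`: the genuine login verifies, the relayed request is refused by the browser because the bank's appId does not belong to the phishing page's origin, and even a client that skipped that check would produce an assertion stamped with the phishing origin, which the bank rejects. Contrast this with the Google Authenticator code in the story, which carries no information about where it was typed, so the real site cannot tell a relayed code from a genuine one.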