Universal 2nd Factor (U2F) is an open security standard that simplifies and improves your personal security by only requiring a physical Universal Serial Bus (USB) key to authenticate with various services. Your USB key authenticates by answering a challenge from the service with a signature, using public-key cryptography. If you have been using Two-Factor Authentication (2FA), then U2F is an upgrade/evolution of that approach where you carry physical hardware instead of dealing with the hassle of a constantly changing code stored in an app like 1Password.
Depending on the type of U2F key you buy, you’ll also be able to use Near-Field Communication (NFC) to authenticate. NFC is handy with mobile devices, especially devices that might not have a USB-C port. When looking to buy a U2F key, I’d recommend picking USB-C with NFC support so you can hold your U2F key near your device to authenticate.
U2F, 2FA, WebAuthn, and much more are all part of the Fast IDentity Online (FIDO) standard. There is a lot to unravel in this space, but the purpose of this article is to focus on U2F in order to enhance your experience and improve your security.
I purchased two YubiKey 5C NFC keys so I’d have a primary and backup key. Having a backup key is important because if you lose your primary key, there is no way to get back into the services you might be using.
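To make the challenge-response concrete, here is an added Go example (not code from this post or from Yubico) that models the U2F exchange in software. On registration the key generates a P-256 key pair for the service and hands back only a key handle and the public key; at login the service sends a fresh random challenge, the key signs the application identifier, a user-presence byte, its signature counter and the challenge, and the service verifies that signature with the stored public key and insists the counter has increased since last time. It also shows why a backup key has to be registered with every service on its own: a key only answers for handles it created. The origin https://example.test, the handle construction and the in-memory maps are constructed for the example; a real key never exposes its private keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Authenticator stands in for one physical U2F key; a real key never exports its private keys.
type Authenticator struct {
	Keys    map[string]*ecdsa.PrivateKey // key handle -> private key (constructed software model)
	counter uint32                       // signature counter, bumped on every assertion
}

// Register generates a P-256 key pair bound to appID and returns only the handle and public key.
func (a *Authenticator) Register(appID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	handle := fmt.Sprintf("%x", sha256.Sum256(append([]byte(appID), priv.X.Bytes()...))) // constructed opaque handle
	a.Keys[handle] = priv
	return handle, &priv.PublicKey, nil
}

// Assertion is the key's answer to one authentication challenge.
type Assertion struct {
	Handle    string
	Counter   uint32
	Signature []byte // ASN.1 DER ECDSA signature
}

// signedData builds, in U2F order, SHA-256(appID) || presence byte 0x01 || counter || SHA-256(challenge).
func signedData(appID string, counter uint32, challenge []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	data := make([]byte, 69) // 32 + 1 + 4 + 32
	copy(data, app[:])
	data[32] = 0x01
	binary.BigEndian.PutUint32(data[33:37], counter)
	copy(data[37:], chal[:])
	return data
}

// Sign answers only for a handle this key created: a backup key cannot answer for the primary's handle.
func (a *Authenticator) Sign(appID, handle string, challenge []byte) (*Assertion, error) {
	priv, ok := a.Keys[handle]
	if !ok {
		return nil, fmt.Errorf("unknown key handle %s", handle)
	}
	a.counter++
	digest := sha256.Sum256(signedData(appID, a.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{Handle: handle, Counter: a.counter, Signature: sig}, nil
}

// RelyingParty is the service verifying logins (hypothetical origin https://example.test).
type RelyingParty struct {
	AppID    string
	Pubs     map[string]*ecdsa.PublicKey // key handle -> public key, one entry per registered key
	Counters map[string]uint32           // key handle -> last counter accepted
}

// Verify checks the signature and enforces a strictly increasing counter (replay and clone detection).
func (rp *RelyingParty) Verify(challenge []byte, as *Assertion) error {
	pub, ok := rp.Pubs[as.Handle]
	if !ok {
		return fmt.Errorf("unregistered key handle %s", as.Handle)
	}
	digest := sha256.Sum256(signedData(rp.AppID, as.Counter, challenge))
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return fmt.Errorf("bad signature")
	}
	if last := rp.Counters[as.Handle]; as.Counter <= last {
		return fmt.Errorf("counter %d not above %d: replay or cloned key", as.Counter, last)
	}
	rp.Counters[as.Handle] = as.Counter
	return nil
}

func main() {
	rp := &RelyingParty{AppID: "https://example.test", Pubs: map[string]*ecdsa.PublicKey{}, Counters: map[string]uint32{}}
	primary := &Authenticator{Keys: map[string]*ecdsa.PrivateKey{}}
	backup := &Authenticator{Keys: map[string]*ecdsa.PrivateKey{}}
	hPrimary, pub, _ := primary.Register(rp.AppID)
	rp.Pubs[hPrimary] = pub // the backup key would need its own Register call to be usable here
	challenge := make([]byte, 32)
	rand.Read(challenge) // fresh random challenge per login
	as, _ := primary.Sign(rp.AppID, hPrimary, challenge)
	fmt.Println("primary login:", rp.Verify(challenge, as))      // <nil>
	fmt.Println("replayed assertion:", rp.Verify(challenge, as)) // counter error
	_, err := backup.Sign(rp.AppID, hPrimary, challenge)
	fmt.Println("backup key, primary's handle:", err) // unknown key handle
}
```

The counter check is what lets a service notice a cloned key or a replayed assertion; a real YubiKey keeps that counter in hardware, and the service only ever stores public keys, so a breach of the service's database yields nothing that can log in.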
💡 As a side note, there is also support for YubiKey Bio keys, which use biometric data (i.e. a fingerprint) to verify who you are. These biometric keys don’t support NFC at the moment, so depending on your needs you might want the convenience of NFC for mobile access or forgo that entirely and use the Bio keys.
Amazon Web Services (AWS) - Log into your account, click on My Security Credentials, and then Manage MFA Device.
Discourse - Once logged into your account, click on your profile, Preferences, Security, and Manage Two-Factor Authentication to add your U2F keys.
Fastmail - Log into your account, click on Settings, and Password & Security to add your new keys.
Google - Once logged into your account, click on Security, 2-Step Verification, and add your U2F keys.
Updating existing services to use Universal 2nd Factor (U2F) was quick and easy. All of them let you label each of your keys as you register them. I opted to color code and register my keys as follows:
The only oddball is Amazon Web Services (AWS), which only allows you to configure a single U2F key, which was a disappointment. This is a long-standing issue without any great workarounds. You can download and install the Yubico Authenticator application, which lets you use your U2F key to unlock the Time-based One-Time Password (TOTP) for the Multi-Factor Authentication (MFA) device configured on your AWS account. I tried this, but using U2F plus your phone to get into your account was a hassle, so I opted to stick with 2FA for now, sadly.
Additionally, it’s important to note that the Yubico Authenticator only works with your primary U2F key and cannot be registered with your secondary key as well.
The following might be of interest to those wishing to spend some time manually configuring their machine to support U2F keys:
Beyond Passwords: 2FA, U2F and Google Advanced Protection - A detailed article that’ll walk you through 2FA and U2F security.
YubiKey for SSH, Login, 2FA, GPG and Git Signing - Walks you through using your U2F key for operating system login, SSH, GPG, and more.
I’m enjoying both the increased security and reduced hassle of using 2FA. I do wish I could use my Apple Watch as my primary U2F key instead of carrying both my watch and YubiKey. Maybe at some point in the future this will become a reality. For now, I’m happy to make it harder to gain access to any of my accounts and hope you make the switch as well!