Token-based Two-Factor authentication
Tokens, U2F, and the real world
The use of two-factor authentication for personal use, even for online banking, never really caught on.
The only device that was at least slightly promising was the YubiKey, but there wasn’t really much adoption for it as the various operation modes all had their fair share of issues.
- HOTP was supported and YubiCo even had a public authentication service, but no major internet service started to adopt it and encouraged its use.
- TOTP was partially supported as it also needed a little helper-tool on the user’s workstation to supply the current time to the token as there was no built-in clock, which is understandable given it would then also need a battery. The token also only had two key slots, which meant that you could not use one token with all the internet services you were using.
- The static password mode sounded practical at first, until you realized that you’d need to also use a password manager for it to not use the same password with each internet service you use and that the password database would then have to be shared between all of your workstations. While this might be suitable for some, it’s not really a great solution.
About a year ago YubiCo released a token based on Universal 2nd Factor (U2F), a standardized protocol based on hardware tokens, but using a local key store on the token where each service that you’re authenticating with gets their own key and the authentication itself is handled by a module built into the web browser.
It’s not ideal because it needs support in the browser, which the YubiKey historically didn’t need because it just worked as a USB keyboard entering the one-time tokens into any application, but I think it’s a very interesting approach.
This is why I bought two U2F tokens to try out, but unfortunately the only browser that added support for it in the last year was Chrome and the only web sites that added support for authentication with a U2F token were Google Accounts and Dropbox.
It is kind of sad that not even within the technology industry we have enough enthusiasm for using such tokens. How will we ever encourage regular people to adopt them?