Menu
I've started fiddling around with U2F and it's looking really promising. Got myself some security keys and started digging into it. I've managed to create a working register/login demo website which works well using the U2F tokens and the U2F Chrome extension.
However... and this is where my question arises: I've also enrolled a security key for my Google account and immediately got struck by the fact that it works without using the U2F Chrome extension. As a matter of fact I've done all the Google enrollment and logins without even having the extension installed. How is this possible? I've read (some of) the FIDO specifications and saw that there may be two API levels: high - which is the u2f namespace exposed by the extension and - and low - which involves using MessagePort API. Maybe this is how Google does it? (also tried doing a chrome.runtime.connect(...) myself, but the chrome.runtime object is undefined in my web page)
Any pointer in the proper direction would be appreciated and of great value at this moment, as there aren't many resources available on this young project called U2F.
984
Go to this url: chrome://flags/#u2f-security-key-api. Locate "Enable the U2F Security Key API" Change the dropdown from "Default" to "Enabled". Restart the browser.
U2F is Chrome's original security key API. It allows sites to register public key credentials on USB security keys and challenge them for building phishing-resistant two-factor authentication systems. U2F never became an open web standard and was subsumed by the Web Authentication API (launched in Chrome 67).
Universal 2nd Factor (U2F) is an open standard that strengthens and simplifies two-factor authentication (2FA) using specialized Universal Serial Bus (USB) or near-field communication (NFC) devices based on similar security technology found in smart cards.
Multi-protocol security key secures modern and legacy systems. The YubiKey supports WebAuthn/FIDO2, FIDO U2F, one-time password (OTP), OpenPGP 3, and smart card authentication offering a solution that bridges legacy and modern applications.
Chrome is white listing Google domains. Non-Google domains has to use the extension for now. However, this will change "very soon" according to Google -- this is documented here and mentioned by a Google developer in this webinar.
Edit: The extension is no longer required with Chrome 41. You can test it out here (Note: When accessed from and older version of Chrome, or not via HTTPS, the site will fall back to using the extension).
92
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
