State of U2F in May 2019

THIS ARTICLE IS OUTDATED. I have published an updated version of this article: “State of U2F in December 2020“.

I am attempting to register physical USB keys with various online accounts in an attempt to improve my online security.

I purchased multiple YubiKey keys (YubiKey 5 NFC and YubiKey 5 Nano) with the intent to register at least two keys with each of my supported online accounts so that I have a backup in case my primary key is lost or stolen. I have access to additional keys (YubiKey 5 NFC) for testing, so I will attempt to register 3 keys with each service.

Before you begin, consider using YubiKey manager to disable all interfaces except “FIDO U2F” and “FIDO2” on each key. I manually labeled each of my keys as “U2F NNNN”, though it is unclear which sites are using older FIDO1 (FIDO U2F) and which sites are using newer FIDO2. The “OTP” interface is similar to Google Authenticator [1] and could leak your identity [2]. Disabling OTP will prevent YubiKey from typing a string every time you tap the YubiKey button. Only enable the interfaces you intend to use.

Here is a summary of my experience with each online provider. Each browser test was performed on macOS 10.14.4 with latest version of Chrome, Firefox, and Safari 64-bit browsers. I registered each key with Chrome and attempted to login with Firefox and Safari. I had to manually enable U2F support in Firefox. [3]

Google (Apps, Cloud)

Key Limit: Multiple (3+) — 3 Keys Registered
Supported Browsers:
• Google Chrome 74.0.3729.131 on macOS
• Firefox Quantum 66.0.5 on macOS
Unsupported Browsers:
• Safari 12.1 on macOS (fallback to Google Authenticator)

GitHub

Key Limit: Multiple (3+) — 3 Keys Registered
Supported Browsers:
• Google Chrome 74.0.3729.131 on macOS
• Firefox Quantum 66.0.5 on macOS
Unsupported Browsers:
• Safari 12.1 on macOS (fallback to Google Authenticator)

Facebook

Key Limit: Multiple (3+) — 3 Keys Registered
Working Browsers:
• Google Chrome 74.0.3729.131 on macOS
Unsupported Browsers:
• Firefox Quantum 66.0.5 on macOS (fallback to Google Authenticator)
• Safari 12.1 on macOS (fallback to Google Authenticator)

WordPress (via Plugin)

Key Limit: Multiple (3+) — 3 Keys Registered
Working Browsers:
• Google Chrome 74.0.3729.131 on macOS
• Firefox Quantum 66.0.5 on macOS
Unsupported Browsers:
• Safari 12.1 on macOS (fallback to Google Authenticator)

NameCheap

Key Limit: Multiple (3+) — 3 Keys Registered
Working Browsers:
• Google Chrome 74.0.3729.131 on macOS
Unsupported Browsers:
• Firefox Quantum 66.0.5 on macOS (prompts for key, returns error “Something went wrong while activating your device. Please try again.”)
• Safari 12.1 on macOS (fallback to backup code)

Amazon Web Services (AWS)

Key Limit: ONE (1) — Simple On/Off toggle. Unable to Register Multiple Keys [4]
Working Browsers:
• Google Chrome 74.0.3729.131 on macOS
• Firefox Quantum 66.0.5 on macOS
Unsupported Browsers:
• Safari 12.1 on macOS

Twitter

Key Limit: ONE (1) — Simple On/Off toggle. Unable to Register Multiple Keys
Working Browsers:
• Google Chrome 74.0.3729.131 on macOS
• Firefox Quantum 66.0.5 on macOS
Unsupported Browsers:
• Safari 12.1 on macOS

11/23/2019 – Twitter configuration still limited to single U2F key.

No Support for U2F or FIDO2

LinkedIn
MailChimp
Slack

References

[1] Medium: The Unofficial FIDO U2F FAQ
[2] Hacker Noon: Avoid Leaking Your Identity with YubiKey
[3] Yubico: Enabling U2F Support in Mozilla Firefox
[4] AWS: Use YubiKey security key to sign into AWS Management Console with YubiKey for multi-factor authentication (comments confirm only one U2F device is supported per login)