Published: May 14th, 2015 | Categories: Cognition, Data Security

U2F, OTP, Google and LastPass

Today was a big day in the exciting 😉 world of authentication, with Google announcing support for hardware tokens as part of their  “2 Step Verification” logon process. Specifically, Google now support U2F tokens (Universal 2nd Factor), a small hardware token that can be used across multiple sites for multiple logons. Google often refer to these tokens as “Security Keys”, but for you and me they’re just any token that support the new U2F standard. We’ll explain more about the U2F standard itself another time, but today we’re going to focus on the interesting bit and explain how to get these things working.

Google 2FA setup


Bank 2FA Devices

Before we dive straight into the best bit (the Yorkshire Pudding if you’re a Northerner), let’s take a small step back and look at the tokens and who’s been doing what in recent times. Outside of the enterprise, two factor authentication (2FA) has been pretty slow to take off for one simple reason: users have numerous logons for different resources, with no way of using the same authenticator for all of them. SMS and app based codes have been a more recent step forward, with the likes of Facebook, Twitter and others using this method as a second factor. But banks are still pressing on, with each providing their own hardware token or pin pad device. It’s all a bit of a mess, causing confusion for the user and complexity for the application developers. Fortunately, vendors such as Yubico have been creating USB and NFC tokens that support third party systems through methods such as One Time Passwords (OTP). And crucially, vendors of password management software (e.g. LastPass) have partnered with the likes of Yubico to provide secure unique password management, all protected by a token as a second factor. And that’s what we do here at Cognition. We use LastPass with Yubico to provide complex unique passwords for every system we use, each requiring the presence of a hardware token to authenticate.

Yubico and LastPass

All this is great for password managers, but in parallel the big Web Monsters, Google, Facebook and others, have been working on their own thing, which has produced the same end result: support for a single token (using the U2F standard), for which Yubico is one of the first available providers. Yubico have released three devices to support U2F: the Neo, Neo-n and Security Key. The Neo and Neo-n are the premium versions, supporting OTP, U2F and more, with the only difference being that the “n” version does not support NFC. The Security Key version is a budget version, only supporting U2F and pretty much nothing else (not even OTP or LastPass). More details can be found here.

So if you want full support for every feature, choose the Neo. Its NFC support is great if you have a proper mobile device (i.e. running Android) 😉. Unfortunately Apple have disabled their iPhone 6 NFC support for anything other than ApplePay, so don’t expect NFC on your iOS device. Also, make sure you buy the current version of the Neo, not the old one which didn’t support U2F. The older devices can’t be firmware upgraded (by design, to prevent attacks) to the new version. Currently NFC and U2F can’t work together on the Neo, but Yubico are positive that the current Neo device will indeed support it in the near future. See the footnote for more information. See below for the Yubikeys supporting U2F.

The Yubikey U2F Range


So with a Neo in hand, you now want to get it working with Google and LastPass, the two biggest supporters of this token. Only one problem: no browser currently supports running U2F and OTP (for LastPass) at the same time. You have to choose one or the other. Pretty lame, I know. This current limitation is with browsers and not the tokens. Fortunately, Chrome beta version 39 does support this mode, which requires you to simply change the mode of your token (from OTP to U2F & OTP). Crucially, the steps below are the only way to get U2F and OTP working at the same time. Using Yubico’s “Neo Manager” will not work, as it is currently locked down to either OTP or U2F, not both. You require the command line tool to get both. Here are the Windows steps to use it:

  1. Insert Yubikey Neo into USB port
  2. Download the Yubico personalization tool from here: https://developers.yubico.com/yubikey-personalization/Releases
  3. I opted for the latest Windows version ykpers-1.16.0-win64.zip but choose whatever’s relevant for your system
  4. Extract the compressed file to an easily accessible folder (you’ll be accessing it from the command line next)
  5. Open the folder from the command line, then access the bin folder
  6. Run this command: ykpersonalize -m6
  7. Type y to commit
  8. Your Yubikey is now formatted for U2F and OTP support (See picture below for what this should look like)
  9. Unplug the Yubikey and then reinsert it
  10. Windows will now reinstall the drivers for the new U2F & OTP mode
  11. Windows now recognises your Yubikey Neo as U2F and OTP compatible
  12. Install Chrome beta from here: https://www.google.com/chrome/browser/beta.html
  13. Make sure you follow Google’s instructions for backing up your browser settings before switching to the beta release (since reverting to a release version will often render your “newer” version settings invalid)
  14. You can now use your Yubikey for any U2F system, such as Google and you can test it at Yubico here: http://demo.yubico.com/u2f
  15. To test OTP you can configure it with LastPass or by creating a forum login at Yubico here: http://forum.yubico.com/ucp.php?mode=register
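The mode switch in steps 6 to 11 is what makes the Neo re-enumerate on USB as a different device, which is why Windows reinstalls drivers. The following is an added example, not code from the original post or from Yubico, that wraps the same ykpersonalize -m invocation on any OS and lets you check afterwards that the key really came back as the combination you asked for. It generalises beyond the -m6 used above to any interface combination. The mode table, the 0x80 “eject” flag, the NEO USB product IDs and the -y (commit without prompting) flag are assumptions drawn from the ykpersonalize man page and Yubico’s udev rules; confirm them against your tool version.

```python
"""Helper around `ykpersonalize -m` for the YubiKey NEO (added example).

Assumptions (not from the original post): the mode table, the 0x80 eject
flag, the -y commit flag and the NEO product IDs below are taken from the
ykpersonalize man page and Yubico's udev rules.
"""
import subprocess
import sys
from typing import Dict, FrozenSet, List, Tuple

YUBICO_VENDOR_ID = 0x1050   # USB vendor ID shared by all YubiKeys
EJECT_FLAG = 0x80           # high bit of the mode byte: CCID "touch to eject"

# Low 7 bits of the mode byte -> enabled USB interfaces. This is a fixed
# table, not a bitfield, so combinations must be looked up, not OR'ed.
MODE_TABLE: Dict[int, FrozenSet[str]] = {
    0: frozenset({"OTP"}),
    1: frozenset({"CCID"}),
    2: frozenset({"OTP", "CCID"}),
    3: frozenset({"U2F"}),
    4: frozenset({"OTP", "U2F"}),
    5: frozenset({"U2F", "CCID"}),
    6: frozenset({"OTP", "U2F", "CCID"}),   # the post's "-m6"
}

# USB product ID the NEO presents in each mode (assumed from udev rules).
NEO_PRODUCT_IDS: Dict[int, int] = {
    0: 0x0110, 2: 0x0111, 1: 0x0112, 3: 0x0113,
    4: 0x0114, 5: 0x0115, 6: 0x0116,
}


def mode_for(otp: bool, u2f: bool, ccid: bool, eject: bool = False) -> int:
    """Return the mode byte enabling exactly the requested interfaces.

    Refuses (ValueError) rather than guessing when no mode matches, e.g.
    asking for nothing at all.
    """
    wanted = frozenset(
        name for name, on in (("OTP", otp), ("U2F", u2f), ("CCID", ccid)) if on
    )
    for mode, ifaces in MODE_TABLE.items():
        if ifaces == wanted:
            return mode | (EJECT_FLAG if eject else 0)
    raise ValueError(f"no NEO mode enables exactly: {', '.join(sorted(wanted)) or 'nothing'}")


def decode_mode(mode: int) -> Tuple[FrozenSet[str], bool]:
    """Split a mode byte into (enabled interfaces, eject flag set)."""
    base = mode & 0x7F
    if base not in MODE_TABLE:
        raise ValueError(f"unknown mode byte 0x{mode:02x}")
    return MODE_TABLE[base], bool(mode & EJECT_FLAG)


def ykpersonalize_args(mode: int, commit: bool = False) -> List[str]:
    """Build the command line; -m takes the mode in hex, -y skips the prompt."""
    args = ["ykpersonalize", f"-m{mode:x}"]
    if commit:
        args.append("-y")
    return args


def expected_product_id(mode: int) -> int:
    """Product ID the NEO should re-enumerate with after the switch."""
    return NEO_PRODUCT_IDS[mode & 0x7F]


def enumeration_matches(observed_vid: int, observed_pid: int, mode: int) -> bool:
    """Check the VID:PID seen by the OS (lsusb, Device Manager) against the mode."""
    return observed_vid == YUBICO_VENDOR_ID and observed_pid == expected_product_id(mode)


if __name__ == "__main__":
    # Usage: python neo_mode.py [--commit]   (replicates step 6 with -m6)
    mode = mode_for(otp=True, u2f=True, ccid=True)
    ifaces, eject = decode_mode(mode)
    print(f"mode 0x{mode:02x} enables {', '.join(sorted(ifaces))}; eject={eject}")
    print("expected USB id after reinsert: "
          f"{YUBICO_VENDOR_ID:04x}:{expected_product_id(mode):04x}")
    cmd = ykpersonalize_args(mode, commit="--commit" in sys.argv)
    print("running:", " ".join(cmd))
    if "--commit" in sys.argv:
        subprocess.run(cmd, check=True)
```

Run without arguments it only prints the command and the VID:PID to expect; pass --commit to actually write the new mode. Comparing the re-enumerated product ID against expected_product_id is the quickest way to confirm step 11 did what you intended before you enrol the key anywhere.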

Command Line Tool


More information on Google 2-step verification

  1. In a Google website, go to your account settings (click on your face in the top right of the screen) and select Account
  2. Click on the Security tab and then enable 2-step verification
  3. Click the settings option to set up the Security Key option

Enabling Google 2FA Security Key


More information on LastPass

  1. Go to Lastpass here
  2. Use it for free without a token, or sign up for the $12 per year option to enable it to work with mobile devices and tokens.

More Information on Yubico and Yubikeys

More Information on Google U2F


More Information on Yubikey Neo U2F and NFC

  • In response to a question regarding the Neo tokens supporting NFC based U2F:

David from Yubico Team on their Support Forum (21st October 2014) – “The best answer we can give is “Maybe”. While we are working very closely with the U2F NFC and Bluetooth groups, we cannot guarantee anything until the specs are finalized. We would naturally like every U2F NEO to work without issue over NFC, but the final specifications may require some changes to the current U2F applet. That being said, the current U2F applet on the NEO is fully compliant with the USB U2F specifications, as will not require any changes unless the publicly released U2F implementation specification is modified.”


About Cognition

Cognition is a Specialist Cyber Security Integrator, focused on delivering the very best security guidance and providing an unprecedented level of service. The team is comprised solely of industry experts with each providing the best intelligence with a real world approach. It is this philosophy that enables Cognition to cut through the complexity of today’s threat landscape and provide the latest innovative security solutions that deliver true business value. Learn more about Cognition at https://cognitionsecure.com.


About the Author: Carl Gottlieb
I'm the trusted privacy advisor to leading tech companies, helping them gain maximum advantage through the right privacy strategy. My consultancy company Cognition provides a range of privacy and security services including Data Protection Officers, in-depth assessments and virtual security engineers. Get in touch if you'd like to learn more.
