Universal Second Factor (U2F) is an open authentication standard that enhances and simplifies two-factor authentication (2FA) by using a dedicated USB or NFC device based on similar security technology found in smart cards. While originally developed by Google and Yubico, with contributions from NXP Semiconductors, the standard is now hosted by the FIDO Alliance. The security features of asymmetric cryptography are part of OneKey's security philosophy. With the U2F support in OneKey, online accounts and identities can be secured.
Benefits of U2F
- Private keys are never sent over the Internet
- Because public-key cryptography is used, confidential information is never shared.
- Easier to use than traditional 2-factor authentication.
- There is no need to re-enter a one-time code.
- No personal information is associated with the private key.
While backup is theoretically easier, it is not available on all U2F keys. When using U2F, vendors do not share secrets and do not store confidential databases, so a hacker cannot simply steal the entire database to gain access. Instead, he must target individual users, which is much more costly and time-consuming. In addition, secrets (private keys) can be backed up.
How does it work?
When logging into a website, users typically verify their identity by providing a username and password. With OneKey and U2F, users must additionally confirm their login by clicking a button on the OneKey device.
OneKey always uses a unique signature for each registered user account.
- OneKey requires the user to back up the recovery seed during the initial setup of the device. This is a one-time process for all of the device's functions. The recovery seed represents all private keys generated by the device and can be used at any time to recover the linked wallet.
- OneKey allows an unlimited number of U2F identities, which are stored under a single backup.
- The recovery seed is stored securely in OneKey. It is never shared because it never leaves the device. No virus or hacker can access it.
- Phishing protection via screen verification: OneKey always displays the URL of the website to which the user is logging in, as well as the specific content to be authorized; therefore, it is possible to verify that the content sent to the device is the same as expected.
OneKey with U2F
To improve your online security, OneKey can be used as a hardware security token for U2F, but with backup/restore capabilities and convenience. You can start using OneKey as your second-factor authentication token, using services like Google, GitHub or Dropbox. Another advantage of OneKey is that its users can actually verify what they are about to authorize on the device display.
In this short tutorial, we'll show you how to enable two-factor authentication on your Google account and register your OneKey device as a U2F authentication token.
1. Visit Google.com and log in to your account
2. Access the "Security" settings and enable "two-step verification"
Once you have accessed your Google account, navigate to Security Settings on the left side of the page. You will see the option to enable two-step verification. When this feature is enabled, your Google account will require a secondary authentication in addition to your standard password.
Click Two-step verification, and then click Start to continue.
3. Select "Security Key" from the other options used for login
Google will ask you to log in to your account again. This is a security precaution to make sure you are the one who changed the settings.
When you sign in, Google will ask you to select the preferred two-step authentication method. Google will offer its native solution, but you have a better solution in your OneKey device. So, click to select another option and choose a security key.
4. Connect your OneKey device and register it as the U2F security key for this service
5. Name your security token
Here you can choose the name that Google sees when you use your device. This name is different from the name you chose when you first initialized your device.
The next time you sign in to your Google account, you will be asked to confirm that you are signed in on your device.
- U2F enabled in Chrome/Chromium browser out of the box
- In Firefox, you will need to enable U2F manually.
Type about:config in the Firefox address bar, then press Enter
Search for u2f
Double-click security.webauth.u2f to enable U2F (or right-click and select toggle)
Recovering U2F Counters on OneKey
Restoring the seed on another OneKey also restores all U2F keys, as they are derived from a master key. Due to the design of U2F, some services may implement a counter that records the number of logins, and such a service can refuse a login from a restored device whose counter has restarted. However, if you have firmware version 1.4.2 or higher, the U2F counter is automatically restored.
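Why the counter matters on the service side, shown as an added example that is not OneKey's or any service's own code. The response layout (1 presence byte, 4-byte big-endian counter, then the signature) is the U2F raw message format; `CounterStore`, `login`, the key handle and the sample responses are hypothetical, and signature verification is left out so the block stays on the counter check.

```python
import struct

def parse_auth_response(raw: bytes):
    """Split a U2F authentication response: presence(1) | counter(4, BE) | signature."""
    if len(raw) < 6:
        raise ValueError("response too short for presence, counter and signature")
    presence, counter = struct.unpack(">BI", raw[:5])
    return bool(presence & 0x01), counter, raw[5:]

class CounterStore:
    """Service side: the last counter value accepted for each registered key handle."""
    def __init__(self):
        self._last = {}

    def check_and_update(self, key_handle: str, counter: int) -> bool:
        last = self._last.get(key_handle)
        if last is not None and counter <= last:
            # Replayed response, cloned key, or a restored device whose counter restarted.
            return False
        self._last[key_handle] = counter
        return True

def login(store: CounterStore, key_handle: str, raw: bytes) -> bool:
    present, counter, _signature = parse_auth_response(raw)
    # A real service verifies the signature before it trusts the counter (omitted here).
    return present and store.check_and_update(key_handle, counter)

def make_response(counter: int, presence: int = 1) -> bytes:
    """Constructed sample response with a dummy 8-byte signature."""
    return struct.pack(">BI", presence, counter) + b"\x30" * 8

def demo():
    store = CounterStore()
    return [
        login(store, "kh-example", make_response(41)),  # normal login
        login(store, "kh-example", make_response(42)),  # counter increased
        login(store, "kh-example", make_response(1)),   # restored seed, counter restarted
        login(store, "kh-example", make_response(43)),  # restored seed, counter restored
    ]

if __name__ == "__main__":
    print(demo())
```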
How to add U2F to the sudo command
1. Open the sudo configuration file.
sudo nano /etc/pam.d/sudo
2. Add at the end of the document.
# u2f authentication
auth required pam_u2f.so authfile=/etc/u2f_mappings cue
Test your configuration by opening another terminal window and running the sudo command. If all of this is done correctly, you will be asked to enter your password and then prompted to "Please touch the device".
Your OneKey device will also prompt you to authorize the request.
Congratulations, your system now requires your OneKey to run sudo.
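A pre-flight check for the sudo setup above, added here as an example and not part of OneKey's or pam_u2f's tooling. It assumes the control field is a plain keyword and that the mapping file uses pam_u2f's `username:keyhandle,publickey` layout; the sample file contents and user names are constructed.

```python
# Constructed samples: the PAM line from the steps above, and a mapping file
# in pam_u2f's "username:keyhandle,publickey" layout with placeholder values.
PAM_SAMPLE = """\
@include common-auth
# u2f authentication
auth required pam_u2f.so authfile=/etc/u2f_mappings cue
"""
AUTHFILE_SAMPLE = "alice:PLACEHOLDER_KEYHANDLE,PLACEHOLDER_PUBKEY\n"

def parse_pam_u2f(pam_text):
    """Return (control, options) for the first pam_u2f auth line, or None."""
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 3 and fields[0] == "auth" and fields[2] == "pam_u2f.so":
            opts = dict(tok.partition("=")[::2] for tok in fields[3:])
            return fields[1], opts
    return None

def mapped_users(authfile_text):
    """User names that have at least one registered key in the mapping file."""
    users = set()
    for line in authfile_text.splitlines():
        name, sep, keys = line.partition(":")
        if sep and name.strip() and keys.strip():
            users.add(name.strip())
    return users

def audit(pam_text, authfile_text, sudo_users):
    """List problems that would weaken the setup or lock a user out of sudo."""
    parsed = parse_pam_u2f(pam_text)
    if parsed is None:
        return ["no pam_u2f auth line: sudo never asks for the key"]
    control, opts = parsed
    findings = []
    if control not in ("required", "requisite"):
        findings.append(f"control '{control}' does not make the key mandatory")
    if "authfile" not in opts:
        findings.append("no authfile option: pam_u2f falls back to a per-user key file")
    if "nouserok" in opts:
        findings.append("nouserok set: users without a mapping skip the key")
    else:
        for user in sorted(set(sudo_users) - mapped_users(authfile_text)):
            findings.append(f"{user} has no registered key: sudo would fail for this user")
    return findings

if __name__ == "__main__":
    print(audit(PAM_SAMPLE, AUTHFILE_SAMPLE, ["alice", "bob"]))
```

Entries in the mapping file are normally generated with pam-u2f's `pamu2fcfg` tool. Keep the original terminal open until sudo works in the second one.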