U2F Support

[Derick]

I'm rolling out 2FA for our The password reset and password database.  Although some users are happy to use a mobile device others wanted us to provide a token.  Having looked at the ease of use for setup and use of U2F tokens I'd like to request u2F support.  We use Duo as our 2FA and the Duo API allows u2F tokens so I'm hoping it's not too complex.  Additionally the ease of use, single click for password resets, or 2fa to a stored database.  It's a sure way to encourage user enrollment.

 

Thanks

Derick

[La+zy]

Firstly, it appears that entering a forum search for "U2F" does not return this post.  I only found it from a Google search result, and had to enter "Derick" to find the post.

 

If this feature would allow us to use YubiKey U2F, then I second the request - it would be very convenient.  We currently us it for AWS - enter username and password, click the button on the YubiKey, you're in.

 

...or, if this feature is already available, please let me know X-/

 

Cheers

[support]

Hi La+zy,

 

Yes, our Yubikey implementation supports U2F - we were only testing it again the other day, and the press of the button is quite convenient

Regards

Click Studios

[Martin W.]

Dear Support,

 

where should we found the implementation for U2F?

There are only OATH(TOTP/HOTP) and yubico OTP, but no U2F or similar.

 

I asked some time ago, but got no answer from support

https://www.clickstudios.com.au/community/index.php?/topic/5232-full-yubikey-support-with-webauthn/

 

Best regards

[La+zy]

Thanks Martin, I was going to ask the same question.

 

Serves me right for not originally asking "if this feature is already available, please let me know where" 

 

The OATH - HOTP option works well with a YubiKey if you have a spare "slot" in the key, but I suspect U2F would be preferable.

 

Looking forward to the CS response.

 

Cheers

[support]

Hi Guys,

 

Hopefully I have not misunderstood what U2F is, with respects to Yubikey. Can you please have a look at the following:

• https://www.clickstudios.com.au/downloads/version9/Passwordstate_Security_Administrators_Manual.pdf - Page 116 and 117
• https://www.clickstudios.com.au/downloads/version9/Passwordstate_User_Manual.pdf Page 147, 148 and 149.

By using the Yubikey OTP option, we can authenticate with a click on the button as you've mentioned La+zy - it autofills the OTP on the screen.
 

Regards

Click Studios

[Martin W.]

Hey Support,

 

U2F is slightly better than Yubico OTP see https://www.yubico.com/authentication-standards/fido-u2f/

Also there is no need for any fields on the website, because the Browser communicate directly with the U2F device.

 

Best regards

[La+zy]

Yep, what Martin said.

 

Using an AWS logon with U2F as an example:

• Page 1: We enter the standard username and password, click Sign In
• Page 2: We are prompted "Insert your U2F security key into your USB port, and then tap the button or gold disk", the YubiKey flashes, we tap the button on the key and we're in

It's not a huge thing, but it would simplify the use/management of our YubiKeys, assuming PasswordState could use the same U2F credentials in the primary YubiKey "slot".

 

Cheers