What is U2F?

Hey there, just one question: what exactly is U2F? What does that abbreviation mean and what is the purpose of that?

U2F stands for “Universal Second Factor”. You can read about it here.

1 Like

Hot! Is there some documentation on how to use it with a Flipper Zero?

Not at the moment, but it’s really straightforward. Just connect your Flipper via USB and open the app, navigate to any website that supports U2F, and from there you can add the Flipper as you would any other hardware U2F token. Here’s a demo website

3 Likes

Looks great, the first step is also working (some of the time, if Flipper does not decide to break the connection within 3 seconds) but once I get through the first 2 pages (Device not verified, Unknown device ???) I end up at the Playground and then I can’t use it to sign in anymore. (This security key can not be used, please try a different one ???)

Yes, this is the right behavior.

  1. Open the demo.yubico.com website
    Part 1/2: Registration → click button [Next]
  2. If your browser supports WebAuthn, you may need to confirm some dialogs (Firefox on Linux asks some questions: ‘the site is asking for extended information about your security key’ and ‘this site wants to create an account with your key. authorize or cancel here’).
  3. Now go to your Flipper, choose ‘U2F’. Maybe the app complains ‘already connected, please disconnect first’. This happens when the Flipper is connected with qFlipper, for example.
  4. The site is waiting for confirmation. On the Flipper display you’ll see ‘(o) OK’. With a click on the middle button you are confirming you are physically available.

“Registration completed!” If you come to this point with a YubiKey, some information will be provided. But the Flipper is not giving this extended information right now. ‘Device not verified, Unknown device’ is fine at this point.

Click on the button [Authenticate].

  1. Part 2/2: Authentication
    Click on the button [Next]
  2. Again on the Flipper display ‘OK’ will appear, again with a click on the middle button you’ll confirm you are physically present.
  3. With the dropdown ‘Show technical details’ you’ll even be able to see what the server and the Flipper are talking about.

In my experience, most errors are based on
a. timing. Not fast enough → Timeout
b. Forget to press the button. → Error/Timeout/whatever

The ‘Playground’ isn’t a part of the test. You need a Yubikey account to play around with the other kids. But this is a story for another time.

4 Likes

Turns out that a reset of the Flipper is needed to make the app work more reliably.
Thanks to Spildit: Idea - Implement U2F here? - #8 by Spildit

But even after the reset it’s still not reliable enough, after a minute or so it asks me to connect it to a computer while it is still connected? While this is fine for hobby / educational purposes, I can not recommend the use of Flipper to secure any personal or professional accounts. But I might be able to use it as a backup for my YubiKey.

For me, even after

sudo ./qFlipper-x86_64-1.1.3.AppImage rules install

/dev/hidraw3 device appeared as “root:root crw-------” device file, effectively blocking non-root user from using it. The entire trick worked fine after I altered the permissions manually (chmod a+rwx /dev/hidraw3 - do not do it in production, please)

Looks like udev rules need more love and care, at least for antique Ubuntu 18.04 that I have :slight_smile:

I’m not completely sure, but I don’t think you’ll need /dev/hidraw[n] to use U2F.
I have no such antique OS around me (no production environment for 3 days :wink: ), but I can check later how the Flipper will be listed in U2F mode.

I do think you’ll need to start U2F first, then plug USB in. This could be an issue.

This evening I’ve got some time to play around.

The Flipper is not known by udev. So everybody feel free to write a bug against https://github.com/snapcore/snapd/blob/master/interfaces/builtin/u2f_devices.go … to get the Flipper U2F supported by default.

The manual way:

lupus@tori:~$ cat /etc/udev/rules.d/70-snap.flipper.rules 
# u2f-devices
# STMicroelectronics U2F Token
KERNEL=="hidraw*", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="5741", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl", TAG+="snap_firefox_firefox"

Create this file, start ubuntu (or the PC) and replug your flipper → OK.
Maybe idVendor/idProduct needs to be adjusted. Take a look at:

lupus@tori:~$ lsusb |grep -i u2f
Bus 003 Device 007: ID 0483:5741 STMicroelectronics U2F Token

If this doesn’t work for you, take a look at snap connections firefox | grep u2f, should be something like u2f-devices firefox:u2f-devices -
Or ‘about:config’ in the taskbar → search for ‘webauthn’, there *usb should be ‘true’ …
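As an added example (not part of the original posts or of qFlipper): a shell check for the two permission states described in this thread, a hidraw node left as `root:root crw-------` and one opened up with `chmod a+rwx`. It assumes GNU `stat`, the `HID_ID=` line in the sysfs `uevent` file, and the 0483:5741 IDs from the `lsusb` output above; the function names are illustrative, and ACLs granted through `uaccess` are not inspected.

```shell
#!/bin/sh
# Added example: audit the permissions of the hidraw node(s) of a U2F token.

# classify_mode OCTAL_MODE -> prints too-open, ok or locked
classify_mode() {
    mode=$1
    other=${mode#"${mode%?}"}          # last octal digit: access for "other"
    tmp=${mode%?}
    group=${tmp#"${tmp%?}"}            # second-to-last digit: access for group
    if [ "${other:-0}" -ne 0 ]; then
        echo too-open                  # e.g. after chmod a+rwx
    elif [ "${group:-0}" -ge 6 ]; then
        echo ok                        # e.g. MODE="0660" with a dedicated group
    else
        echo locked                    # e.g. crw------- root:root
    fi
}

# find_hidraw SYSROOT VID PID -> prints matching hidrawN names, one per line
find_hidraw() {
    sysroot=$1; vid=$2; pid=$3
    for ue in "$sysroot"/class/hidraw/hidraw*/device/uevent; do
        [ -r "$ue" ] || continue
        # uevent carries HID_ID=<bus>:<8 hex digits vendor>:<8 hex digits product>
        if grep -qi "^HID_ID=[0-9A-Fa-f]*:0000$vid:0000$pid\$" "$ue"; then
            node=${ue%/device/uevent}
            echo "${node##*/}"
        fi
    done
}

# audit_u2f_nodes [SYSROOT] [DEVROOT] [VID] [PID]
# prints one line per node: "<name> <mode> <owner:group> <verdict>"
audit_u2f_nodes() {
    sysroot=${1:-/sys}; devroot=${2:-/dev}
    vid=${3:-0483}; pid=${4:-5741}
    find_hidraw "$sysroot" "$vid" "$pid" | while read -r name; do
        [ -e "$devroot/$name" ] || continue
        m=$(stat -c %a "$devroot/$name")
        o=$(stat -c %U:%G "$devroot/$name")
        echo "$name $m $o $(classify_mode "$m")"
    done
}

audit_u2f_nodes    # no output means no matching hidraw node is present
```

A `locked` verdict after replugging means the udev rule did not match or was not reloaded; `too-open` means every local user can talk to the token.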

Universal 2nd Factor is an open standard that strengthens and simplifies two-factor authentication using specialized Universal Serial Bus or near-field communication devices based on similar security counter technology found in smart cards. U2F keys allow users to quickly and securely access any website or online service. To authenticate, the user simply inserts the U2F key into a USB port and then confirms their identity by pressing a button on the key. On smartphones or tablets, the key needs to be placed close to the NFC antenna. U2F security keys can be used as an additional method of two-step verification on online services that support the U2F protocol, including