DO Ideas 2

FIDO U2F Authentication

YubiKey released their U2F standard (Universal 2nd Factor) hardware key which allows single touch two factor authentication for products and services.

The current software two factor authentication is really great, however, U2F is far easier and involves a single touch to activate and record. This should be a layered approach giving users with U2F enabled the fallback of 2FA via software token. Google has this implemented already and it's very simple to use.

More Information:

https://sites.google.com/site/oauthgoog/gnubby
https://www.yubico.com/applications/fido/

  • Zach Queal
  • Sep 11 2018
  • Attach files
  • Jeremy commented
    September 11, 2018 17:12

    I would be very interested in seeing this feature implemented.

  • Anonymous commented
    September 11, 2018 17:12

    When can we see this implemented?

  • TwiN commented
    September 11, 2018 17:12

    +1 We definitely need this. U2F is becoming increasingly popular in major companies, and with WebAuthn being implemented in all major browsers (except Safari, but well, no surprises here), this should be implemented as soon as possible.

  • Jacob Copeland commented
    September 11, 2018 17:12

    I would like to throw my support behind u2f. Started switching over to it, and what its amazing.

  • Jonathan Fisher commented
    September 11, 2018 17:12

    SMS Authentication is quite dangerous... It's an unsecured channel with no delivery guarantees that's intentionally open to intercept. Please switch to U2F

  • Dmitry commented
    September 11, 2018 17:12

    +1 U2F support would be really awesome.

  • Anonymous commented
    September 11, 2018 17:12

    +1 U2F please

  • Øyvind Bye Skille commented
    September 11, 2018 17:12

    U2F has now evolved into the webauthn standard as defined by W3C
    https://www.w3.org/2018/04/pressrelease-webauthn-fido2.html.en
    It will have support from both Chrome, Firefox and MS Edge. There is work ongoing for Safari, but no public statement about support yet https://caniuse.com/#search=webauthn

    It will work with security keys already out there in people's pockets.

    Here is some info on the tech and code needed https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
    And here is a demo implementation made by Duo security https://github.com/duo-labs/webauthn

  • Jacob commented
    September 11, 2018 17:12

    +3 Agreed would really be nice

  • Taras Kornichuk commented
    September 11, 2018 17:12

    would be nice

  • Troy Spradling commented
    September 11, 2018 17:12

    YES. Please!

  • Anonymous commented
    September 11, 2018 17:12

    +3 Great for anyone who is serious about security at all and can be much more convenient than a software option.

  • Fotis Loukos commented
    September 11, 2018 17:12

    U2F has become an industry standard and has been adopted by multiple vendors. There are devices that work with different hardware, like BLE (e.g. the u2f token from Feitian) and NFC tokens (e.g. Yubikey NEO) which would be a nice feature. Furthermore, 2FA web authentication developments concern mostly U2F, so it would be a really nice feature.

  • Michael Berneis commented
    September 11, 2018 17:12

    +1 for U2F key (I am using my trezor)

  • Anonymous commented
    September 11, 2018 17:12

    +1 for U2F/Yubikey

  • Dmitry Golub commented
    September 11, 2018 17:12

    +1. It would be great.

  • Lukas Michanek commented
    September 11, 2018 17:12

    It's quite surprising that this isn't supported already.

  • Aaron Kulbe commented
    September 11, 2018 17:12

    Another vote for Yubikey.

  • Michael Schwartz commented
    September 11, 2018 17:12

    OTP and SMS are phishable. SMS is very human-hackable (if you can trick the phone company to assign the number to a new SIM).

    OTP has a 3% failure rate--so you are just passing the cost of non-productivity over to your customer.

    So worse security, worse usability... what exactly do you love about OTP and SMS?

  • Michael Schwartz commented
    September 11, 2018 17:12

    +1

  • Sam Atman commented
    September 11, 2018 17:12

    /please/ add this functionality. It's going to be a business requirement for us Q1 2018.

  • Morthawt commented
    September 11, 2018 17:12

    Yes, please implement this U2F. I love the standard one with the QR scan to set up an app but an additional U2F would be great, as I have with google. I use my U2F when I have the right browser and if it fails or what ever i can use codes from my phone app. I highly support this idea and have used all of my points in this idea.

  • Anonymous commented
    September 11, 2018 17:12

    please support!. there are multiple devices emerging that support u2f.

  • Charles Heywood commented
    September 11, 2018 17:12

    Would be a great idea, and there's now even more reference implementations to look at for help if needed. The entire Hashbang, Inc. team as well as myself would love this addition.

  • Shane commented
    September 11, 2018 17:12

    +1 for YubiKey

  • Anonymous commented
    September 11, 2018 17:12

    +3 FIDO U2F is by far the best 2FA implementation I've encountered. Google, Dropbox, Facebook all support it. AFAIK, DO would be the first hosting service to adopt.

  • Camilo commented
    September 11, 2018 17:12

    What would cost for DO to have Yubikey? Have you run a survey asking your users about it?

  • NickM commented
    September 11, 2018 17:12

    +1 for yubikey

  • Piotr Włodarek commented
    September 11, 2018 17:12

    We all have YubiKeys at the company and use them extensively. We are missing U2F support for the most important thing: the infrastructure we run on top of DigitalOcean.

  • Terry commented
    September 11, 2018 17:12

    Please add the U2F / YubiKey support for DO accounts.

    +1

  • Matt commented
    September 11, 2018 17:12

    Any time table on this feature? I'm not certain about how many of your customers are developers/software engineers, but many other tools (one being Github) already have YubiKey U2F implemented.

  • Anonymous commented
    September 11, 2018 17:12

    +1

  • Igor Khomyakov commented
    September 11, 2018 17:12

    +1

  • Jay Holtslander commented
    September 11, 2018 17:12

    +3 votes

  • Anonymous commented
    September 11, 2018 17:12

    Yes, definitely interested in this!

  • Anonymous commented
    September 11, 2018 17:12

    +1 Yes please

  • L commented
    September 11, 2018 17:12

    Are you waiting for more votes? You won't get too many more votes because U2F users are a small minority. Not enough service providers support U2F, so not enough people don't buy U2F devices.

    You should go ahead and support U2F now. By doing so you will be causing more people to buy U2F hardware. Then they will come back and vote here, and you can get as many votes you're currently waiting for.

  • Ratler commented
    September 11, 2018 17:12

    +1 for U2F and the upcoming webauthn in which U2F is a subset.

  • Anonymous commented
    September 11, 2018 17:12

    +1 for Yubikey U2F.

  • Anonymous commented
    September 11, 2018 17:12

    +1 yes looking forward for this implementation

  • Anonymous commented
    September 11, 2018 17:12

    "Github, Gmail, and Facebook all support both Google Auth and Yubikey.... Digital Ocean can't? Would be awesome to have a hardware token :/" - Tavis Beck

  • Anonymous commented
    September 11, 2018 17:12

    +3 Will be a great security addition!

  • Anonymous commented
    September 11, 2018 17:12

    U2F/Yubikey support would be welcome, particularly when stuck in situations where one is traveling and access to anything Google is block (while working in China for example).

  • amnesia commented
    September 11, 2018 17:12

    +3 We need this ASAP.

  • Ackermann Yuriy commented
    September 11, 2018 17:12

    +3 Facebook could! DO can better!

  • Ackermann Yuriy commented
    September 11, 2018 17:12

    +3 Do it DO! JUST DO IT!

  • Serg Chernata commented
    September 11, 2018 17:12

    +1, it's a much more seamless process than Google Authenticator or SMS.

  • Jose commented
    September 11, 2018 17:12

    +1 That would be great!

  • Pavel commented
    September 11, 2018 17:12

    That would be great!

  • Anonymous commented
    September 11, 2018 17:12

    Plenty of websites have implemented hybrid 2FA solutions, it's been stated that many DO developers use YubiKeys, and forcing people to use GA to get 2FA is becoming more and more of a problem.

  • Anonymous commented
    September 11, 2018 17:12

    This was previously declined here, but I hope you'll take another look:https://digitalocean.uservoice.com/forums/136585-digitalocean/suggestions/4338890-yubikey-two-factor-auth

    Could you not implement U2F in addition to Google Authenticator or SMS?

  • Brian Sherwood commented
    September 11, 2018 17:12

    Please implement, U2F would be a great option.

  • jokaro commented
    September 11, 2018 17:12

    This would be really great

  • Joonas Kuorilehto commented
    September 11, 2018 17:12

    U2F is much more convenient and secure than a software authenticator. I have already something like 10 number based tokens where with U2F only one token is sufficient for all services.

  • Antonios Chariton commented
    September 11, 2018 17:12

    Also want this. Good for enterprise users who are serious about security.

  • Ravi kiran commented
    September 11, 2018 17:12

    Yes please, that would help a lot, Please do it.