tl;dr: U2F is very secure. You should use it. But there are also services that force you into SMS mTAN account recovery in order to use U2F. So not setting up U2F for those services can give you better security depending on your threat model, But for the most general use cases: U2F > SMS >> no 2FA.

U2F is currently one of the strongest authentication offerings. More and more online services support it. But account security depends on the weakest way to obtain access to an account. Hence, this article goes through a threat model that takes into account that some services require you to sign into weak account recovery methods such as SMS mTAN in order to enable U2F 2FA.

Hardware and Software Used

I tested this with 2 HyperFIDO Mini (U2F Security Key) (only linked here for identification, I do not advertise these) USB dongles. These are among the cheapest U2F dongles available costing around 8€ each.

IMPORTANT NOTE: The HyperFIDO has some implementation flaws. For more information you can read Adam Langley’s evaluation, which states:

Overall, the key handle structure is sufficiently far from the obvious construction to cause worry, but not an obvious vulnerability.

I use Firefox and Chromium (because some services only allow U2F with Chrome-based browsers).

I also used the FreeOTP Android app as some services (Github cough) don’t allow you to have U2F without another 2FA method.

Goal / Threat Model

My threat model does not include

However, it includes

A main concern is also to guard against account takeover. Hence, I tried to avoid U2F in instances where it means the account could be recovered with, e.g., a much weaker SMS mTAN that some services force onto you in order to activate U2F.

U2F should also be mandatory, i.e., you should not be able to login without U2F with, e.g., a different second factor, or by deactivating U2F by resetting the password.

Thus, my goal is

WARNING: If you have ever forgotten a password for a service, don’t setup your accounts according to this evaluation. If you loose your password, you (hopefully) loose access.

U2F Support Status

I have no idea how many services I use but I have around 300 passwords (not including throwaway passwords for throwaway accounts I don’t care about).

Supporting U2F

Here is a list of common services I use that support U2F and how I protect them.

U2F mandatory (or at least can be made mandatory)

Service Recovery Forgot Password? Recommendation to attain goal
Github Recovery Codes reset link via Email Use TOTP only to setup U2F, then purge the TOTP secret
requires second factor
2FA is not reset
Google Backup Codes no recovery Remove backup email to avoid password reset via email
Google Prompt Enable only backup codes no other recovery method
Authenticator app
Voice or text message
OVH emergency codes reset link via Email Just setup 2FA with U2F
2FA is not reset
Namecheap Backup Codes no recovery Just setup 2FA with U2F
Disable all password recovery options
Twitter Backup code reset link via Email Use TOTP only to setup U2F, then purge the TOTP secret
2FA is not reset Requires SMS 2FA to activate U2F, but SMS 2FA can be removed again after adding TOTP.

Services that I don’t really care, but support U2F

Service Recovery Forgot Password? Recommendation / Thoughts
Facebook Recovery Codes reset link via Email Use TOTP only to setup U2F, then purge the TOTP secret
Email is PGP encrypted U2F only works with Chrom{e,ium}
2FA is not reset

U2F only optional

I currently have not found any services that do not allow you to configure U2F to be mandatory. There are some not common services that will only allow U2F in combination with SMS 2FA, hence, making the security depend on SMS, which is not what I want. So you should watch out for those and make a security decision based on that.

Not supporting U2F

Service Recovery Forgot Password? Recommendation / Thoughts
Cloudflare Use TOTP
Hetzner Use TOTP
Kimsufi Use TOTP Use TOTP Do not activate SMS 2FA as it will allow full account recovery via SMS

Why U2F? Isn’t SMS 2FA enough?

SMS has the following problems:

  1. SMS 2FA can be phished
  2. Your MSIDSN can easily be hijacked
  3. SMS can be intercepted via SS7

That being said, using SMS mTAN 2FA is more secure than not using any second factor at all! However, that only holds true when SMS is strictly a second factor for authentication. If activating SMS with a service allows account recover via SMS it is weaker than only having a password. You can fully control your password. While it may get phished it is still within your control to not enter your password on phishing sites, with SMS there is nothing that you can do against an attacker having your mobile phone provider issue a replacement SIM card to them.


With the services that support U2F setting it up and using it is straight forward.

Contrary to 2 years ago, all services tested will not remove the second factor when doing a password reset. Hence, I was able to secure all services the way I intended … at least the ones supporting U2F.

Unfortunately, the adoption rate of U2F is still low. Something that hopefully WebAuthn will fix.

Appendix: Notes on Individual Service Experiences

In this section I will talk about the experience with individual services.


Requires another 2FA method beside U2F. You can use TOTP.

TOTP has brute force protection and you receive a email notification if a brute forcing event was detected.

Susceptible of Github support to social engineering is not known.


Google has among the best security options. You can even disable all other account recovery methods beside U2F.

Problem: Registering a new U2F device does not work via Firefox, see However, using an already registered device works.

Make sure to uncheck Don't ask again on this computer on each login. Otherwise on subsequent logins via the same browser U2F won’t be required. This is especially important when you use a public computer (not recommended), because in that case an attacker would simply need to shoulder-surf your password.

Account takeover possible if you have a backup email address and attacker controls your U2F. Having no recovery email makes account hijacking much more difficult (i.e. upholds the requirement of two factors), Backup codes still provide a solid way back in.

Recovery email can be removed by editing it and leaving the field blank. (Warning: This may lock you out of your account if you loose your backup codes!)

Advanced Protection also works with 2 non-NFC or Bluetooth U2F dongles. Obviously, they won’t work on mobile devices. The problem with Advanced Protection is that Backup Codes won’t work.

Susceptible of Google support to social engineering is not known.


OVH’s U2F implementation is pretty much my use case.

Forgot Password sends password reset link via email. U2F or emergency codes are always required.

Susceptible of OVH support to social engineering is not known.


Requires you to give Twitter a phone number to which they send a SMS code required to start setting up 2FA.

You will receive only one Backup code. You can only use this backup code to log in once.

Can only add one U2F device.

SMS password reset codes are brute force protected.

Too many unsuccessful login attempts yield the prompt:

You have initiated too many login verification requests. Please wait an hour before trying again.

Twitter support is susceptible to social engineering. So if your email is taken over all the attacker has to do is mail Twitter support from your email and they will turn off 2FA. Hence, it doesn’t matter what you do. Your account will get compromised … eventually.


Namecheap’s U2F implementation is my use case. You can deactivate all other account recovery options besides backup codes.

Susceptible of Namecheap support to social engineering is not known.


I don’t really use Facebook. But I like their security features, such as, sending all emails PGP encrypted, or U2F.

Password resets are via PGP encrypted emails. You won’t get into the account without the PGP key, even if you control the mail account.