tl;dr: U2F is very secure. You should use it. But there are also services that force you into SMS mTAN account recovery in order to use U2F. So not setting up U2F for those services can give you better security, depending on your threat model. But for the most general use cases: U2F > SMS >> no 2FA.


U2F is currently one of the strongest authentication offerings, and more and more online services support it. But account security depends on the weakest way to obtain access to an account. Hence, this article goes through a threat model that takes into account that some services require you to sign up for weak account recovery methods, such as SMS mTAN, in order to enable U2F 2FA.


Hardware and Software Used

I tested this with 2 HyperFIDO Mini (U2F Security Key) USB dongles (only linked here for identification, I do not advertise these). These are among the cheapest U2F dongles available, costing around 8€ each.

IMPORTANT NOTE: The HyperFIDO has some implementation flaws. For more information you can read Adam Langley’s evaluation, which states:

Overall, the key handle structure is sufficiently far from the obvious construction to cause worry, but not an obvious vulnerability.


I use Firefox and Chromium (because some services only allow U2F with Chrome-based browsers).

I also used the FreeOTP Android app as some services (Github cough) don’t allow you to have U2F without another 2FA method.

Goal / Threat Model

My threat model does not include

However, it includes

A main concern is also to guard against account takeover. Hence, I tried to avoid U2F in instances where it means the account could be recovered with, e.g., a much weaker SMS mTAN that some services force onto you in order to activate U2F.

U2F should also be mandatory, i.e., you should not be able to login without U2F with, e.g., a different second factor, or by deactivating U2F by resetting the password.

Thus, my goal is

WARNING: If you have ever forgotten a password for a service, don't set up your accounts according to this evaluation. If you lose your password, you (hopefully) lose access.

U2F Support Status

I have no idea how many services I use but I have around 300 passwords (not including throwaway passwords for throwaway accounts I don’t care about).

Supporting U2F

Here is a list of common services I use that support U2F and how I protect them.

U2F mandatory (or at least can be made mandatory)

Service   | Recovery                                                              | Forgot Password?                                                | Recommendation to attain goal
----------|-----------------------------------------------------------------------|-----------------------------------------------------------------|------------------------------
Github    | Recovery Codes                                                        | reset link via Email; requires second factor; 2FA is not reset  | Use TOTP only to setup U2F, then purge the TOTP secret
Google    | Backup Codes, Google Prompt, Authenticator app, Voice or text message | no recovery                                                     | Remove backup email to avoid password reset via email; enable only backup codes, no other recovery method
OVH       | emergency codes                                                       | reset link via Email; 2FA is not reset                          | Just setup 2FA with U2F
Namecheap | Backup Codes                                                          | no recovery                                                     | Just setup 2FA with U2F; disable all password recovery options
Twitter   | Backup code                                                           | reset link via Email; 2FA is not reset                          | Use TOTP only to setup U2F, then purge the TOTP secret. Requires SMS 2FA to activate U2F, but SMS 2FA can be removed again after adding TOTP.

Services that I don’t really care about, but that support U2F

Service  | Recovery       | Forgot Password?                                               | Recommendation / Thoughts
---------|----------------|----------------------------------------------------------------|--------------------------
Facebook | Recovery Codes | reset link via Email; Email is PGP encrypted; 2FA is not reset | Use TOTP only to setup U2F, then purge the TOTP secret. U2F only works with Chrom{e,ium}.

U2F only optional

I currently have not found any services that do not allow you to configure U2F to be mandatory. There are some less common services that only allow U2F in combination with SMS 2FA, which makes the account's security depend on SMS, which is not what I want. So watch out for those and make a security decision based on that.

Not supporting U2F

Service         | Recovery | Forgot Password? | Recommendation / Thoughts
----------------|----------|------------------|--------------------------
Cloudflare      |          |                  | Use TOTP
Hetzner         |          |                  | Use TOTP
Kimsufi         |          |                  | Use TOTP
mastodon.social |          |                  | Use TOTP
Amazon.de       |          |                  | Do not activate SMS 2FA as it will allow full account recovery via SMS

Why U2F? Isn’t SMS 2FA enough?

SMS has the following problems:

  1. SMS 2FA can be phished
  2. Your MSISDN (phone number) can easily be hijacked, e.g. via a SIM swap
  3. SMS can be intercepted via SS7

That being said, using SMS mTAN 2FA is more secure than not using any second factor at all! However, that only holds true when SMS is strictly a second factor for authentication. If activating SMS with a service also allows account recovery via SMS, it is weaker than having only a password. You can fully control your password: while it may get phished, it is still within your control not to enter it on phishing sites. With SMS there is nothing you can do against an attacker having your mobile phone provider issue them a replacement SIM card.
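The phishing resistance claimed for U2F above comes from binding the credential to the origin at two places: the token only signs for the appId the key handle was registered under, and the browser (not the page) writes the real origin into the client data that gets signed, which the relying party checks along with challenge freshness and the signature counter. The following is an added example, not code from the original article or from any token vendor, that simulates that flow with both sides' messages. Two assumptions make it run on the standard library alone: the token's ECDSA signature is replaced by an HMAC-SHA256 over the same signed data (the relying party holds the per-credential verification key), and the key-handle wrapping scheme (nonce || MAC over appId and nonce) and the origins example.com / examp1e.com are illustrative, not a description of any specific dongle or service.

```python
"""U2F-style registration and authentication, simulated end to end.

Added example, not from the original article. Assumption: the token's ECDSA
signature is replaced by HMAC-SHA256 over the same signed data, and the
key-handle construction (nonce || MAC over appId and nonce) is illustrative.
"""
import hashlib
import hmac
import json
import secrets

NONCE_LEN = 16  # bytes of random nonce embedded in each key handle (assumption)

def signed_data(app_id, counter, client_data_hash):
    """U2F signature input: appIdHash || userPresence || counter || clientDataHash."""
    return (hashlib.sha256(app_id.encode()).digest() + b"\x01"
            + counter.to_bytes(4, "big") + client_data_hash)

class U2FDevice:
    """Token with one master secret; per-origin keys are derived, never stored."""

    def __init__(self):
        self.master = secrets.token_bytes(32)
        self.counter = 0

    def _prf(self, label, app_id, nonce):
        return hmac.new(self.master, label + app_id.encode() + nonce, hashlib.sha256).digest()

    def register(self, app_id):
        """Return (key_handle, verification_key) for this appId."""
        nonce = secrets.token_bytes(NONCE_LEN)
        return nonce + self._prf(b"handle", app_id, nonce), self._prf(b"key", app_id, nonce)

    def authenticate(self, app_id, key_handle, client_data_hash):
        nonce, mac = key_handle[:NONCE_LEN], key_handle[NONCE_LEN:]
        # Refuse unless the handle was created for exactly this appId.
        if not hmac.compare_digest(mac, self._prf(b"handle", app_id, nonce)):
            raise ValueError("key handle not valid for this appId")
        self.counter += 1
        key = self._prf(b"key", app_id, nonce)
        return self.counter, hmac.new(key, signed_data(app_id, self.counter, client_data_hash),
                                      hashlib.sha256).digest()

def browser_sign(device, page_origin, key_handle, challenge):
    """The browser records the origin the request really came from; a page cannot override it."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion", "challenge": challenge.hex(),
                              "origin": page_origin}, sort_keys=True).encode()
    counter, sig = device.authenticate(page_origin, key_handle, hashlib.sha256(client_data).digest())
    return client_data, counter, sig

class RelyingParty:
    def __init__(self, origin):
        self.origin = origin      # appId == origin in this example
        self.credentials = {}     # key_handle -> [verification_key, last_counter]
        self.outstanding = set()  # challenges issued but not yet consumed

    def register(self, device):
        key_handle, vkey = device.register(self.origin)
        self.credentials[key_handle] = [vkey, 0]
        return key_handle

    def new_challenge(self):
        challenge = secrets.token_bytes(32)
        self.outstanding.add(challenge)
        return challenge

    def verify(self, key_handle, client_data, counter, sig):
        cred = self.credentials.get(key_handle)
        if cred is None:
            return False
        data = json.loads(client_data)
        if data.get("origin") != self.origin:
            return False  # assertion was made for another origin
        challenge = bytes.fromhex(data.get("challenge", ""))
        if challenge not in self.outstanding or counter <= cred[1]:
            return False  # replayed / never issued, or counter did not advance (replay or clone)
        expected = hmac.new(cred[0], signed_data(self.origin, counter, hashlib.sha256(client_data).digest()),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        self.outstanding.discard(challenge)
        cred[1] = counter
        return True

def legit_login(rp, device, key_handle):
    return rp.verify(key_handle, *browser_sign(device, rp.origin, key_handle, rp.new_challenge()))

def phishing_login(rp, device, key_handle, phish_origin="https://examp1e.com"):
    """A phishing page relays the genuine challenge and key handle, but lives on its own origin."""
    try:
        artifacts = browser_sign(device, phish_origin, key_handle, rp.new_challenge())
    except ValueError as exc:
        return "device refused: " + str(exc)
    return "rp accepted" if rp.verify(key_handle, *artifacts) else "rp rejected"

def replay_login(rp, device, key_handle):
    """Submit one genuine assertion twice; the second submission must fail."""
    artifacts = browser_sign(device, rp.origin, key_handle, rp.new_challenge())
    return rp.verify(key_handle, *artifacts) and not rp.verify(key_handle, *artifacts)

if __name__ == "__main__":
    rp, token = RelyingParty("https://example.com"), U2FDevice()
    kh = rp.register(token)
    print(legit_login(rp, token, kh), phishing_login(rp, token, kh), replay_login(rp, token, kh))
```

Note the contrast with SMS and TOTP: the relayed challenge and key handle are exactly what a phishing proxy would forward, and the flow still fails because the token derives its key from the appId and the browser's origin field is part of the signed data. A SIM swap or a phished six-digit code has no equivalent binding.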

Summary

With the services that support U2F, setting it up and using it is straightforward.

Unlike 2 years ago, none of the services tested removes the second factor when doing a password reset. Hence, I was able to secure all services the way I intended … at least the ones supporting U2F.

Unfortunately, the adoption rate of U2F is still low. Something that hopefully WebAuthn will fix.




Appendix: Notes on Individual Service Experiences

In this section I will talk about the experience with individual services.

Github

Requires another 2FA method beside U2F. You can use TOTP.

TOTP has brute force protection, and you receive an email notification if a brute forcing event was detected.

Susceptibility of Github support to social engineering is not known.
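Brute-force protection matters for TOTP because a 6-digit code has only 10^6 values, and a verifier that tolerates clock drift by accepting the adjacent 30-second steps exposes three valid codes per guess, so an unthrottled guesser succeeds with probability about 3/10^6 per attempt. The following is an added example, not the article's or GitHub's code: RFC 6238 code generation (checked against the RFC's own SHA-1 test vectors) and a verifier that accepts a bounded window, refuses to accept a step at or before the last successful one (so a shoulder-surfed code cannot be replayed), and locks the account after a failure budget. The window of one step on each side, the five-failure budget and the one-hour lockout are assumptions, not GitHub's actual parameters.

```python
"""TOTP (RFC 6238) generation and a verifier with brute-force and replay protection.

Added example, not from the original article. The window, failure budget and
lockout duration are assumptions, not any real service's settings.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: dynamic truncation of HMAC(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP over the number of `step`-second intervals since the Unix epoch."""
    return hotp(secret, int(at // step), digits, algo)


class TotpVerifier:
    """Accepts the current step and `window` neighbours on each side, never accepts a
    step at or before the last successful one, and locks out after too many failures."""

    def __init__(self, secret, step=30, window=1, max_failures=5, lockout=3600):
        self.secret, self.step, self.window = secret, step, window
        self.max_failures, self.lockout = max_failures, lockout
        self.failures, self.locked_until, self.last_step_used = 0, 0.0, -1

    def verify(self, code, now=None):
        """Return (accepted, reason)."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return False, "locked"
        current = int(now // self.step)
        for s in range(current - self.window, current + self.window + 1):
            # Steps already used for a successful login are never accepted again.
            if s > self.last_step_used and hmac.compare_digest(hotp(self.secret, s).encode(), code.encode()):
                self.last_step_used, self.failures = s, 0
                return True, "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            # This is where a service would also notify the account owner.
            self.locked_until, self.failures = now + self.lockout, 0
            return False, "locked"
        return False, "bad code"


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 Appendix B test secret (SHA-1)
    print(totp(secret, 59, digits=8))  # 94287082
    print(TotpVerifier(secret).verify(totp(secret, time.time())))
```

The replay rule is the part most implementations forget: RFC 6238 requires that a code which already authenticated a login is not accepted a second time, which is exactly what protects a code typed in public from being reused within its 30-second window.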

Google

Google has among the best security options. You can even disable all other account recovery methods besides U2F.

Problem: Registering a new U2F device does not work via Firefox, see https://bugzilla.mozilla.org/show_bug.cgi?id=1409573. However, using an already registered device works.

Make sure to uncheck "Don't ask again on this computer" on each login. Otherwise, on subsequent logins via the same browser, U2F won't be required. This is especially important when you use a public computer (not recommended), because in that case an attacker would simply need to shoulder-surf your password.

Account takeover is possible if you have a backup email address and the attacker controls your U2F device. Having no recovery email makes account hijacking much more difficult (i.e., it upholds the requirement of two factors). Backup codes still provide a solid way back in.

Recovery email can be removed by editing it and leaving the field blank. (Warning: This may lock you out of your account if you lose your backup codes!)

Advanced Protection also works with two U2F dongles that have neither NFC nor Bluetooth. Obviously, they won't work on mobile devices. The problem with Advanced Protection is that Backup Codes won't work.

Susceptibility of Google support to social engineering is not known.

OVH

OVH’s U2F implementation is pretty much my use case.

Forgot Password sends password reset link via email. U2F or emergency codes are always required.

Susceptibility of OVH support to social engineering is not known.

Twitter

Requires you to give Twitter a phone number to which they send an SMS code required to start setting up 2FA.

You will receive only one Backup code. You can only use this backup code to log in once.

Can only add one U2F device.

SMS password reset codes are brute force protected.

Too many unsuccessful login attempts yield the prompt:

You have initiated too many login verification requests. Please wait an hour before trying again.


Twitter support is susceptible to social engineering. So if your email is taken over, all the attacker has to do is mail Twitter support from your email and they will turn off 2FA. Hence, it doesn't matter what you do. Your account will get compromised … eventually.

Namecheap

Namecheap’s U2F implementation is my use case. You can deactivate all other account recovery options besides backup codes.

Susceptibility of Namecheap support to social engineering is not known.

Facebook

I don’t really use Facebook. But I like their security features, such as sending all emails PGP encrypted, or U2F.

Password resets are via PGP encrypted emails. You won’t get into the account without the PGP key, even if you control the mail account.