+4
Planned

Support for U2F USB tokens as additional 2FA method

Michel Meyers 8 months ago • updated by 5b895086 8 months ago 7

Please support FIDO U2F tokens as second factor for two-factor authentication, ideally as an additional option to TOTP/Google Authenticator so that users can chose to use the latter if the former isn't accessible. (e.g. on mobile, where USB-only U2F tokens can't be used)

A library you could use can be found here:

https://github.com/Yubico/php-u2flib-server

Not necessarily. Yubico makes U2F compliant keys, but also has their own authentication methods (like the Yubico OTP implementation proposed in the linked feature request). FIDO U2F is an open standard backed by the FIDO alliance (https://fidoalliance.org/participate/members/) and thus other manufacturers also make U2F keys. (See Amazon for an example selection: https://www.amazon.fr/s/ref=nb_sb_noss?__mk_fr_FR=%C3%85M%C3%85%C5%BD%C3%95%C3%91&url=search-alias%3Daps&field-keywords=u2f)


I do believe most Yubico keys support U2F (at least if this table can be believed https://www.yubico.com/products/yubikey-hardware/ ) as they are a big proponent of the standard (which is probably also why they wrote the linked PHP library for it).

I think I could take benefice of this page => https://developers.yubico.com/U2F/


It provides php classes for U2F. Seems to be generic.

Yes. The PHP library linked from there should be the same one I linked to in the original post. (That github repo also includes examples.)

Yubicos YubiKeys do offer U2F. However it requires one of the following tokens YubiKey 4, YubiKey 4 nano, YubiKey 4C, YubiKey NEO or FIDO U2F Security Key. Any other YubiKey does not provide U2F. All YubiKeys (except for the FIDO U2F) provide static passwords, OTP, OATH – HOTP (Event), OATH – TOTP (Time).
I'm currently using a YubiKey with a static password in combination with my memorized passphrase. Strictly that is no real 2 factor authentication, but provides a nice and long password with a very good entropy. It is an easy way to strengthen security without modifying the source code ;)

BR

Andy

+3
Planned

I've received my yubiko key.

I will implement FIDO U2F in 2.1.28

Hello Nils,

as I have seen you already implemented Google Authenticator and Duo Mobile. I have been playing around with Duo Mobile a little bit. It works quite well. There is some kind of hicup sometimes which lies within the Duo Mobile code. Duo Mobile is a nice little thing that needs an user account (there are free accounts that are limited so companies are driven to paid accounts). After signing in at Duo Mobile, you can add for Teampass as an application a Web SDK and are presented with two keys an an hostname-api. These two keys you insert in the corresponding fields within Teampass admin-area and create a Teampass-specific application key. After saving, you are ready to go. Prepare your mobile devices (Android, iOS) with installing the free Duo Mobile app. You can edit the Policies within Duo Mobile to enable Self Service - so you are able to add as many devices to a user.

Duo Mobile enables a 2 factor authentication with many different methods:

- Duo Mobile Push Message (your device needs to be online)

- Duo Mobile Passcode (works even offline)

- SMS Passcodes

- Hardware Token OTPH/TOTP/Yubikey AES

- Fido U2F


Best regards

Andy