U2F Support - Modern Smart Card

[JoelAtMicron21]

Hello PasswordState Team,

 

Long time user, first time poster. We've used ClickStudios Passwordstate since like 2015 or maybe even earlier. It's great, we love it, and live by it.

 

We want to make our lives easier, and also more secure by employing MFA, and we have a preference to use Hardware tokens. The industry standard at the moment is U2F. This was previously requested but since archived/closed. We would like to +1 this request (plus all the exisitng posts requesting it on this original thread - Re-Requesting as it was closed/archived:

 

As Martin W quite elegantly put it: "U2F is slightly better than Yubico OTP see https://www.yubico.com/authentication-standards/fido-u2f/"

 

The benefits of U2F are that a user can self-enroll, and reduces the administration/overhead of an organisation managing hardware tokens. It has all the benefits of hardware tokens, without the hassle of Yubikey's software enrollment, and without the limitations of using up a "yubikey's slot". In this way, it behaves more like an authenticator app, than a specific and singular public key. Most yubikeys only have one or two slots for OTP, but can be used as a U2F device without limit.

 

Ultimately, we want to enable hardware-token MFA for our password vault

* at a minimum, at login, but if possible:

* ideally, when requesting access to view "more secure" password lists.

This means that for some users, they can authenticate with just a username and password, and for more secure lists we can add other authentication requirements, not too disimilar to the PIN method password state already supports.

 

Consider the user story:

# As a user, I want a simple authentication process, but a secure hardware token for the most secure lists

I go to https://passwordstate.mycompany.com and log in with my credential. I can view the lists I need unprivileged access to.

My passwordstate administrators have set up more secure lists that require further authentication - for example, they require a PIN. This is troublesome as I need to request to pin, wait for the email, and enter the PIN. If my session times out and I come back to this screen, the system will email me another PIN.

 

It would be easier if I could tap my hardware key.

 

Please let me know if you need any more information.

 

 

[IT Division]

+1

[Goossens]

+1

FIDO U2F is important, but FIDO2 with passwordless logins should not be ignored either.

The best choice is probably to add support for WebAuthn to PasswordState. As I understand it, this would allow the use of U2F devices as a 2nd factor as well as FIDO2 devices for passwordless login. This includes Passkeys, Yubikeys, Windows Hello and others. Platform support for WebAuthn is very good nowadays.

Refs:

• https://fidoalliance.org/fido2-2/fido2-web-authentication-webauthn/
• https://www.nitrokey.com/blog/2022/fido2-webauthn-passkeys-2022-and-2023
• https://support.yubico.com/hc/en-us/articles/360016615020-Operating-system-and-web-browser-support-for-FIDO2-and-U2F

Related:

 

[YawnBros]

+1

[chrisw]

Another +1

U2F is now the accepted standard and allows users to easily self subscribe to the system without the need to register with the Yubi API

(It also means that you are specifically tied to Yubikeys (which are expensive)   

 

Any Fido2 key which has U2F can be used straiht out of the box with most other browser based services these days