U2F

U2F is the acronym for Universal 2nd Factor, a standard for hardware security keys used as a second factor to secure credentials for web sites and applications. I got interested in U2F when I read an article about Google requiring U2F security keys for their employees. They contracted with Yubico (see Yubico.com) for the keys. Here is something similar to what was issued to each employee:

This key is designed to be inserted into a USB-A port. Others are designed for USB-C.

After an extended trial, Google reported that the problem of employee accounts being compromised by phishing attacks had been eliminated.

Google then announced that they would begin selling their own version of a security key called "Titan". The Titan keys are made in China and the Yubico keys (called Yubikeys) are made in the U.S. and Sweden. Personally, I will not use a Chinese product that is supposed to keep hackers out of my accounts.

I purchased a Yubikey 4 NFC key from Yubico and configured it to secure my Google accounts, my password manager and other sites like GitHub, Twitter, etc. Later I received a Yubikey 4 (minus NFC) as a Wired magazine subscription promotion.

The Yubikeys I have also support OATH OTP, which some sites offer instead of U2F. If you're familiar with setting up a Time-based One-Time Password (TOTP) second factor, then you have seen something like the following:

When setting up a new credential for an authenticator app (Yubico Authenticator or Google Authenticator, for example), you are supposed to scan the QR code with a smartphone and enter the 6-digit number that the app generates. At this point the QR code disappears from the screen. If you later receive another key, lose one and replace it, or change phones (Google Authenticator app), you have to go through the process of setting up new credentials for each web site that uses OTP.

Fear not, there is a trick I learned that avoids the hassle. When the QR code is displayed on the screen, capture the screen (Alt-PrtSc) and save it as a file. I like to bring up the image in an image editor and crop out everything except the QR code. Save the file with the name of the web site, e.g. Twitter.png. When you are ready to set up credentials on another security key, just drag the file into an open Chrome browser tab, run Yubico Authenticator (move it off to the side so you can see the entire QR code), select File > Scan QR code... and, just like magic, the app scans the QR code and creates a new credential (don't forget to save the credential). The same thing applies to the Google Authenticator app: when the QR code is displayed on the screen, just scan it with your phone and you're all done.

I save all my QR code images to a thumb drive and store it in a gun safe along with spare Yubikeys.