I have an account with a large financial firm (to remain nameless) which has gotten on the two factor authentication bandwagon for customer access to their web site. A good idea, except, their big push is for a code sent by SMS (which according to recent news has worse vulnerability that a home router.) Their second option is a recording played to a land line phone. This has hijack capability built in - known as call forwarding. And the final option is U2F with a yubikey. And for my question...

Said financial institution is not Linux aware. While much of their infrastructure probably runs on Linux, when I call to report an issue on their web site (such as their link to yubico.com via their "you are leaving our site" warning page being broken) their "technical support" persons blame it on the fact that I am running Linux on my workstation. They have no idea if I can use a yubikey on my Linux machine to connect to their web site.

Q: If a web site can be accessed by the Chrome browser with the expectation that the Chrome browser will obtain U2F credentials from a yubikey and pass them back to the web site... should it matter what OS the Chrome browser is running on?

My searching has found a lot of detailed information about using U2F for controlling access to Linux machines, integrating with various Linux security regimes, dealing with Selinux isues etc. but nothing so simple as being a "civilian" user on a Lunux machine trying to access a U2F secured website.

TIA,

Ken

It shouldn't matter what OS you're on but it probably will :-/. I'm not paranoid, and haven't the energy to worry about technically possible breaches. I'm sure if someone like the NSA thought I was worth hacking, they would get there by means I'm not aware of, even though I try to keep abreast of the big security breaches. Mind you, I'm in a backwater and not sitting on a fortune.

Thanks business_kid,

You are probably correct. From reading the financial institution's web site I learned that some piece of "software" must be downloaded to allow the security key to be used. If this is a Chrome browser addon I might be in business. If it is an .exe - well that smells of Windoze. I think I will start through the signup process and see what downloads. No sense purchasing a key unless there is at least a chance of it working.

Ken

Just a quick update...

The Yubico Security Key works just fine on Linux with the "large financial institution's" web site from my Linux machines. On Ubuntu Mate 16.04 (Raspberry Pi 3B+) and 18.04 on an Intel box the process was seamless. On CentOS 7.5 I had to add a udev file as shown on the Yubico site https://support.yubico.com/support/s...key-with-linux The referenced udev file was NOT present on Ubuntu but it worked anyhow(?)

The only issue I had was when I left the key in the USB slot after logging into the web site. In one case - Google Chrome on CentOS 7.5. - I allowed the site to time me out, closed the browser and powered down the test PC. Later I booted it back up, called up Chrome and found that I WAS STILL LOGGED IN Might have been something to do with the Chrome settings which I had left as installed.

The other issue, which happens on all machines and on Windoze... If the key is left in and I log out and try to log back on, my credentials are no longer recognized. So as long as I pull the key after a successful logon - I am good to go.

For what it is worth... if I could successfully run the "register" test on Yubico's site https://demo.yubico.com/u2f then that machine would connect to the financial web site.

Ken