Soft U2F
In an effort to increase the adoption of FIDO U2F second factor authentication, we’re releasing Soft U2F: a software-based U2F authenticator for macOS. We’ve long been interested in promoting better…
In an effort to increase the adoption of FIDO U2F second factor authentication, we’re releasing Soft U2F: a software-based U2F authenticator for macOS.
We’ve long been interested in promoting better user security through two-factor authentication on GitHub.com. Initially, we added support for TOTP-based 2FA. A few years later, we added support for FIDO U2F. U2F provides a better user experience, while overcoming several security shortcomings of TOTP. Unfortunately, U2F adoption has been low, presumably due to the need to purchase a physical device.
In order to lower the barrier to using U2F, we’ve developed a software-based U2F authenticator for macOS: Soft U2F. Authenticators are normally USB devices that communicate over the HID protocol. By emulating a HID device, Soft U2F is able to communicate with your U2F-enabled browser, and by extension, any websites implementing U2F.
The Soft U2F installer can be downloaded here and the source code can be found here. Contributions to the project are welcome.
Security considerations of hardware vs. software key storage
A USB authenticator stores key material in hardware, whereas Soft U2F stores its keys in the macOS Keychain. There is an argument to be made that it is more secure to store keys in hardware since malware running on your computer can access the contents of your Keychain but cannot export the contents of a hardware authenticator. On the other hand, malware can also access your browser’s cookies and has full access to all authenticated website sessions, regardless of where U2F keys are stored.
In the case of malware installed on your computer, one meaningful difference between hardware and software key storage for U2F is the duration of the compromise. With hardware key storage, you are only compromised while the malware is running on your computer. With software key storage, you could continue to be compromised, even after the malware has been removed.
Some people may decide the attack scenario above is worth the usability tradeoff of hardware key storage. But, for many, the security of software-based U2F is sufficient and helps to mitigate against many common attacks such as password dumps, brute force attacks, and phishing related exploits.
Written by
Related posts
Breaking down CPU speed: How utilization impacts performance
The Performance Engineering team at GitHub assessed how CPU performance degrades as utilization increases and how this relates to capacity.
How to make Storybook Interactions respect user motion preferences
With this custom addon, you can ensure your workplace remains accessible to users with motion sensitivities while benefiting from Storybook’s Interactions.
GitHub Enterprise Cloud with data residency: How we built the next evolution of GitHub Enterprise using GitHub
How we used GitHub to build GitHub Enterprise Cloud with data residency.