I'd love to see FIDO U2F as a method for two factor authentication. Implementation is pretty straightforward, and increases security dramatically.
Could you please add some information/docs on this method? I am unfamiliar with it.
The specifications can be found here. There is a C# server library which can be of use. I'm totally inept to add this unfortunately as I don't posses any C#/.NET skill.
What type of device is normally used for this?
Normally for a web login, as it is a physical key (for example this one).
Ok cool, so it's the YubiKey thing I have heard about. Is there a test key that can be used for implementation or do I need to buy one?
Well you got this one, but it's a JavaScript implementation. Not sure there is C# variant.
It doesn't need to be C#. Anything will do.
Just use the JavaScript library then, as it's solid.
I have a Yubikey and would like to contribute. Can I jump in here?
If you would like to contribute you are more than welcome to. Join our gitter if you need any help getting started: https://gitter.im/bitwarden/Lobby
Yubikey authorization would be amazing
BTW firefox has a FIDO U2F emulator built into it - makes testing easy
https://bugzilla.mozilla.org/show_bug.cgi?id=1065729
search for webauth.u2f
+1 for YubiKey support. Any status updates?
This is planned fro release with our premium memberships which we hope to have out this summer.
I ordered my Yubikey NEO today so I'll start playing around with it soon.
I don't see a good way to support U2F at this time. It seems it is only possible to make it work on web browsers (chrome). How would we handle other clients such as Android/iOS?
I am planning to implement YubiKey OTP, however. iOS appears to still be out of the question there though since NFC support is lacking.
iOS 11 seems to include full NFC support, so it'll be possible later on this year. (NFC chips were already widely available as it's the underpinnings of Apple Pay, but the APIs weren't exposed to 3rd party developers. That is what seems to be changing, IIUC.)
Android and iOS support of U2F will require some sort of library that can read the NFC signal from the Neo, or Bluetooth LE for future planned devices, and do the regular handshake. Web browsers implement handling that protocol over USB and were the first to widely deploy it so that's where most of the current tutorials focus on but U2F isn't solely browser-centric.
For an example of Android, Google implemented U2F support as part of Google Authenticator. It's open source and on Github so that might be a place to start. Reading some blog posts implies that there will be an intent other apps can use to handle the U2F protocol for them? But I don't see the source code for the U2F-over-NFC handling, so that's a bummer.
edit: Seems like there are at least a couple of demo applications (Ledger's, Yubico's) for Android & U2F, so there's some public code to start off with.
I've got U2F configuration and authentication working with the web vault now. I'm still a bit in the dark about if/how this will be possible to work with the browser extension (lack of HTTPS protocol), Android (lack of implementation example), and iOS (lack of implementation example).
This is done for next release and will be available in the web vault and browser extensions where browser support is available.
Most helpful comment
I've got U2F configuration and authentication working with the web vault now. I'm still a bit in the dark about if/how this will be possible to work with the browser extension (lack of HTTPS protocol), Android (lack of implementation example), and iOS (lack of implementation example).