I have successfully used my YubiKey to get my Chrome and Firefox browsers to get my 2-step verification to work with my Google account.

Unfortunately, I have a few Windows applications which I cannot get to work with my key. I enter my user name in screen 1, my password in screen 2, and then I get the third step, the key:

[Image: U2F prompt screen 3]

I am never able to get this window to recognize my key. I can't even figure out what browser is being used for this authentication. My understanding is that Windows' Internet Explorer 11 does not support FIDO or U2F, so I tried disabling Windows Internet Explorer in hopes it would switch the back end to Edge which might work better. It did not.

What can I do to get these applications and others with a similar interface and prompt to recognize my key? If that is not possible, why? Further, if it is not possible, short of leaving 2-step verification, what alternatives are available?

The Windows Mail application is an example of such an application (this gives a message saying "You can only use your security keys with Google Chrome."). Another example of such an application is UpSafe's Free Gmail Backup, which takes me to the U2F prompt screen image above.

One of my devices is a Feitian MultiPass FIDO. The other is a Yubico U2F FIDO USB key.

BKay
  • 101

1 Answer

The built-in Windows Mail application doesn't have the necessary handlers for FIDO authentication, so that one makes sense. (Also, a persistent mail application isn't something that you'd use with MFA since it needs to be able to run even when you and your token aren't around). For this purpose I'd recommend you set up an App Password just for the Mail app on the trusted device.

It looks like UpSafe (who, shame on them, have literally zero published documentation at their site) is using a browser to make a login call and then running in an isolation context. It is a decent idea, but the wrong way to do security; as an external service performing operations on your behalf, they should use OAuth tokens.

The idea with security and an un-/semi-trusted third-party provider is that they shouldn't ever have access to your passwords (which would let them operate as you, with full control of the account); instead they should have permissions granted to them by you for only the specific items they need (read mail, contacts, etc., but not modify or create). That's where the OAuth comes in.

UpSafe, it seems (I really wish they'd publish documentation, so I could speak about this with more precision), has yet to implement that type of security. If instead they are asking for an interactive login, it would indicate that they are saving your password and using your credentials to access the account (personally, that is a "run away" sign). Since your saved credentials don't work without the 2FA key, they re-prompt you the same way as if you'd changed passwords on them. Rinse. Repeat.

In both circumstances, your issue isn't with Google authentication or the YubiKey. It is with the application performing the login. And neither of these use cases actually works with MFA (they require constant, user-not-present access in order to function properly).

In the case of the Mail application installed on your laptop, it makes sense -- the way a mail application works isn't conducive to MFA and should be set up with an App Password (it isn't a third-party provider doing the access on your behalf, it is still you; but it needs access all the time, even without your key present).

In the case of UpSafe it seems that (pure speculation without any documentation) they are storing and reusing the password (grumble). They are an external third party and really should be using OAuth, but if you trust them and don't mind giving them full access to your account, you can use an App Password for them as well.

Ruscal
  • 624
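To make the answer's OAuth point concrete, here is an added example (not from the question, the answer, or UpSafe) of how a backup tool should obtain delegated, read-only access to a Gmail account instead of asking for the password: it builds a Google authorization request for the gmail.readonly scope with PKCE, and checks that the scopes requested stay within what a backup needs. The client_id, redirect_uri and state values are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Real Google OAuth 2.0 authorization endpoint and Gmail scopes.
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
GMAIL_READONLY_SCOPE = "https://www.googleapis.com/auth/gmail.readonly"
GMAIL_FULL_SCOPE = "https://mail.google.com/"  # full mailbox control; a backup does not need it


def pkce_challenge(verifier: str) -> str:
    """RFC 7636 S256 method: BASE64URL(SHA-256(verifier)) with padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    """Fresh high-entropy PKCE code verifier (43 URL-safe characters)."""
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id: str, redirect_uri: str, verifier: str,
                            state: str, scopes=(GMAIL_READONLY_SCOPE,)) -> str:
    """Authorization request a well-behaved backup service would send the user to.
    The user logs in at Google (2-step verification and all); the app never sees the
    password, only an authorization code bound to these scopes."""
    params = {
        "client_id": client_id,          # placeholder: issued by Google Cloud Console
        "redirect_uri": redirect_uri,    # placeholder: the app's registered callback
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,                  # CSRF token, checked when the callback arrives
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
        "access_type": "offline",        # refresh token so backups can run unattended
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def requested_scopes(url: str) -> set:
    """Scopes an authorization URL asks for (what to review before clicking 'Allow')."""
    query = parse_qs(urlparse(url).query)
    return set(query.get("scope", [""])[0].split())


def exceeds_least_privilege(requested, allowed=frozenset({GMAIL_READONLY_SCOPE})) -> bool:
    """True if the app asks for anything beyond read access to mail."""
    return not set(requested) <= set(allowed)
```

The consent screen Google shows lists exactly the scopes in the URL, so the user can see whether a backup tool is asking for read-only access or for the whole account.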