So, there’s this cool thing called U2F, for Universal 2nd Factor, a dead simple second authentication method in the form of a physical token (I’m using a Yubikey Neo, but that’s not specially relevant to we’ll be talking about here as it should apply to any security key).
To put in simpler term: with U2F to log in to a website you need the password and a physical doodad plugged in the computer. No doodad, no access. Sorry evildoers.
The idea being that while it’s possible to steal credentials (login and password), if you need also a physical thing, then just the credentials on their own are not useful.
With “trust-us-because-we-run-a-super-advanced-global-scale-Internet-infrastructure” companies like Facebook storing hundreds of millions of credentials in the clear (good job Facebook, no, really), it makes sense to use something that can’t just be stolen over the Internet.
So enabling U2F wherever you can is a good idea (as is having multiple physical security keys, as you will lose one or have it stolen).
Just show me how and stop blabbering
Fair enough. Let’s look at how to enable U2F security keys on Github in April 2019.
First of all, you’ll need to go to your Github account’s security settings and enable Two Factor Authentication (or 2FA as we cool kids call it, yo.). Github currently forces you to enable another 2FA method first, either SMS (erk) or TOTP (yes), so you’ll have to do that first. (Hint: you can use decent, FOSS apps to do TOTP on your phone).
Unfortunately for us, U2F is not enabled by default in current versions of Firefox (66.0.1 as i write this).
Luckily, it’s very simple to enable however, visiting `about:config`, searching for “U2F” and setting the following to true:
Security.webauth.U2F = true
More disheartening is the fact that even with this setting enabled, Github won’t let you add a key to your account, insisting instead that you “update to the latest version of Google Chrome”.
Not going to do that.
Instead, you can simply use Firefox’s developer tools to unhide the button that lets you add a security key.
To do so, open the Developer Tools (hitting F12 will do nicely) and in the Inspector, search HTML for:
You should find a div element with a CSS display set to “none”, as shown in the CSS viewer (located to the bottom or to the right of the main inspector pane, depending on if your dev tools ar docked to the right or to the right, respectively).
Then, just untick the box next to “display: none;” and the “Register new device” button will appear.
The following screenshot might help:
After that, everything works as you’d expect: you click the button, plug your key in, touch its button if it has one, give it a name to recognise with on Github, and you’re done.
Good, one less website to authenticate to without 2FA.