
What is the attack scenario you feel a hardware token protects you against that a software token will not (for the use cases U2F was designed for)? Sure, hardware tokens prevent malware from actually lifting your private keys. But, to steal your software private keys you likely need malicious code running on your computer. And, once an attacker has that, it is largely game over for all intents and purposes anyway. They can ask your hardware token to sign bogus requests, steal your passwords, etc. Sure, with a hardware token you can wipe your machine and feel semi-confident that you get to keep your private keys. But, really, once your machine has been compromised and you wipe it, setting up new private keys sounds like a wise practice regardless. I'm not arguing that hardware tokens have zero use. But, for most users, the attack model where hardware tokens shine is likely not of value to them.


I may be mistaken (and I'm sure someone will point out if I am) but I think most hardware U2F tokens require you to physically press something on the token to validate that it should pass over your keys.

The soft U2F solution presented here still prompts you, but it is easier to imagine the software being modified/owned on a compromised machine than the hardware token being hacked in such a way as to hand over the keys without a physical press.


From my testing of several hardware U2F implementations, the test-of-user-presence (touching the button) unlocks the device for an amount of time. During this time multiple authentications/registrations will succeed without further user interaction. Even without this behavior though, hardware tokens don't indicate which site you're authenticating with. Malware could just make an authentication request right as some user action triggers a legitimate authentication request.


Once you have malicious software running it is largely game over. Sure, the hardware token can require a press... but once pressed what challenge is being signed? Malware can just wait and send a challenge for Site A when you are actually trying to sign into site B. Or, the malware can just wait until you login and steal your browser cookies. Oh, also, Soft U2F can require a similar physical touch if you have a Mac with Touch ID.


At least for my U2F token, I'm being shown the site I'm signing for on a hardware screen.


Which device are you using? With U2F, the browser doesn't send the name of the site to the authenticator.


I'm using Trezor, I believe it has been preloaded with certain websites so it knows GitHub and Google and the like.

It also shows parts of the public key (or so I believe, it is a unique identifier) per website.
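
Added example, not part of the original thread: a sketch of the U2F authentication request body, showing that the token receives only SHA-256 hashes (the challenge parameter and the application parameter), so a screen can show a name only for hashes it already knows. The app IDs, the preloaded table, the abbreviated client data and all function names are constructed for illustration.

```python
import hashlib


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Constructed preloaded table: SHA-256(app ID) -> label. The app ID and label
# are made up for illustration; a real device would ship its own list.
KNOWN_APPS = {sha256(b"https://site-a.example"): "Site A"}


def build_auth_request(app_id: str, client_data: bytes, key_handle: bytes) -> bytes:
    """Client side. Body layout from the U2F raw message format:
    challenge parameter (32) | application parameter (32) | len (1) | key handle."""
    if len(key_handle) > 255:
        raise ValueError("key handle too long")
    return (sha256(client_data) + sha256(app_id.encode("utf-8"))
            + bytes([len(key_handle)]) + key_handle)


def parse_auth_request(body: bytes):
    """Token side: split the body, rejecting truncated or padded input."""
    if len(body) < 65:
        raise ValueError("truncated request")
    challenge, app_param, kh_len = body[:32], body[32:64], body[64]
    key_handle = body[65:]
    if len(key_handle) != kh_len:
        raise ValueError("key handle length mismatch")
    return challenge, app_param, key_handle


def display_label(body: bytes) -> str:
    """What a token with a screen could show: a name only if the hash is preloaded."""
    _, app_param, _ = parse_auth_request(body)
    return KNOWN_APPS.get(app_param) or "unknown app " + app_param.hex()[:16]


if __name__ == "__main__":
    handle = bytes(64)  # constructed key handle
    for app_id in ("https://site-a.example", "https://site-b.example"):
        # Constructed, abbreviated client data; real client data also carries the challenge.
        client_data = ('{"typ":"navigator.id.getAssertion","origin":"%s"}' % app_id).encode()
        print(app_id, "->", display_label(build_auth_request(app_id, client_data, handle)))
```

For an app ID outside the table the token has nothing readable to display, only a hash prefix that the user would have to recognise.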


Well, physical presence is huge - your software-compromised token can sign an infinite number of bogus token requests, whereas with hardware, you'd have to be an idiot to press the button for random requests, or repeatedly; and has nothing to do with stolen passwords.

The best an attacker can do at that point is access whatever account-specific token that was 'intercepted', and use that until it expires on whatever site... which if implemented correctly won't let you make any major changes without your token press - aka, software-token just gave up your account, where hardware would have stopped it.


You can use a hardware token on multiple machines.

My bank, for example, has both your password entry and the private keys on the token. All you ever enter onto a computer or smartphone is the one-time password, even when using their smartphone app.

I like my bank.



