Feature #64

Implement U2F token

Added by The 2nd almost 5 years ago. Updated over 4 years ago.

In Bearbeitung
Target version:
Start date:
17 December 2015
Due date:
% Done:



  • Add generic U2F token
  • Implement deployment with OTPme client tools

U2F Specs:
Example server:
Example client:


Feature #66: Allow usage of U2F token as second factor token with "password" tokensIn BearbeitungThe 2nd


#1 Updated by The 2nd almost 5 years ago

Some notes on U2F:

It looks like the "master key" of a U2F token is generated while manufacturing the key and cannot be regenerated by the user. Like described in the links below the reason for this are the attestation certificates. They are used to ensure that the key is not backed-up/cloned and thus the authentication service can use them to apply rules like "only allow U2F tokens from manufacturer X". This is a nice feature for everyone who wants to allow users to roll out their own tokens but want to prevent users from using insecure (e.g. software) tokens. But it also means that you have to trust the manufacturer. Currently there seems to be no way around this. But as yubico stated in the forum post below they could at least sell "un-programmed" tokens that users could load their own keys and attestation certificates to. Another and IMHO better solution would be to allow the U2F feature of the yubikey to use a second slot just like its done for the OTP/static password feature. This would allow us to use the yubikey with a trusted self created secret for your own systems without killing the manufacturer key/certs which may be needed if you want to use the yubikey with a third party that requires valid attestation certificates.

#2 Updated by The 2nd almost 5 years ago

  • % Done changed from 0 to 30

#3 Updated by The 2nd almost 5 years ago

  • % Done changed from 30 to 70

Implemented first working version that can be used to do OTPme realm authentication.

  • Checking U2F counter needs to be implemented
  • Current version misses offline login possibilities

#4 Updated by The 2nd almost 5 years ago

  • Status changed from Neu to In Bearbeitung
  • % Done changed from 70 to 80
  • Implemented counter check using the token counter mechanism for synchronization between nodes/hosts

Also available in: Atom PDF