Implement U2F token
#1 Updated by The 2nd over 4 years ago
Some notes on U2F:
It looks like the "master key" of a U2F token is generated while manufacturing the key and cannot be regenerated by the user. As described in the links below, the reason for this is the attestation certificates. They are used to ensure that the key is not backed up/cloned, and thus the authentication service can use them to apply rules like "only allow U2F tokens from manufacturer X". This is a nice feature for everyone who wants to allow users to roll out their own tokens but wants to prevent users from using insecure (e.g. software) tokens. But it also means that you have to trust the manufacturer. Currently there seems to be no way around this.

But as Yubico stated in the forum post below, they could at least sell "un-programmed" tokens that users could load their own keys and attestation certificates onto. Another, and IMHO better, solution would be to allow the U2F feature of the YubiKey to use a second slot, just like it's done for the OTP/static password feature. This would allow us to use the YubiKey with a trusted, self-created secret for your own systems without killing the manufacturer key/certs, which may be needed if you want to use the YubiKey with a third party that requires valid attestation certificates.
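The attestation check the comment describes, as an added example that is not part of the original issue and not code from Yubico or any U2F library: a cut-down model in which a manufacturer root key signs a token's attestation key at the factory, the token signs every registration with that burned-in attestation key, and the relying party chains the attestation "certificate" back to an allow-listed manufacturer root before accepting the registration. It goes one step beyond the comment by also running a self-provisioned token (the "second slot" idea) against a policy that trusts the user's own root. Assumptions, all of them constructed for this example: the "certificate" is a signed `public key || manufacturer name` blob rather than X.509, the key handle is random filler rather than a wrapped private key, the manufacturer names, appId and challenge are made up, and the ECDSA is a pure-Python P-256 included only so the block runs offline (not constant-time, not for production).

```python
import hashlib
import secrets

# --- Minimal P-256 ECDSA in pure Python (illustration only: not constant-time) ---
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A, B = P - 3, 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p1, p2):
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0: return None                 # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):                                           # double-and-add
    acc = None
    while k:
        if k & 1: acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, _mul(d, G)

def sign(d, msg):
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s: return r, s

def verify(q, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N): return False
    z, w = int.from_bytes(hashlib.sha256(msg).digest(), "big"), pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, q))
    return pt is not None and pt[0] % N == r

def encode_point(q):
    return b"\x04" + q[0].to_bytes(32, "big") + q[1].to_bytes(32, "big")

def decode_point(raw):  # parse an uncompressed point; reject malformed or off-curve input
    if len(raw) != 65 or raw[0] != 4: raise ValueError("bad point encoding")
    x, y = int.from_bytes(raw[1:33], "big"), int.from_bytes(raw[33:], "big")
    if x >= P or y >= P or (y * y - x ** 3 - A * x - B) % P: raise ValueError("not on curve")
    return x, y

# --- Cut-down model of U2F attestation (the "cert" is a signed blob, not X.509) ---
class Manufacturer:
    def __init__(self, name):
        self.name, (self.root_priv, self.root_pub) = name, keygen()
    def provision_token(self):
        """Factory step: burn in an attestation key plus a cert signed by the root."""
        att_priv, att_pub = keygen()
        body = encode_point(att_pub) + self.name.encode()
        return Token(att_priv, (body, sign(self.root_priv, body)))

class Token:
    def __init__(self, att_priv, cert):
        self._att_priv, self.cert = att_priv, cert  # fixed at manufacture; the user cannot replace it
    def register(self, app_param, challenge_param):
        _, pub = keygen()                           # fresh per-registration key pair
        user_pub, key_handle = encode_point(pub), secrets.token_bytes(32)  # handle is opaque filler here
        # U2F raw registration: sign 0x00 || appParam || challengeParam || keyHandle || userPublicKey
        msg = b"\x00" + app_param + challenge_param + key_handle + user_pub
        return user_pub, key_handle, self.cert, sign(self._att_priv, msg)

def verify_registration(resp, app_param, challenge_param, trusted_roots):
    """Relying-party side: chain the cert to an allow-listed root, then check the registration signature."""
    user_pub, key_handle, (body, cert_sig), reg_sig = resp
    try:
        att_pub, manufacturer = decode_point(body[:65]), body[65:].decode()
    except (ValueError, UnicodeDecodeError):
        return False
    root = trusted_roots.get(manufacturer)
    if root is None or not verify(root, body, cert_sig):   # unknown vendor or forged cert
        return False
    msg = b"\x00" + app_param + challenge_param + key_handle + user_pub
    return verify(att_pub, msg, reg_sig)

def demo():
    """Returns (genuine X token, vendor Y token, software token forging X's name) under an
    "only Manufacturer X" policy, plus a self-provisioned token under a policy trusting its own root."""
    vendor_x, vendor_y, own = (Manufacturer(n) for n in ("Manufacturer X", "Manufacturer Y", "Self"))
    policy_x, policy_own = {vendor_x.name: vendor_x.root_pub}, {own.name: own.root_pub}
    app = hashlib.sha256(b"https://example.org").digest()          # constructed appId hash
    chal = hashlib.sha256(b"constructed challenge").digest()        # constructed challenge hash
    check = lambda tok, pol: verify_registration(tok.register(app, chal), app, chal, pol)
    d, q = keygen()                                                  # software token with its own key
    body = encode_point(q) + b"Manufacturer X"                       # self-signed cert claiming to be X
    forged = Token(d, (body, sign(d, body)))
    return (check(vendor_x.provision_token(), policy_x), check(vendor_y.provision_token(), policy_x),
            check(forged, policy_x), check(own.provision_token(), policy_own))
```

`demo()` returns `(True, False, False, True)`: the genuine token passes, a valid token from a vendor not on the allow-list fails, a software token that merely claims the manufacturer's name fails because its cert does not chain to the trusted root, and a self-provisioned token is accepted only by a relying party that has chosen to trust that root. That last case is the trade-off the comment is pointing at: a self-created attestation key works for your own systems, but a third party that pins the manufacturer root will reject it, which is why replacing the factory key is a loss and a second slot would not be. A real U2F registration response carries the same concatenation under the signature, with a DER X.509 certificate in place of the signed blob used here.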