FIDO U2F on Mac and iOS Demystified

The Multipass works with most computers and mobile devices

I will be posting multiple articles about securing consumer and enterprise Google environments in the next few months, and I will start with a relatively simple, yet very important first step: Using FIDO U2F keys for multi-factor authentication, on consumer accounts, with Advanced Protection.

If it sounds complicated, well, the great news is that it is fairly straight forward, and compatibility has greatly improved in the last year, especially on iOS.

Why do we need U2F? Well, sufficiently advanced attackers could get you to leak a second-factor code, or could social engineer your phone company into getting your phone number redirected to their SIM, or break into your voicemail. As such, SMS or TOTP/code based 2FA makes attacks much more complicated, but it does not make phishing attacks impossible. Using a hardware security key, however, makes it impossible for the user to accidentally leak the second factor. Google themselves state that successful phishing has completely stopped for them since they started enforcing the use of security keys.

U2F, once configured, is also very user friendly, does not require a cellphone with SMS capabilities, which is unsafe AND annoying, and does not change your day to day workflow on mobile devices.

In this post, we will enable UF2, Advanced Protection, and connect to the account with a regular PC/Mac browser, as well as with Google and OEM Apps from an iOS device.

If you wish to retain full compatibility with all 3rd party clients, you can simply add the U2F keys as “additional Second Step” methods. This will not protect you from all the vulnerabilities the other options have, but it will improve security by simply making sure you use the other methods as infrequently as possible. All other MFA capabilities will remain enabled, and recovery will be unchanged.

What you’ll need

  • A consumer Google account (G Suite Accounts will be covered in a future post, as they do not support Advanced Protection directly)
  • A system with the full Chrome browser (Mac, PC or ChromeOS)
  • A device running iOS
  • Two U2F Keys that work with your different systems

U2F Keys

Different keys exist, with a lot of different features. For the purpose of this article, we do not need keys with advanced functionality, like OpenPGP, TOTP features, etc. All we need are U2F certified keys that work with the systems you are using, which means they must support the right interface. You will need at least two. Remember, Google is not the type of company that would let you walk into a customer service office for recovery, and the whole point of this is to make your Google account hard to steal, so you do not want to lose all U2F keys linked to that account.

  • PC/Mac/ChromeOS: USB-C and USB-A options exist, with or without a cable. I prefer the small ones you can leave in a laptop all day without a wire. A very functional, super cheap basic key I have found, bought for about $10 and am using to write this post is the HyperFIDO Mini (U2F Security Key). A higher-end option with support for other protocols, such as OpenPGP and SmartCard support, would be a Yubikey 4 Nano or 4C Nano for that clean look on USB-C laptops.
  • iOS: iOS only recently started allowing NFC access via APIs, and as such, very few apps support it. For this reason, Bluetooth Low-Energy (BLE) is required for compatibility purposes. It is not the greatest protocol for this, but as we will use it only during account setup, it’s better than nothing. I am using a Feitian MultiPass FIDO Security Key for this, which is the same Google branded as “Titan”.
  • Android: NFC is ideal, as it is very straightforward to use. The Feitian MultiPass FIDO Security Key also supports NFC, and as such is a good all-around choice to use.

As you can see, with the Feitian MultiPass FIDO Security Key, you’re good to go with most devices. It does not have a USB-A or USB-C port directly on it and requires a cable, not the cleanest fit for all laptops. Since we need two for redundancy purposes, getting a very compatible one and a very small one to leave in your laptop is a great, convenient way to achieve that.

You will need the NFC or BLE key only when adding accounts to your phone or verifying your Google accounts by logging in again, not every time you check your mail.

Google Account

Log into your consumer Google account from Chrome, and visit the Advanced Protection page.

You will be asked to register two keys.

Register the two keys

Follow the wizard to add your two keys.

The Advanced Protection wizard will clearly explain the limitations of an account protected with it.

Read the limitations of Advanced Protection carefully

As a Mac user, here are some important things to be aware of, which are perhaps not very clear from this screen:

  1. As of the current version of macOS (High Sierra), in July 2018, Safari does not support U2F keys. I also tested the Safari Developer Preview, and tested in Mojave Beta. You will have to use Chrome (Firefox is also rolling out U2F support and should work).
  2. You will not be able to use your account in Safari if you turn on the Advanced Protection mode. You will not be able to use the macOS native applications like Mail.app and Calendar either. Some articles mention that it is compatible — they usually simply forget to highlight the fact that they mean on iOS. They are NOT compatible on Mac.
  3. App Passwords will not be available anymore.

If you do want to use Safari, I recommend not enabling Advanced Protection, enabling 2FA with TOPT codes, and setting up the keys as a second method to authenticate as described at the beginning of this article.

Once you enable Advanced Protection, you will get kicked out of all existing sessions. You should now be able to login from your browser, simply by clicking the button of your U2F key after you enter your password.

Connecting iOS Devices

Pairing the BLE key is quite straightforward
  1. Install the Google Smart Lock app.
  2. Login to your Google account.
  3. Follow the wizard to pair your BLE key.
  4. Login to it to generate a six digit token to setup iOS devices. This code will be valid for five minutes.
  5. Go to your phone’s preferences, and add a Google account as you usually would. The only difference is you must paste in the six digit code within five minutes.
  6. You will now also be able to setup all the standard Google apps, as they will redirect you to Google Smart Lock for authentication, where you can simply click your Multipass key.

The experience of using Advanced Protection on iOS is therefore almost unchanged, unlike on the Mac. You now simply have much greater protection.

Don’t take away my iOS 1st party apps!

Recovery

If you are using Advanced Protection, you have no second-factor other than the U2F keys you added. As they are relatively cheap, I would recommend buying more than you need and keeping at least one in a very safe place.

If you do lose access to them, and try to recovery, you will be prompted with the following:

Recovery Options

If you do request Google’s help, be ready to answer questions such as..

When did you create this account?

You will then need to provide Google with an alternate way of contacting you.

This is a process I would much prefer avoid completely, by keeping a healthy supply of configured U2F keys stored safely.

Disclaimer: Links to hardware devices in this article point to Amazon Affiliate links. This is simply a way for us to offset the cost of buying different devices for testing. Any device not available on Amazon gets directly linked, and none of the devices mentioned in this article were given by any vendor.