Blog

Universal Second Factor (U2F) devices were invented as a second factor for websites using two factor authentication. The website sends a challenge, the U2F device responds if its button is pressed. A small LED starts blinking, you press your button and thus confirm the usage.

But you cannot only use U2F devices for websites. Using PAM’s pam_u2f module, you can plug it into any service that uses PAM. This was described in my previous article.

If you want to use your U2F device to unlock your running session, you need to treat it like a key. So, when you leave your desk to grab a cup of coffee, you need to take your key with you. You should of course lock your screen when you leave your desk, too. But wait – couldn’t you combine these steps? Lock your screen by removing your U2F device?

Inspired by a recent article series in the German magazin c’t (1, 2, 3), I got my hands on two simple U2F devices to find out if their usage might help my work pattern.

Imagine sitting in public transportation and having to retype your (root) password for each and every sudo call you issue. Imagine having to retype your password each time your screen lock engages. Imagine just having to touch a small button on a USB device instead.