Using U2F 2-factor keys with Node.js
I recently took advantage of Yubico and GitHub's hard to pass up $5 key deal and my shipment finally arrived. The implementation is pretty different from the keyboard-emulating OTP or TOTP keys, so I figured I'd dive in and learn what it takes to implement this in a web app. As intended by Yubico and GitHub, implementing this in your own application is super simple. In this case, I'll be using Node.js, but they have examples for other languages.
I built the following basic example based on the instructions in the u2f package README.
It more or less worked out of the box. A few important notes:
- APPID is your application's top-level URL, though there are other options for this
- The web page must be served over HTTPS
- Currently only Chrome supports U2F out of the box. Other browsers need extensions at this time, but both Mozilla and Microsoft are working on mainlining this
- Familiarize yourself with the client error codes
- There is obviously no real user system in this example, but it's hopefully clear enough on how this would be implemented in a full app
- As usual, consult with a security researcher to verify your implementation is working as intended
The repository for this example is here.