Using U2F 2-factor keys with Node.js

I recently took advantage of Yubico and GitHub's hard-to-pass-up $5 key deal, and my shipment finally arrived. The implementation is quite different from the keyboard-emulating OTP or TOTP keys, so I figured I'd dive in and learn what it takes to implement this in a web app. As intended by Yubico and GitHub, implementing this in your own application is very simple. In this case, I'll be using Node.js, but they have examples for other languages.

On the backend, I went with the u2f node package. For the frontend, the recommended route is the U2F JavaScript API.

I built the following basic example based on the instructions in the u2f package README.

It more or less worked out of the box. A few important notes:

  • APPID is your application's top-level URL, though there are other options for this
  • The web page must be served over HTTPS
  • Currently only Chrome supports U2F out of the box. Other browsers need extensions at this time, but both Mozilla and Microsoft are working on mainlining this
  • Familiarize yourself with the client error codes
  • There is obviously no real user system in this example, but it's hopefully clear enough on how this would be implemented in a full app
  • As usual, consult with a security researcher to verify your implementation is working as intended

The repository for this example is here.

Happy Hacking!