In the modern web a shift towards mobile browsing is an established fact. Web applications implement responsive design (adapting to the screen resolution) and are created with a “mobile first” approach, as the content is often consumed on the go on smartphones and tablets. Therefore full feature parity with desktop browsers is a de facto standard. Unfortunately, it doesn’t apply to the Universal Second Factor (U2F), the most secure commonly available second-factor authentication (2FA) method.
U2F Under Test
To evaluate the current support for U2F on mobile browsers I did a few tests for some popular services. I used the following test environment:
- Samsung Galaxy A3 (2017) smartphone
- Android 8.0.0 operating system
- Chrome 72.0.3626.105 mobile browser
- Firefox 65.0.1 mobile browser
- YubiKey 5 NFC security key
I set up accounts in five services:
- Google
- Twitter
- GitLab
- Yubico Playground
- OVH
I used the NFC key because I believe that swiping it against the mobile device is the most convenient form of communication between the key and the phone. This way I can use USB-A on practically any computer and don’t need adapters to connect the key to the mobile device.
Let’s start with Google. I tried an account with the security key set up as the only 2FA method. It works flawlessly on Chrome. Unfortunately, on Firefox it only says “We could not confirm this account is yours” and I’m unable to log in.
Next is Twitter. I couldn’t log in using the key as the second factor on either Chrome or Firefox. On Chrome Twitter tells me to use a browser that supports USB keys; on Firefox I get the “Incorrect response. Try again.” error message.
The same happened with GitLab. On Chrome it falls back directly to a TOTP code from an authenticator app. On Firefox it tells me to plug in the device or lets me choose to use a TOTP code instead. If I swipe the key anyway, it opens the YubiKey NFC demo page saying that “…the NDEF tag in the key is programmed with this URL”.
When trying Yubico Playground I was able to make it work on Chrome (the same way as with Google). But on Firefox I instantly get an “Operation cancelled” error, and if I swipe the key anyway it opens the YubiKey NFC demo page as well.
As for OVH, not surprisingly I had no luck with Firefox, only a “security key not found” error. Chrome didn’t work either, but in an odd way. I got the same full-screen prompt to swipe the key as with Google and Yubico Playground, but after getting back to the browser it asked me to put the key in the device and didn’t let me in.
Interestingly, both Twitter and GitLab require setting up some other 2FA method in order to enable the security key. It clearly shows how little trust they have in U2F technology and its maturity if they make having a fallback 2FA method compulsory.
Trying five services on two mobile browsers makes it 10 attempts in total, and YubiKey unfortunately lost 2-8 :( I certainly hope the situation will improve soon, because the current state of affairs and the inconsistent experience are definitely not good for U2F’s popularity, and this in turn is not good for the overall security of the web.
On the other hand, all the above-mentioned companies should be praised for implementing U2F after all. I wanted to set it up with a few more accounts and, to my great regret and disappointment, it turned out not to be supported in, for example, ProtonMail, Cloudflare and Zoho.