Protect Gmail with Yubico's U2F Security Key

If your Gmail account matters to you, then Two-factor authentication is a prudent choice.

The first factor is something you know, your password. A password alone can be compromised with keyloggers, phishing attacks and your own reuse of the password across multiple websites.

The second factor is something you have with you physically. There are many options supported by Google for a 2nd factor, but here we will use Yubico's Universal 2nd Factor (U2F) Security Key.

How U2F works

The U2F standard is based on Public Key Cryptography. A U2F USB device maintains a public/private key pair for each website, where we sign in using U2F. The first time we register a U2F device with a website such as Gmail, the USB device generates a new key pair and sends the public key to the site.

When ever we sign in from a new computer, Gmail will send the browser a challenge to be signed with our private key. We insert the U2F USB device, press the button on the USB device and the challenge is signed. Because of the mathematical relationship between the public and private key, a challenge signed with the private key can be verified with the public key. If the signature is authentic, then Gmail knows who ever signed it is in possession of the private key and therefore the physical key on which it is stored.

Is it a hassle?

We don't have to use the U2F USB device every time we sign in. Gmail will offer to remember our computer, the first time we successfully sign in from that computer.

What if I loose the U2F USB device?

Should we ever loose our U2F USB device, then we can fall back on an alternative form of 2nd factor authentication. We will setup our phone as an alternative 2nd factor in a later section.

Does it apply to Android devices?

If we use the same Gmail account on Android devices, then two-factor authentication applies to those devices too. Since we can't use the U2F USB device with our Android devices, they will fall back on an alternative 2nd factor such as our phone. We only have to use 2nd factor authentication, the first time we sign in on an Android device.

Setting up a U2F USB device on Ubuntu

The U2F standard is supported by many vendors. The instructions that follow pertain to the Yubico U2F Security Key. If you have another U2F USB device, then check with the vendor's website.

The Linux kernel triggers an event, when a USB device is plugged in. Such events are caught by Udev, that will add the device node to the /dev file tree. Udev needs a little help to determine the permissions required to access a U2F USB device node. The permissions are configured in a Udev rule file. To install the correct rule file, we first need to determine the version of Udev installed on our system. Open a terminal CTRL+ALT+T and run:

apt-cache show udev
Version: 175-0ubuntu9

Look for the Version attribute in the output, and select the correct Udev rule file below based on that.

VersionRules file
188 or newer
older than 188

The content must be written to a new file named /etc/udev/rules.d/70-u2f.rules. One way of doing that is to use the vi editor:

sudo vi /etc/udev/rules.d/70-u2f.rules

Paste the content from github to the opened file in vi. Exit edit mode with Esc and then write the file content and quit by typing ":wq". Next set the file permissions to match that of other rule files in the same folder:

sudo chmod a+r /etc/udev/rules.d/70-u2f.rules

Udev can use the rules file right away, no need to restart the service.

Enrol in Google 2 Step Verification

To enrol our Gmail account in two-factor authentication, or as Google calls it 2 Step Verification, first sign into the Gmail account from the Chrome browser (at the time of writing U2F support in other browsers are not yet finished).

Start enrolment by clicking the account avatar in the top right corner, then My account -> Sign-in & Security -> 2 Step Verification.

The 2 Step Verification setup takes us through a number of steps to add a mobile phone number for SMS Verification Codes, before we can register the U2F USB device. This is the alternative 2nd factor, that will be used if we loose our U2F USB device, or when we sign in from a device that does not support the U2F USB device. By the end of this sequence of dialogs 2 Step Verification is enabled.

Now it's time to register our U2F USB device. On the 2 Step Verification screen, open the Security Keys tab and press Add Security Key. On the next dialog press Register, then insert the U2F USB device. Press the button on the USB device itself, when it begins to blink.

Now we're all set up.