Securing a Google Account with the Nitrokey FIDO U2F

Google Accounts can be secured with Google's 2-Step Verification. In this post we will set up a Nitrokey FIDO U2F as a 2nd factor for 2-Step Verification. The Nitrokey distinguishes itself from other such products by having open source hardware and firmware.

The Nitrokey FIDO U2F supports U2F 1.2/CTAP1. CTAP1 is the application protocol that defines the types of messages that can be exchanged with the device for 2 factor authentication. The application protocol is bound to a physical transport protocol. In the case of USB keys the transport protocol is Human Interface Device (HID) which should be supported by most operating systems out of the box. CTAP1 is supported by a few browsers such as Chrome and Chromium. Firefox added support for U2F with version 60 but it has to be enabled manually through the browser's about:config page and it didn't work for me with Google's sign-in and Firefox version 63, so I'll stick to Chromium for now.

For this post the OS is Ubuntu 16.04 with a Chromium browser version 70.

Configure the Nitrokey for use in Ubuntu

The browser communicates with the USB key through the Human Interface Device (HID) driver already installed in Ubuntu. However for regular users on Ubuntu to use the USB key, we have to set the permissions through udev - the system that manages plugable devices. Hit CTRL-ALT-T to open the terminal and create a configuration file named /etc/udev/rules.d/70-nitrokey.rules using the vim editor.

$ sudo vim /etc/udev/rules.d/70-nitrokey.rules

Press i to enter insert mode and paste this content:

ACTION!="add", GOTO="rules_end"
SUBSYSTEM=="hidraw*", MODE="0664", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4287", TAG+="uaccess"

Press ESC to exit insert mode and type ":wq" to write the file and quit. Reload the udev rules:

$ sudo udevadm control --reload-rules && udevadm trigger

Register the Nitrokey with Google's 2-Step Verification

Open in Chromium and Sign-in to your Google Account.

Click your icon in the upper right corner and click Google Account in the popup.

Click Sign-in & Security.

Click 2-Step Verification.

Start registration of Nitrokey FIDO u2f as second factor for Google Account 2Step-Verification

Click GET STARTED and sign in again.

Select security key

The website guide will probably suggest to use your phone as a 2nd factor, but we can set that up later. Let's register the Nitrokey first. Click Choose Another Device and click Security Key. Then click Try now.

Disconnect security key

The guide will ask you to disconnect the security key then click Next.

Insert security key

On the next page insert the Nitrokey. If you get a popup that wants to see the make and model and your security key you can choose either Block or Allow. I went for Block.

Security key registered

When you reach the page titled Security Key registered click DONE.

Alternative 2nd factor

We need to set up and alternative 2nd factor because we might loose or break the security key or have to sign in from an Android device that doesn't support the USB key. 

The page we landed on after completing the the registration of the security key has a number of alternatives. Among other to print codes on a piece of paper, the Authenticator App or Voice & Text messages on your phone.

I won't go through the set up of an alternative but do note that while using your phone as an alternative is probably the most convenient and popular method, it is not very safe. A hacker could trick your Cell Phone Carrier to send a SIM card for your phone number and use it to gain access to your Google Account. 

While other alternatives might seem cumbersome, you typically only have to use the 2nd factor the first time you sign-in on an Android device or in a browser (provided you have 3rd party cookies enabled).

The first sign-in from a browser

To test the security key sign-out from your Google Account and close Chromium. Open Chromium again and sign-in to

Sign in to Google Account using Nitrokey FIDO U2F

Enter your password as usual and then insert the Nitrokey when prompted to do so. You are done.