Securing a Google Account with the Nitrokey FIDO U2F

Google Accounts can be secured with Google's 2-Step Verification. In this post we will set up a Nitrokey FIDO U2F as a 2nd factor for 2-Step Verification. The Nitrokey distinguishes itself from Yubico's U2F Security Key by having open source hardware and firmware.

Firefox added support for U2F in version 60, but it has to be enabled manually through the browser's about:config page, and it didn't work for me with Google's sign-in on Firefox version 63, so I'll stick to Chrome or Chromium for now.

For this post the OS is Ubuntu 16.04 with Chromium browser version 70.

Configure the Nitrokey for use with Ubuntu

The browser communicates with the USB key through the Human Interface Device (HID) driver already installed in Ubuntu. However, for regular users on Ubuntu to use the USB key, we have to set the permissions through udev, the system that manages pluggable devices. Hit CTRL-ALT-T to open the terminal and create a configuration file named /etc/udev/rules.d/70-nitrokey.rules using the vim editor.

$ sudo vim /etc/udev/rules.d/70-nitrokey.rules

Press i to enter insert mode and paste this content:

# Skip everything below unless a device is being added
ACTION!="add", GOTO="rules_end"
# Nitrokey FIDO U2F (USB id 20a0:4287): make the hidraw node group-writable and
# grant the locally logged-in user access via the uaccess tag
SUBSYSTEM=="hidraw*", MODE="0664", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4287", TAG+="uaccess"
# The GOTO above needs a matching label, otherwise udev rejects the rule file
LABEL="rules_end"

Press ESC to exit insert mode and type ":wq" to write the file and quit. Reload the udev rules:

$ sudo udevadm control --reload-rules && sudo udevadm trigger
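To confirm that the rule took effect before going to the browser, the following added script (not from the original post) looks for the Nitrokey's hidraw node through sysfs and reports whether the current, non-root user can open it for reading and writing. The USB ids 20a0:4287 are the ones in the udev rule above; the assumption that /sys/class/hidraw/hidrawN/device/uevent contains a line of the form HID_ID=bus:vendor:product is mine.

```python
"""Check that the Nitrokey FIDO U2F is visible via hidraw and accessible to
the current user.  Added example; not code from the original post or Nitrokey.
Assumption: /sys/class/hidraw/hidrawN/device/uevent carries a line
HID_ID=<bus>:<vendor>:<product> with hex fields."""
import os
import re
import sys

# USB vendor/product ids from the udev rule in the post
NITROKEY_VID = 0x20A0
NITROKEY_PID = 0x4287
SYSFS_HIDRAW = "/sys/class/hidraw"

_HID_ID_RE = re.compile(
    r"^HID_ID=([0-9A-Fa-f]+):([0-9A-Fa-f]+):([0-9A-Fa-f]+)\s*$", re.MULTILINE)


def parse_hid_id(uevent_text):
    """Return (vendor, product) from a uevent file's HID_ID line, or None."""
    m = _HID_ID_RE.search(uevent_text)
    if not m:
        return None
    return int(m.group(2), 16), int(m.group(3), 16)


def find_hidraw_nodes(vid=NITROKEY_VID, pid=NITROKEY_PID, sysfs_root=SYSFS_HIDRAW):
    """List hidraw device names (e.g. 'hidraw1') whose HID_ID matches vid:pid."""
    matches = []
    if not os.path.isdir(sysfs_root):
        return matches
    for name in sorted(os.listdir(sysfs_root)):
        uevent = os.path.join(sysfs_root, name, "device", "uevent")
        try:
            with open(uevent) as f:
                ids = parse_hid_id(f.read())
        except OSError:
            continue
        if ids == (vid, pid):
            matches.append(name)
    return matches


def node_accessible(dev_path):
    """True if the current user can open dev_path read/write, which is what
    the browser needs to speak U2F over HID."""
    return os.access(dev_path, os.R_OK | os.W_OK)


def main():
    nodes = find_hidraw_nodes()
    if not nodes:
        print("no hidraw device with id %04x:%04x found; is the key plugged in?"
              % (NITROKEY_VID, NITROKEY_PID))
        return 1
    all_ok = True
    for name in nodes:
        dev = "/dev/" + name
        ok = node_accessible(dev)
        mode = oct(os.stat(dev).st_mode & 0o777)
        print("%s mode %s accessible by uid %d: %s" % (dev, mode, os.getuid(), ok))
        all_ok = all_ok and ok
    return 0 if all_ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as your normal user with the key plugged in; a mode of 0664 with "accessible: True" means the uaccess ACL was applied. If it reports False, check that you reloaded the rules and re-plugged the key, and that you are in a local (not SSH) session, since uaccess only grants access to the active seat.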

Register the Nitrokey with Google's 2-Step Verification

Open in Chromium and sign in to your Google Account.

Click your icon in the upper right corner and click Google Account in the popup.

Click Sign-in & Security.

Click 2-Step Verification.

Start registration of Nitrokey FIDO U2F as second factor for Google Account 2-Step Verification

Click GET STARTED and sign in again.

Select security key

The website guide will probably suggest using your phone as a 2nd factor, but we can set that up later. Let's register the Nitrokey first. Click Choose Another Device, then click Security Key. Then click Try now.

Disconnect security key

The guide will ask you to disconnect the security key, then click Next.

Insert security key

On the next page insert the Nitrokey. If you get a popup asking to see the make and model of your security key, you can choose either Block or Allow. I went for Block.

Security key registered

When you reach the page titled Security Key registered click DONE.

2nd factor backup

We need to set up a backup for our 2nd factor security key because we might lose or break the security key, have to sign in from a browser that doesn't support FIDO U2F, or sign in from an Android or iOS device that doesn't support USB keys.

We can add multiple types of 2nd factor authentication to Google's 2-Step Verification, but the security of the Google Account will only be as strong as its weakest 2nd factor. Note that once security keys with Bluetooth and NFC, and support for them in Android and iOS devices, are pervasive, we should refrain from adding any other type of 2nd factor, as it diminishes the level of security. But with only USB support available, let's take a look at the other alternatives.

The page we landed on after completing the registration of the security key lists a number of 2nd factor alternatives, among them printing codes on a piece of paper, the Authenticator App, and Voice & Text messages.

To start with I'd suggest printing codes on a piece of paper. This is pretty secure because the 2nd factor is stored "offline". Do this even if you don't plan to use it, just in case one day everything else fails.

Voice & Text messages is probably the most convenient choice because we bring our phones with us wherever we go and it only requires the most basic network access. However, it's vulnerable to the SIM Swap Scam, whereby a hacker tricks your network provider into issuing a new SIM card for your phone number and sending it to the hacker. The authentication messages are also sent in clear text over network technology that is inherently insecure.

The Authenticator App for Android or iOS is slightly less convenient because it requires internet access on your phone wherever you go, but it isn't vulnerable to the SIM Swap Scam. The strength of the Authenticator App diminishes if it's installed on the same device where you sign in to your Google Account. For most people the Authenticator App is probably the best compromise.

To set up the Authenticator App, install the app from the Android or iOS app store on your phone. In the Google Account 2-Step Verification panel choose to add the Authenticator App. The 2-Step Verification dialog shows a barcode to be scanned using the Authenticator App.

Google Authenticator App scan barcode

When prompted to enter a 6-digit code, enter the code that is displayed in the app. This is also how you sign in to your Google Account with this type of 2nd factor once the setup is complete.

Google Authenticator App set up
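The 6-digit codes the Authenticator App shows are time-based one-time passwords (RFC 6238 TOTP on top of RFC 4226 HOTP). The barcode carries the shared secret, so anyone who copies it can generate the same codes; that is why the app's strength drops when it lives on the same device you sign in from. As an added example, not code from the original post or from Google, here is the algorithm with a server-side verifier that tolerates clock drift and compares codes in constant time. The demo secret is the RFC 4226 test key, constructed for the example; the base32 decoder assumes the secret is encoded the way otpauth:// URIs carry it.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP, the algorithm behind Authenticator App codes.
Added example; not code from the original post or from Google."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation
    (RFC 4226 section 5.3) to a decimal code of the requested length."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret, for_time=None, step=30, digits=6):
    """Time-based code: HOTP with counter = floor(unix_time / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits)


def verify_totp(secret, code, for_time=None, step=30, window=1):
    """Accept the code for the current step or +/- `window` steps (clock drift),
    using a constant-time comparison so timing doesn't leak matching digits."""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time // step)
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return True
    return False


def secret_from_base32(b32):
    """Decode a base32 secret as it appears in an otpauth:// URI
    (assumption: apps tolerate missing padding, spaces and lower case)."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


if __name__ == "__main__":
    # Constructed demo secret (the RFC 4226 test key), not a real account secret
    demo = b"12345678901234567890"
    now = time.time()
    code = totp(demo, now)
    print("current code:", code)
    print("verifies now:", verify_totp(demo, code, now))
    print("verifies 2 steps later:", verify_totp(demo, code, now + 60))
```

Two points worth noticing: the secret alone fully determines every future code, so the "offline" printed backup codes are a different kind of secret from this one; and a verifier that accepts a window of neighbouring steps should also refuse to accept the same code twice within that window, which a real server tracks per account.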

The first sign-in from a browser

Sign out from your Google Account and close Chromium. Open Chromium again and sign in to

Sign in to Google Account using Nitrokey FIDO U2F

Enter your password as usual and then insert the Nitrokey when prompted to do so. You are now signed in.

If you want to use a 2nd factor backup then click "Having Trouble?" and select the type of 2nd factor.