Do it for 20 apps. On two keys. When every app has a different place they hide the feature, when every app has a different workflow to get it done, and most of them don't tell you they support it in the first place. It really sucks. At minimum, WebAuthn should enable detecting when the key has been slotted and ask if you want to enable U2F, then take you through it... but nobody does, and nobody probably will anytime soon.
At work, Okta at least will handle it for us, but personally? It really sucks.
Ideally, there would be an event emitted by the browser that could detect that a U2F key was inserted, but due to the design limitations of the key this is unlikely to happen. The U2F key is essentially a keyboard that has been plugged into your USB port. Some people keep "nano"[0] ones plugged in at all times for convenience. To address the common use cases of real users, you would need the browser to be able to check if an external keyboard is plugged in to a USB port on DOM ready, and when inserted into the computer.
I will let your imagination run wild with what a nefarious person could do if every browser has the ability to detect if you are using a specific type of USB keyboard. I could point you in the direction of device fingerprinting to start, but that's the bare minimum of what you expose.
I appreciate the explanation, but I do understand at least at a high level how this works. I understand why it's not being done this way. How it's being done is kind of messed up.
WebAuthn is able to tell you that the web page wants you to put a hardware key in. That should be enough to be able to prompt users who've opted into using such a key elsewhere that they can do so here.
Yea, that is cumbersome and not at all user-friendly. I was operating under the assumption of a single app + device use-case at solely Google in my original comment.
Sure - and like I said, Okta does a good job of that for us. But to get people to really embrace it, I tend to think it's gotta work for them personally too. Otherwise it's just this "thing" on a keychain, you know? It's not important.
Or just click: https://myaccount.google.com/signinoptions/two-step-verifica...