Universal 2nd Factor Authentication (U2F)

Universal 2nd Factor (U2F) is an open authentication standard that strengthens and simplifies two-factor authentication using specialized USB or NFC devices.

LLNG can propose to users to register their keys. When done, registered user can't login without using its key.

This feature uses Crypt::U2F::Server::Simple that is available only via CPAN for now. Before compiling it, you must install Yubico's C library headers (called libu2f-server-dev on Debian).

In the manager (advanced parameters), you just have to enable it:

• U2F ⇒ Activation: set it to “on”
• U2F ⇒ Self registration: set it to “on” (to display this application on the menu, create an application that points to https://auth.your.domain/u2fregister.html)
• U2F ⇒ Authentication level: you can overwrite here auth level for U2F registered users. Leave it blank keeps auth level provided by first authentication module (default: 2 for user/password based modules). It is recommended to set an higher value here if you want to give access to some apps only to users enrolled

• Chrome/Chromium >= 38
• Firefox :
  • 38 to 56 with U2F Support Add-on
  • 57 to 58, with “security.webauth.u2f” set to “true” in “about:config” (see Yubico explanations)
  • probably enabled by default for versions >= 59
• Opera >= 40

If you've enabled self registration, users can register their FIDO key using https://portal/u2fregister.html

If a user lost its key, you may remove it's persistent session using the session explorer.

If you have another U2F registration interface, you have to populate session (using exported variables) to set these keys:

Note that both “origin” and “appId” are fixed to portal URL.