Breaking a Teensy U2F implementation: why you shouldn’t write your own crypto


Aidan (a.k.a. makomk) writes:

A while ago, Google created a two-factor authentication scheme called U2F. The general idea is as follows. You have a little USB dongle that you can register with sites. When you enable U2F on a site, the dongle gives that site a public key and a key handle, and that dongle is the only device that can use that key handle to sign things with the corresponding public key. So from then on, websites can hand over the key handle and a challenge, and if they get back a valid signature they know that whoever’s logging in has the dongle you used to sign up.

More details at The Lair of Mako site.
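The registration and login exchange described above, as an added Go sketch that is not code from the original post or from the Teensy project: the dongle signs with the private half of the key and the site verifies with the public key it stored. Assumptions: `Dongle`, `NewDongle`, `Register`, `Sign` and `SiteVerify` are hypothetical names, the dongle keeps its private keys in an internal table indexed by a random key handle, and the signed message is reduced to the challenge alone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type Dongle struct{ keys map[string]*ecdsa.PrivateKey } // hypothetical token: key handle -> private key
func NewDongle() *Dongle { return &Dongle{keys: map[string]*ecdsa.PrivateKey{}} }

// Register makes a fresh P-256 key pair; the site stores the public key and the handle.
func (d *Dongle) Register() (*ecdsa.PublicKey, string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, "", err
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return nil, "", err
	}
	handle := fmt.Sprintf("%x", raw)
	d.keys[handle] = priv
	return &priv.PublicKey, handle, nil
}

// Sign answers a challenge, but only for a handle this dongle issued.
func (d *Dongle) Sign(handle string, challenge []byte) ([]byte, error) {
	priv, ok := d.keys[handle]
	if !ok {
		return nil, fmt.Errorf("unknown key handle")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// SiteVerify is the website's check against the public key saved at registration.
func SiteVerify(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	d := NewDongle()
	pub, handle, _ := d.Register()
	sig, _ := d.Sign(handle, []byte("constructed challenge"))
	fmt.Println("login ok:", SiteVerify(pub, []byte("constructed challenge"), sig))
}
```

A site that issues a fresh random challenge per login can reject a replayed signature, because the old signature does not verify against the new challenge.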


1 Comment

  1. Yeah, because HEARTBLEED was such a great thing.

    Let’s just trust Smarter People ™ to do our security-critical code for us.

