This is for U2F, which is not FIDO2, though FIDO2 is backward compatible with U2F with a limited set of features. U2F-only hardware is not compatible with the passkeys model.
They will not support FIDO2, but they do support U2F which is compatible with a subset of the FIDO2 features. Specifically, they don't support PIN or username-less login, but they CAN be used as 2nd factors (emphasis on the 2) in addition to conventional username+password login.
The NEO and 4 series support U2F which can be used for FIDO2 2FA (emphasis on 2), but they do not support the passwordless (device PIN) or username-less login scenarios.
To be precise: Google's hardware 2FA support will work with any security key supporting the FIDO U2F protocol.
Yubikey devices are U2F compatible. (And in my opinion one of the best devices out there, thanks to PGP/SSH smartcard support.) But there are also cheaper versions on Amazon that work just as well if you're on a budget.
Some of the other posts have already picked up that this doesn't appear to do U2F. Along that line, does anyone know if there are any new FIDO2 compliant keys on the market or is it still just Yubikey? Are more sites adopting WebAuthn or is it stagnant?
Didn't this page used to say whether or not a site supported U2F specifically or was that some other very similar looking page?
It's unfortunate that they don't have this information. I would switch services to a site that specifically supports U2F/FIDO/FIDO2 but not to a site that uses a random proprietary hardware token that is still vulnerable to phishing.
U2F can only be used as a second factor. FIDO2 can be used as a replacement for a username/password, so you can go to a site, insert your FIDO2 key and log in without any other information.
Old Yubikeys only support U2F, and there's a Yubico FIDO2 key. Browser support isn't there yet, I've been trying to write a Django library for it but no browser will support the complete FIDO2 flow as far as I know.
Sweet, although IIRC several of the email providers with 2FA (Gmail and Outlook come to mind) have the option of providing app-passwords instead, which bypass the need for a 2FA token.
Could someone explain the difference between FIDO and FIDO2 compliant keys? For example, is new hardware required or will existing FIDO/U2F keys work with FIDO2? It looks like Yubico is advertising a new FIDO2 key under the brand name "Security Key by Yubico". Personally, I've been meaning to pick up a U2F key, but if sites are going to start rolling out WebAuthn support, I'd rather have a key that supports both FIDO and FIDO2. Does anyone have a recommendation?
Sorry, I worded that poorly. U2F keys will continue to work fine, it's just the JavaScript API that sites use that'll change. As a user, everything will keep working.
Webauthn allows (but does not require) a mode where the key is a single-factor (i.e. acts as both username and authenticator). You need FIDO2 keys for that and we plan to support it in Chrome. Sites will decide whether that makes sense for them.
It still supports U2F 2FA, but only if you have a non-FIDO2 key. If you have a FIDO2 key it will use it as a passkey, with no option to change this.
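The second-factor versus username-less distinction discussed in this thread, written out as WebAuthn request options with a check for whether a U2F-only key can satisfy them. This is an added example, not code from any commenter or vendor; the `example.com` relying party, the function names and the sample values are assumptions.

```javascript
// Added illustration. rp.id "example.com" and all function names are assumptions.
// The returned objects are what a site would pass as { publicKey: options } to
// navigator.credentials.create() / navigator.credentials.get().

// mode "second-factor": key is used after username+password (U2F-compatible).
// mode "usernameless":  key alone identifies and authenticates the user (FIDO2 only).
function registrationOptions(mode, challenge, user) {
  const usernameless = mode === "usernameless";
  return {
    challenge,                       // random bytes issued by the server
    rp: { id: "example.com", name: "Example" },
    user,                            // { id: Uint8Array, name, displayName }
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256, the algorithm U2F keys use
    authenticatorSelection: {
      // A discoverable (resident) credential is stored on the key itself.
      residentKey: usernameless ? "required" : "discouraged",
      // User verification means PIN or biometric, not just a touch.
      userVerification: usernameless ? "required" : "discouraged",
    },
  };
}

function loginOptions(mode, challenge, knownCredentialIds) {
  const usernameless = mode === "usernameless";
  return {
    challenge,
    rpId: "example.com",
    // Second factor: the password step already identified the account, so the
    // server lists that account's credential IDs. Username-less: empty list,
    // the key must find the credential (and the account) on its own.
    allowCredentials: usernameless
      ? []
      : knownCredentialIds.map((id) => ({ type: "public-key", id })),
    userVerification: usernameless ? "required" : "discouraged",
  };
}

// True when a U2F-only key (touch only, no PIN, no on-key credential storage)
// can satisfy the request.
function u2fOnlyKeyWorks(options) {
  const sel = options.authenticatorSelection;
  if (sel) { // registration request
    return sel.residentKey !== "required" &&
      sel.userVerification !== "required" &&
      options.pubKeyCredParams.some((p) => p.alg === -7);
  }
  // login request
  return options.allowCredentials.length > 0 &&
    options.userVerification !== "required";
}
```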