
Two-step authentication in the browser using the U2F USB token

U2F is an open, universal two-factor authentication protocol developed by the FIDO Alliance.
The alliance includes Google, PayPal, Lenovo, MasterCard, Microsoft, NXP, Visa and others.
The protocol is supported by the Chrome browser starting with version 38. It works out of the box, without drivers, on Windows / MacOS / Linux.
It is currently supported by Google, LastPass and WordPress.
This article describes my experience with the Yubikey NEO token, which supports NFC and the OpenPGP card, and the disadvantages of two-factor authentication via SMS.
Why two-step SMS authentication is dangerous
Two-step authentication via SMS or a phone call is very popular now.
Of course, this is convenient, and in most cases such an additional check is effective. It protects against automated attacks, phishing, password guessing and viruses, helps restore lost access, and more.
But if you personally become the target of professional scammers, a linked phone can play a fatal role. Most often, the phone number linked to the account is not a secret; usually it is your main contact number. Almost all services reveal its first or last digits to anyone who tries to recover access to your account. Therefore, it is easy to find out the number associated with your account.
In Russia it is not difficult to find out who a number is registered to. It is enough to read the experiment by the guys from Roem.ru.
Having obtained the personal information of the number's owner, the fraudsters forge a power of attorney, a driver's license or a passport and go to the nearest branch of the mobile operator.
Any ordinary employee of even the seediest mobile phone shop has the authority to reissue a SIM card.
It's funny that most operators do not even keep a photo of the number's owner in the subscriber profile, although for some reason they copy the passport. That is, a passport drawn up with matching details and a suitable photo pasted in is enough.
Operators offer the option of prohibiting SIM card reissue by proxy, but this is an illusory defense, because numbers are successfully reissued using fake driver's licenses and passports.
How to prohibit actions by proxy for Megafon, Beeline, MTS
MegaFon
moscow.megafon.ru/help/servic...sti.html#21123
To activate the service, dial *105*508# on the phone.
Only the owner of the number can deactivate the service, during a personal visit to a MegaFon shop with an identity document.
Beeline
moskva.beeline.ru/customers/help/safe-beeline/ugrozy-mobilnykh-moshennikov/zapret-deystvyi-po-doverenosti
To set up the ban, you must contact one of the Beeline offices with a passport, or call 0611.
MTS
During a personal visit to the office, ask to have it noted in the comments to the number that only the owner with a passport has the right to perform any actions.
In Ukraine, the situation is even worse, since most of the numbers are anonymous.
To have a SIM card reissued, the Kyivstar operator must be shown a receipt for the last top-up of the account and told three numbers that were called.
Good services, many banks for example, store the IMSI (International Mobile Subscriber Identity), a unique SIM card identifier, along with the phone number. If the IMSI has changed, the binding of the number is considered cancelled and the binding procedure must be repeated.
Unfortunately, there are not many such services.
You can check the IMSI of any number using an HLR request: smsc.ru/testhlr
A recipe for the paranoid: smsc.ru has convenient libraries for Python, PHP, Perl, Ruby, Java, C#, Delphi and C++, which allow, among other things, sending HLR requests. You can check the IMSI of your numbers, for example, twice a day, and sound an alarm if it changes. At the most expensive tariff, one request costs 0.2 rubles, which comes to approximately 150 rubles per year for one number. Through the same library you can send an SMS with the alarm. I recommend it ;)
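One way a service could implement the IMSI binding described in the paragraphs above, as an added example in Go (not code from this article or from smsc.ru). `FakeHLR` is a hypothetical stand-in for a real HLR lookup, and the phone number and IMSI values are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

var (
	ErrNotBound   = errors.New("number not bound: run the binding procedure")
	ErrSIMChanged = errors.New("IMSI changed: binding cancelled")
	ErrLookup     = errors.New("HLR lookup failed")
)

// FakeHLR maps a phone number to its current IMSI. It stands in for a real HLR
// query service (hypothetical); every value stored in it is constructed.
type FakeHLR map[string]string

func (h FakeHLR) Lookup(number string) (string, error) {
	imsi, ok := h[number]
	if !ok {
		return "", errors.New("subscriber unknown")
	}
	return imsi, nil
}

// Binder remembers the IMSI seen when the user linked the number.
type Binder struct {
	lookup func(number string) (string, error)
	bound  map[string]string // number -> IMSI at binding time
}

func NewBinder(lookup func(string) (string, error)) *Binder {
	return &Binder{lookup: lookup, bound: map[string]string{}}
}

// Bind is the binding procedure; a real service re-verifies the user first.
func (b *Binder) Bind(number string) error {
	imsi, err := b.lookup(number)
	if err != nil {
		return ErrLookup
	}
	b.bound[number] = imsi
	return nil
}

// CheckBeforeSMS must return nil before a one-time code is sent to number.
func (b *Binder) CheckBeforeSMS(number string) error {
	want, ok := b.bound[number]
	if !ok {
		return ErrNotBound
	}
	got, err := b.lookup(number)
	if err != nil {
		return ErrLookup // fail closed: an unverifiable SIM gets no code
	}
	if got != want {
		delete(b.bound, number) // stays cancelled even if the old SIM reappears
		return ErrSIMChanged
	}
	return nil
}

func main() {
	hlr := FakeHLR{"+70000000000": "250000000000001"}
	b := NewBinder(hlr.Lookup)
	fmt.Println(b.Bind("+70000000000"), b.CheckBeforeSMS("+70000000000"))
	hlr["+70000000000"] = "250000000000002" // the SIM card was reissued
	fmt.Println(b.CheckBeforeSMS("+70000000000"), b.CheckBeforeSMS("+70000000000"))
}
```

The same check, run on a schedule against your own numbers, is the alarm from the recipe above.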
There are other ways to bypass confirmation via a mobile phone, such as setting up call forwarding, intercepting voicemail, etc. But their description is beyond the scope of this article.
Scary stories of victims of re-issuance of SIM cards
U2F - FIDO Universal 2nd Factor
In the U2F design, the authenticator is a hardware module (a USB token, a SIM card or an NFC key fob) that stores keys and performs cryptographic operations on its own. The keys are pre-installed during production and never leave the token.
The principle of operation is as follows:
- The user logs in to the website / application with a login and password
- The server checks the credentials and, if they are correct, generates a challenge for the token and sends it to the user's program, in this case the browser
- The browser passes the challenge to the token, which can request an action from the user at its discretion. In my case, this is a finger touch on the contact pad. But it could be, for example, PIN entry, biometric verification, or no check at all
- The token returns a response to the program, which passes it on to the server
- Authentication is complete
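The exchange in the list above, as an added example in Go that is not from this article or from any of the libraries it links to. It follows the U2F authentication message layout (SHA-256 of the application ID, a user-presence byte, a 32-bit counter and SHA-256 of the browser's client data, signed with ECDSA P-256) and goes beyond the list by also checking the origin and the counter on the server. The software `Token`, the single key per token, the appID being equal to the origin, and `https://example.com` are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

type Token struct { // software stand-in for the hardware key (example assumption)
	key     *ecdsa.PrivateKey
	counter uint32
}

func NewToken() (*Token, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Token{key: k}, err
}

// ClientData is built by the browser, which fills in the origin it is really on.
func ClientData(origin, challenge string) []byte {
	b, _ := json.Marshal(map[string]string{ // a map of strings always marshals
		"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin})
	return b
}

// digest hashes SHA-256(appID) || 0x01 (user present) || counter || SHA-256(clientData).
func digest(appID string, c uint32, clientData []byte) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	msg := append(app[:], 0x01, byte(c>>24), byte(c>>16), byte(c>>8), byte(c))
	sum := sha256.Sum256(append(msg, cd[:]...))
	return sum[:]
}

// Sign is the token side: after the touch, bump the counter and sign.
func (t *Token) Sign(appID string, clientData []byte) (uint32, []byte, error) {
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, t.key, digest(appID, t.counter, clientData))
	return t.counter, sig, err
}

// Verify is the server side; last is the counter stored at the previous login.
func Verify(pub *ecdsa.PublicKey, appID, chal string, last uint32, cd []byte, ctr uint32, sig []byte) error {
	var c struct{ Typ, Challenge, Origin string }
	switch {
	case json.Unmarshal(cd, &c) != nil || c.Typ != "navigator.id.getAssertion" || c.Challenge != chal:
		return fmt.Errorf("challenge mismatch")
	case c.Origin != appID:
		return fmt.Errorf("origin mismatch")
	case !ecdsa.VerifyASN1(pub, digest(appID, ctr, cd), sig):
		return fmt.Errorf("bad signature")
	case ctr <= last:
		return fmt.Errorf("counter did not increase")
	}
	return nil
}

func main() {
	tok, err := NewToken()
	raw := make([]byte, 32)
	if _, rerr := rand.Read(raw); err != nil || rerr != nil {
		panic("no randomness available")
	}
	site, chal := "https://example.com", base64.RawURLEncoding.EncodeToString(raw) // constructed appID == origin
	ctr, sig, err := tok.Sign(site, ClientData(site, chal))
	fmt.Println("verify:", Verify(&tok.key.PublicKey, site, chal, 0, ClientData(site, chal), ctr, sig), "sign:", err)
}
```

A response produced for client data from another origin fails with "origin mismatch" even though the token's signature over it is valid, and a response replayed with an old counter fails the counter check.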

Currently, U2F support is available in Google Chrome, starting with version 38. It will probably be added to Firefox soon.
It is already supported for logging in to Google accounts and LastPass, and there are plugins for WordPress and Django and libraries in different languages.
There are also modules for Linux PAM, OpenSSH and more.
Table of services supporting OTP / U2F authorization - www.dongleauth.info
Useful links
Examples from Google: github.com/google/u2f-ref-code
PHP library: github.com/Yubico/php-u2flib-server
Ruby library: github.com/castle/ruby-u2f
Python demo: github.com/Yubico/python-u2flib-server
PAM module: github.com/Yubico/pam-u2f
Personal experience using the Yubikey NEO token
The most advanced U2F devices are manufactured by Yubico.
Distributor in Russia - yubico.ru
I bought the most sophisticated key fob available at the moment, the Yubikey NEO.

In addition to U2F, it supports:
- OpenPGP smart card: detected as an ICCID reader with an OpenPGP card version 2.0 inserted
- NFC: can be used with smartphones and as a key for access control. It can work as a Mifare Classic card in emulation mode
- OTP and TimeOTP: it is detected as a HID keyboard and types a one-time password when pressed. Time-based OTP works through a software applet (a Google Authenticator replacement)
- PIV smart card (Personal Identity Verification): a US government smart card standard
By default, the device works in Yubico OTP mode (a proprietary one-time password protocol): it is detected only as a HID keyboard and, when the button is pressed, types one-time passwords based on the device ID.
U2F mode has to be enabled through a proprietary utility, which is available for Windows / Mac / Linux.

I preferred to enable U2F and ICCID modes to work as an OpenPGP card.

That's all. U2F immediately works, no drivers are required.
You can check the operation in the demo application demo.yubico.com/u2f
Linking a token to a Google account is extremely simple:

Once linked, the token becomes the default second factor, and the alternative method, either SMS or TOTP, cannot be disabled.

As the alternative second factor, I chose TOTP. I use a software implementation of TOTP in 1Password (the same as Google Authenticator, only on the desktop). The Yubikey NEO is also capable of TOTP, with the key for generating passwords stored in the token and not extractable. But since the passwords are generated based on time, you need to keep a software applet running to pass the time to the token, which I did not like.
I also briefly explored other device features.
The OpenPGP card immediately worked with GnuPG 2.0.27 from the gpgtools.org package.
gpg --card-status
Application ID ...: F3427001240104000006010230340000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 1023034
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
The card is version 2.0; keys are RSA only and no longer than 2048 bits.
Working with the card is also possible over NFC, for example on Android using http://www.openkeychain.org/. The beauty of such a combination is that all operations with the private key are performed on the card; the key never leaves the card and cannot be extracted from it.
Unfortunately, the other day a vulnerability was found in the OpenPGP implementation in the Yubikey NEO that allows bypassing PIN entry and performing an operation with the private key. And, since firmware updates on the devices are prohibited for security reasons, there is no way to fix the bug. Yubico promises to replace the faulty devices for everyone.
I happened to have the vulnerable firmware version, 1.0.8.
Mifare Classic emulation is the most puzzling function to me. When you try to talk to it as you would to an ordinary Mifare Classic card, the card behaves strangely.
libnfc output with authentication attempts
$ LIBNFC_LOG_LEVEL=3 ./readmifare1k.py -s 115200 -l /dev/tty.SLAB_USBtoUART
error libnfc.driver.pn532_uart Application level error detected
Card has 7 byte UID
ATQA (SENS_RES): 00 44
UID (NFCID1): 04 1b b1 4e f7 00 f1
SAK (SEL_RES): 28
ATS: 78 f7 b1 02 59 75 62 69 6b 65 79 4e 45 4f 72 33
Physically, the RFID tag works pretty well: despite the small antenna, the reader in the subway “grabs” it from 3 centimeters.
Conclusion
Compared to all the hardware tokens that I used to use, U2F technology is extremely convenient. There is no need to bother with importing certificates or installing drivers, no Java applets, and so on.
I tested it on Windows 7, Mac OS 10.10 and Ubuntu 14.0.4. On all systems, Chrome immediately picked up the token without installing drivers. In general, the deployment seems so simple and understandable that even a child can handle it.
And the fully open specifications, plugins and libraries make it possible to add U2F to any application.