Has the FIDO U2F been retired?


Michael C

May 3, 2020, 8:38:50 PM
to FIDO Dev (fido-dev)
Happily using U2F security keys from Yubico for some time and then my normality just went out the window when Microsoft Windows 10 was updated to 1909 from 1903.

My Yubico 4 USB token is no longer recognised as a security key under Windows Hello.

Has Microsoft just taken a position with dropping support for it under Windows Hello or has FIDO given them that guidance by telling them U2F has been replaced by FIDO2 and therefore, everyone should just drop the hat and move on?

Emil Lundberg

May 4, 2020, 7:20:21 AM
to fido...@fidoalliance.org

Hi Michael,

I cannot speak for Windows Hello, but U2F authenticators (including YubiKey 4) are and will remain supported by WebAuthn - although they do not support some new features like PIN/biometrics or client-side-discoverable credentials (AKA resident keys).

Note that the term "U2F" spans both a browser-to-authenticator protocol (now renamed to CTAP1) and an in-browser JavaScript API. WebAuthn replaces the U2F JavaScript API, but still supports CTAP1 authenticators.

Emil Lundberg

Software Developer | Yubico
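
The limits described in the message above (no PIN/biometrics, no resident keys on U2F/CTAP1 authenticators), as an added example that is not part of the original thread: a relying-party-side check that lists which WebAuthn request settings would exclude a CTAP1-only key. The function names and sample options are hypothetical, and the example assumes the relying party lists its accepted algorithms explicitly.

```javascript
// Added example (not from the thread). Function names and sample options are
// hypothetical; sample values are constructed.
const ES256 = -7; // COSE id for ECDSA P-256/SHA-256, the only algorithm U2F keys sign with

// Reasons a navigator.credentials.create() request excludes CTAP1-only keys.
function ctap1BlockersForCreate(publicKey) {
  const blockers = [];
  const sel = publicKey.authenticatorSelection || {};
  if (sel.requireResidentKey === true || sel.residentKey === "required") {
    blockers.push("resident key required");
  }
  if (sel.userVerification === "required") {
    blockers.push("user verification required");
  }
  // Assumption: the RP lists its accepted algorithms explicitly.
  const algs = (publicKey.pubKeyCredParams || []).map((p) => p.alg);
  if (!algs.includes(ES256)) blockers.push("ES256 not offered");
  return blockers;
}

// Reasons a navigator.credentials.get() request excludes CTAP1-only keys.
function ctap1BlockersForGet(publicKey) {
  const blockers = [];
  if (publicKey.userVerification === "required") {
    blockers.push("user verification required");
  }
  // Without resident keys the RP must name the credential IDs to try.
  const allow = publicKey.allowCredentials;
  if (!Array.isArray(allow) || allow.length === 0) {
    blockers.push("empty allowCredentials");
  }
  return blockers;
}

// Constructed samples: a second-factor registration and a usernameless login.
const secondFactorCreate = {
  pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
  authenticatorSelection: { residentKey: "discouraged", userVerification: "discouraged" },
};
const usernamelessGet = { allowCredentials: [], userVerification: "required" };

console.log(ctap1BlockersForCreate(secondFactorCreate));
console.log(ctap1BlockersForGet(usernamelessGet));
```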



John Bradley

May 4, 2020, 10:26:03 AM
to fido...@fidoalliance.org

U2F keys work just fine in Windows 10 1909 via the Windows API, for Edge, Chrome, and Firefox.

Can you be more specific?

Microsoft has never supported the U2F protocol for RP in Classic Edge. They started with WebAuthn but it supported U2F keys.

You may be seeing the result of a security feature added to 1909 where native applications can no longer talk directly to any FIDO device via USB unless they are running in Admin mode.

Apps like Dashlane updated to use the official Windows API for supporting U2F and Fido2 keys.

I use a Yubikey Neo (older than the YK 4) at least once a week with Win 10 1909. That key is over 5 years old now and continues to work just fine.

Also "New Edge" across all versions of Win 10 and Win 7 fully supports U2F from RP. Most RP are now converting to WebAuthn for Safari and other browsers support.

Speaking of Safari, my Neo works just fine with Safari on iOS and OSX.

If you have a YK4 and an iPhone camera connector adaptor you can give it a try. However, given that an iPhone camera connector is about the same price as a Yubikey 5Ci with a lightning connector, don't opt for the camera connector unless you really want one.

Any U2F key with NFC works with iOS now.

I hope that helps

Contact me directly if you are still having issues with your key.   I may be able to tell you what is up.

Michael C

May 5, 2020, 6:20:02 AM
to FIDO Dev (fido-dev)
Hi Emil. Thanks for getting back to me.

It is the Windows Hello component that is broken and yes, web applications continue to work. All these agile processes must have dropped the fact that there are customers still using CTAP1 (thanks for the reminder about it being renamed). I'm guessing that they must have talked to all their most important customers to ensure they've all migrated to FIDO2 capable security keys before they did this.

I'll look at acquiring the YubiKey 5 NFC shortly to cover my shortfall but in the meantime, am filling the gap with my backup Yubico Security Key with FIDO2 support!


Michael C

May 5, 2020, 6:23:18 AM
to FIDO Dev (fido-dev)
Hey John. Thanks for chiming in.

Yes, you're correct. All web applications continue to work fine. I am just a little bruised by the fact that Microsoft decided to drop OS level/Windows Hello local and AD sign in support for FIDO U2F/CTAP1 without any kind of comms to that effect in Windows 10 Version 1909. Or maybe I missed the official announcement?

Appreciate your confirmation though.

All the best.