
It's a point-to-point protocol. It's not a login and recovery flow. It's designed to be integrated in what people are already using as a direct replacement for other 2 factors, so it can be widely adopted instead of forcing everybody to something completely new.

Once this is established, the hope is to push the envelope further with future versions.

That's the reason this stuff gets adopted. Everybody understands that these issues still exist. Nobody believes that FIDO 1.0 is the solution for all problems that exist in auth.

I for one would much rather buy two U2F sticks than enter that stupid TOTP token one more time.




"Factor" is a marketing word. There is a security threat model, and there are no "factors". u2f introduces another layer instead of fixing the first one. That's why they failed: all we needed was a password replacement, not a code generator on top of that.


Ok. So let's explain this ELI5-style.

Currently people use passwords then add TOTP to increase security.

FIDO wants to improve the situation, so they introduce UAF to replace passwords, and they introduce U2F to replace TOTP.

What exactly is your problem? They did exactly what you wanted; they invented UAF to improve on the first factor. For high-security applications you can add a second factor. Are you arguing there is never a case for a second factor?

I really don't understand your issues.


> so they introduce UAF to replace passwords

Oh, how is it going? Is there any UAF-supporting app, i.e. no passwords? All I see is slides and presentations.

> Are you arguing there is never a case for a second factor

Correct, once the first layer is fixed and password-related attacks are mitigated, there's no need for u2f as it doesn't stop malware.

Even something as basic as an hmac(masterpw, domain) app would do a better job than the FIDO stuff altogether.


Replacing passwords is incredibly difficult. Nobody has done it; many have tried. UAF is already supported in a wide number of hardware and applications.

You can verify a PayPal transaction right now with UAF. Not exactly a small fish.

UAF does not yet have much browser support; everybody is waiting for the Web Authentication API that is in standardization right now.

> Correct, once the first layer is fixed and password-related attacks are mitigated, there's no need for u2f as it doesn't stop malware.

That's just stupid. If you use a fingerprint sensor as a convenient first factor, then you may well still want a second factor.

The idea that there is never a use for a second factor is just total nonsense.

> Even something as basic as an hmac(masterpw, domain) app would do a better job than the FIDO stuff altogether.

The security of that would be far, far worse. Not to mention tons of other practical problems with that idea.
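To make concrete what the two sides of this exchange are arguing about (the hmac(masterpw, domain) idea versus U2F's challenge/response), here is an added Go sketch that is not part of any comment in the thread: scheme A models the derived-password idea, scheme B a simplified U2F-style login. The master password, domain and origin strings are constructed samples, and the U2F side is a toy model of the mechanism, not the real protocol's message format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Scheme A, the "hmac(masterpw, domain)" idea from the thread: a per-site
// password derived from a master password. The site stores the derived value
// at enrolment, so whatever it stores is itself a reusable login secret.
func derivedPassword(masterpw, domain string) []byte {
	m := hmac.New(sha256.New, []byte(masterpw))
	m.Write([]byte(domain))
	return m.Sum(nil)
}

// Any leaked or relayed copy of the stored value logs in again.
func serverAcceptsDerived(stored, presented []byte) bool {
	return hmac.Equal(stored, presented)
}

// Scheme B, a toy model of U2F-style challenge/response (constructed here, not
// the real U2F message format): the site keeps only a public key, and a login
// signs a fresh challenge plus the origin the browser saw (challenge || origin).
func newAuthenticator() (ed25519.PrivateKey, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv, pub
}

func newChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

func authenticatorSign(priv ed25519.PrivateKey, challenge []byte, origin string) []byte {
	return ed25519.Sign(priv, append(append([]byte{}, challenge...), []byte(origin)...))
}

// A stale challenge (replay) or a look-alike origin (phishing relay) fails here.
func serverVerify(pub ed25519.PublicKey, challenge []byte, origin string, sig []byte) bool {
	return ed25519.Verify(pub, append(append([]byte{}, challenge...), []byte(origin)...), sig)
}
```

In scheme A the site's stored value is enough to log in again; in scheme B the stored public key is not, and a signature captured for one challenge or for a look-alike origin does not verify for the genuine site.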


> If you use a fingerprint sensor as a convenient first factor, then you may well still want a second factor.

You keep talking about factors, which is just a word, not a technical term. I repeat: you do not need u2f with a fixed first layer. No plausible threat model. A malware attack gets delayed, not prevented. If you decide to reply, please define the word "factor".


The use of the term 'factor' is pretty established in any security discussion, and I have heard the word mentioned in lots and lots of presentations at security conferences. So it seems to be you that has some sort of strange hang-up about this.

U2F is designed to add additional security by you having to prove that you physically own something.

> you do not need u2f with fixed first layer

Again, that's why there is UAF; it has nothing directly to do with U2F. In UAF you have to somehow (bio or knowledge) prove that you are who you are.

In a high-security application you might want to have both local authentication (UAF) and additionally proof of possession (U2F).

> Malware attack gets delayed, not prevented.

Of course it helps. If you use your laptop's fingerprint reader as a first factor and somebody steals your laptop and gets the fingerprints from it, he will still not be able to access your online accounts because they need U2F.

If it's a website that uses a password and you get phished, this will be completely useless to them if they don't have access to your U2F authenticator.


There's no established meaning of factor. I have trouble understanding UAF's goals. We already have full disk encryption + pincodes on laptops and phones. Consider it the "first factor" then? If the laptop is stolen you cannot get in (see the San Bernardino attacks). Yes, everyone must have it "on".

So we are left with attacks that control your computer once you unlock it. Malware. And with malware we can exploit your computer right now (no "second factor") or a few days later (wait for you to press that USB button). My point being that both cases give the same security, but the second one has much worse usability.

> If it's a website that uses a password and you get phished, this will be completely useless to them if they don't have access to your U2F authenticator.

A precondition of this discussion is that the "first factor" is not a password but some kind of client certificate, i.e. phishing and reuse are not in question. Then we are looking at what U2F offers us: a horrible user experience, with most browsers+devices not supporting it, for the sake of merely delayed exploitation? Thanks, no.



