[meta] Allow 2FA Login Using a U2F Device
- Use a U2F device as an alternative to authenticator apps.
- Best example of a U2F device is Yubico's FIDO U2F Security Key
- https://www.yubico.com/
- https://www.yubico.com/products/yubikey-hardware/
Suggested in #2979 (closed) (comment 4868554) /cc @JobV @matt.wilkinson
Features
This serves as an umbrella issue for all U2F features:
- Register U2F device and authenticate with it (!3905 (merged))
- Require authenticator to be set up before enabling U2F (#17333 (closed))
- Support for Firefox via extension (#17341 (closed))
- Add an identifier for each U2F device (#17334 (closed))
- More granular control over disabling U2F devices (#17335 (closed))
- Honor the "Remember Me" parameter (#18103 (closed))
- Polish up the U2F flow (#18556 (closed))
- Register an U2F device should trigger an email and an audit log event (#18557 (moved))
- Support for more browsers (#22938 (moved) and gitlab-org/gitlab-ee#778)
TODO After Core Implementation
- Test with other vendors' U2F devices
- Order non-yubico U2F devices
- Test with non-yubico devices
  - I've tested our U2F implementation with these three devices, with no issues:
    - Yubico FIDO U2F: https://www.amazon.com/dp/B00NLKA0D8
    - Plug-Up Security Key: https://www.amazon.com/dp/B00OGPO3ZS/
    - HyperFIDO Security Key: https://www.amazon.com/dp/B00WIX4JMC
- Audit ruby-u2f gem and u2f javascript API