The specifics depend on the use case, but even if you fall back to something less secure like an email and TOTP, you still come out ahead overall because most authentications are done by U2F.
Channel ID has been deprecated and replaced by Token Binding but I'm sure U2F sites don't use either. The real protection is quite simple: incorporating the origin (domain name) in the protocol. So phishers would get a bad response from the token.
I tried a Trezor 1. It prompts me to press the button, but then the browser prompts me to give permission for AWS to see the manufacturer/version of the device and then gives me the error "Attestation Certificate is not valid."
They specifically only support Yubico at the moment, to the point that Chrome asked me if AWS could read my Security Key manufacturer and model when I pressed the button on my 4C Nano.
The manufacturer is irrelevant to the protocol; they may have asked you for these details but they do not matter. You can even emulate the key in software if you wanted.
Incorrect - everything related to the protocol, including becoming a compatible vendor, is managed by the FIDO Alliance, which Yubico is a member of. The U2F specification requires you to parse the certificate and verify the response message against the cert's public key when registering the device with your application. You can choose to only accept certificates whose public key comes from a certain manufacturer, but that is up to the discretion of the implementer and is not required. If you want to read a full overview of the specification, you can read the following document
It's not the manufacturer that AWS wants to read, it wants the attestation certificate, and Yubico's are signed with their Root CA, so it's not something you can emulate. https://developers.yubico.com/U2F/Attestation_and_Metadata/
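The registration check the two comments above describe (parse the attestation certificate, verify the response signature with its public key, check the origin the browser recorded, and optionally pin the cert to an accepted vendor root), as an added example that is not part of this thread or of any vendor's code. It is written against Ruby's bundled OpenSSL library; the authenticator side is simulated with a constructed self-signed attestation certificate, the app ID `https://accounts.example.test`, the key handle and the client data are all constructed values.

```ruby
require 'openssl'
require 'json'

# Message the token signs at registration (U2F raw message format):
# 0x00 || SHA-256(appId) || SHA-256(clientData) || keyHandle || userPublicKey
def reg_message(app_id, client_data, key_handle, user_pub)
  "\x00".b + OpenSSL::Digest::SHA256.digest(app_id) + OpenSSL::Digest::SHA256.digest(client_data) +
    key_handle.b + user_pub.b
end

# Relying-party side. Returns the attestation cert on success, raises on any failure.
# vendor_roots nil accepts any spec-compliant token; a non-nil list pins to those vendors' roots.
def verify_registration(resp, client_data, app_id, vendor_roots: nil)
  raise 'malformed response' unless resp.bytesize > 67 && resp.getbyte(0) == 0x05 &&
                                    resp.bytesize > 67 + resp.getbyte(66)
  user_pub = resp.byteslice(1, 65)                     # 65-byte uncompressed P-256 point
  key_handle = resp.byteslice(67, resp.getbyte(66))
  rest = resp.byteslice(67 + key_handle.bytesize..)
  cert = OpenSSL::X509::Certificate.new(rest)          # d2i reads one DER certificate, ignoring what follows
  sig = rest.byteslice(cert.to_der.bytesize..)          # what follows is the DER ECDSA signature
  raise 'truncated response' if sig.empty?
  # Origin binding: the browser records which site asked, so a response collected on another origin fails here.
  cd = JSON.parse(client_data)
  raise 'origin mismatch' unless cd['typ'] == 'navigator.id.finishEnrollment' && cd['origin'] == app_id
  msg = reg_message(app_id, client_data, key_handle, user_pub)
  raise 'attestation signature invalid' unless cert.public_key.verify(OpenSSL::Digest.new('SHA256'), sig, msg)
  if vendor_roots  # optional vendor pinning: attestation cert must chain to an accepted root
    store = OpenSSL::X509::Store.new
    vendor_roots.each { |root| store.add_cert(root) }
    raise 'attestation cert not issued by an accepted vendor' unless store.verify(cert)
  end
  cert
end

# Simulated authenticator with a constructed self-signed attestation cert (test data, not a vendor key).
def simulate_token(app_id, client_data)
  att_key = OpenSSL::PKey::EC.generate('prime256v1')
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=constructed attestation')
  cert.public_key = att_key
  cert.not_before, cert.not_after = Time.now - 3600, Time.now + 3600
  cert.sign(att_key, OpenSSL::Digest.new('SHA256'))
  user_pub = OpenSSL::PKey::EC.generate('prime256v1').public_key.to_bn.to_s(2)
  key_handle = 'constructed-key-handle'.b
  sig = att_key.sign(OpenSSL::Digest.new('SHA256'), reg_message(app_id, client_data, key_handle, user_pub))
  resp = "\x05".b + user_pub + [key_handle.bytesize].pack('C') + key_handle + cert.to_der + sig
  [resp, cert]
end
```

Passing a vendor's published root as `vendor_roots` is the pinning step the thread argues about; leaving it nil implements the spec's minimum, which trusts the attestation signature but not any particular manufacturer.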
I tried setting up my AWS account with a Tomu setup with U2F firmware and AWS rejected it.
Yeah I knew that it didn't matter to the protocol, I only made my comment because I could've absolutely sworn I read in docs or their UI that literally _only_ Yubico was supported, as in no other U2F would work. Can't find it now, so my bad!
It’s not as big of a deal as you might expect because:
- The spec requires providers to allow independent addition / removal of multiple keys per account, so it’s easy to manage backup U2F keys.
- Providers can use any backup authentication method they want. This includes SMS codes, TOTP / HOTP apps, email resets, or maybe VCing in to tech support.
And even if the backup method is less awesome (e.g. SMS codes) it still reduces your risk because you use it less often.
It reduces the urge to whip out my mobile device at every moment of mild boredom, and collaborative apps like ported board games shine.
The one downside is that I look pretty silly when taking photos.