2factorauth / twofactorauth

List of sites with two factor auth support which includes SMS, email, phone calls, hardware, and software.
https://2fa.directory

Separate "Hardware" column, differentiate OTP vs U2F #1369

Closed qJake closed 8 years ago

qJake commented 9 years ago

The "Hardware" column has become ambiguous with the adoption of U2F alongside hardware OTP solutions.

I suggest separating or expanding this column to track websites that support U2F specifically (not just OTP or hardware-based revolving passcodes), especially with companies like Yubico now bringing U2F to the masses.

For example, Bank of America is listed as having Hardware Auth, but its hardware auth is simply a revolving passcode solution (à la RSA SecurID), so it's unclear what specific hardware is supported, or whether or not it's proprietary.

There are a few different possible approaches we could take here. Ideas?

RichJeanes commented 9 years ago

Things like this have come up several times with people wanting to add more specificity (e.g., standard vs. proprietary software implementations). Our current position is that we would rather keep it simple and avoid adding more columns (especially with the performance issues we already see). This is part of the reason the doc links are included and we try to encourage the use of the most useful doc links possible (which would ideally include what hardware they support).

It also has the potential to turn into a slippery slope. Once we differentiate the U2F hardware standard, someone could request that we make another column for differentiating between things like Yubico hardware OTP support vs. site-specific hardware tokens (e.g., SecurID or others). Then we could also end up with people asking for separate software columns again.

I'll leave this open for other collaborators to give feedback, but I'm thinking their responses are going to be similar. Thank you for contributing to the discussion, though! :+1:

smholloway commented 9 years ago

I agree with @RichJeanes. We have to strike a balance between too little and too much information and we're already fighting to fit what we have on the site. I think the docs link is the best we can do to differentiate the various implementations.

commonsguy commented 9 years ago

Instead of a column, could you show the details of the hardware token via a tooltip over the checkmark icon? Or, have different checkmark icons (e.g., one with a U2F badge, one without)? There are other ways to visually represent this information, beyond having dedicated columns.

With respect to scope creep, provide a specific definition for what qualifies for special treatment (e.g., open standard).

mxxcon commented 9 years ago

Is there a standard u2f logo that we can use that more or less fits with the current site style? @commonsguy What other way do you have in mind?

RichJeanes commented 9 years ago

[image: U2F logo]

commonsguy commented 9 years ago

For a badge over the checkmark, I was thinking more of just the letters "U2F". It doesn't have to be huge (and, in the case of tooltip text, it doesn't even have to be an image). And I don't claim to be a visual designer, so there are sure to be other alternatives, and probably better ones. My point was simply that there are ways to indicate adherence to standards like U2F without additional columns and that would not (at least IMHO) massively detract from the cleanliness of the site.

smholloway commented 9 years ago

I appreciate the thought and conformance with our design aesthetic. I think a tooltip is preferable to a new column. That said, I just don't think we need to represent this information. If it is that important, let's make a new page for U2F and list everyone who offers it. Or fork the repo and make something like u2fauth.org that only shows U2F-compliant sites.

We chose an abstract notion of hardware because it gets around a lot of debate. Who determines the standards? Who decides what hardware types deserve an icon? What tooltip do you show if a site offers a proprietary hardware token and U2F? What if someone wants to differentiate the various other hardware authentication types? What if a site claims to be U2F but you disagree with the implementation?

In general, I feel that calling out any standard or vendor is playing favorites, which diminishes our credibility. This isn't a site to advance specific implementations or vendors. The site exists to increase awareness about two-factor authentication in all its forms.

RichJeanes commented 9 years ago

If you are interested in sites that support U2F, check out dongleauth.info. They list U2F compliance. DISCLAIMER: DongleAuth.info is run by NitroKey, makers of USB authentication dongles and encryption hardware.

mxxcon commented 9 years ago

@RichJeanes in that case maybe we can add some sort of reference page to link people to this and other similar sites? I remember a while ago somebody wanted to create a fork with password strength information...

Carlgo11 commented 9 years ago

(Here's the fork @mxxcon mentioned http://www.dongleauth.info/)

avandendorpe commented 8 years ago

I think this absolutely matters, a hardware OTP token and U2F are not the same thing. Frustrating to lose the simplicity but that's just an honest representation of the ecosystem. U2F is gaining traction and is an open standard - either a service is compatible or it's not, there is (currently) no fracture in the implementations.

There's a case for waiting to see if it spreads further before making this change, but unless the trend reverses I think it is necessary. An interim measure might be to indicate where Hardware=U2F as an exception as it still has relatively low penetration.

avandendorpe commented 8 years ago

Also of interest, per the Firefox issue at https://bugzilla.mozilla.org/show_bug.cgi?id=1065729 the W3C is now working on the issue of web auth standards per https://w3c.github.io/websec/web-authentication-charter, and FIDO U2F has been submitted as early input.

jamcat22 commented 8 years ago

I'm going to close this issue, as it really fits into already existing issues, like #521 and #1368.