I am quite confused trying to reconcile one of the U2F claims and the actual behavior I am witnessing.
Specifically, the following claims (from fido-u2f-overview-v1.0-rd-20131008, Section 12):
- A U2F device does not have a global identifier visible across online services or websites.
- A U2F device does not have a global identifier within a particular online service or website.
- A user has to activate the U2F device (i.e., 'press the button') before it will issue a key pair (for registration) or sign a challenge.
- If a user has registered multiple U2F devices to a particular account, then during authentication all the Key Handles are sent by the origin to the intermediate page. The intermediate page calls the signature JavaScript function with the array of Key Handles and sends the aggregated response back to the origin. Each attached activated U2F device signs for those Key Handles in the array that it recognizes. (from section 11.2 of the above-referenced overview)
Thus, it is implied that the only way for a U2F token to identify itself to a service is to actually authenticate itself by signing a challenge — the act of which requires some form of user input before proceeding.
However, this is demonstrably not the case — at least not for Google*.
For example, let's say I have two security keys. One is associated with my Google account (Security-Key-A), and one isn't (Security-Key-B). I connect both of them to my computer and, using Chrome, try to log into my Google account. When I do this, the only security key that starts blinking is the security key that is associated with my account.
More tellingly, if I remove Security-Key-A, leaving ONLY Security-Key-B connected, and then try to log in, I get the following message from the Google login process: "The Security Key you're using isn't yet registered for this account."
Note that, in both cases, I have not yet pressed the button on either security key. However, somehow Google magically knew that the connected security key wasn't the one it wanted to hear from. This evidence leads me to believe that there is a capability for a website to detect/poll-for the presence of specific security keys without any action by the user or even a visible indication that such a scan has occurred.
Am I misunderstanding something?
* Note that the Yubico U2F demo does not behave in this way.
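The distinction the question is probing is between a token *recognising* a key handle and a token *signing* with it. The section 11.2 flow quoted above only requires user presence for the second step; the first step (does this key handle belong to me, for this app ID?) is something a token can answer without anyone touching it, and U2F's raw authentication request does expose that step on its own via the "check-only" control byte. Below is an added simulation of that flow, written for this page and not taken from the question, the FIDO overview or any vendor's implementation. The HMAC-based key handle and "signature" are stand-ins for the device-wrapped private key and ECDSA signature of a real token (chosen so the example runs with only the standard library); the app ID, device names and status strings are constructed for the example.

```python
import hmac
import hashlib
import os
import struct


class UserPresenceRequired(Exception):
    """Raised when a device recognises a key handle but the button has not been pressed."""


class U2FDevice:
    """Toy U2F token (constructed for this example).

    A key handle wraps a per-registration nonce plus an HMAC under a secret that
    never leaves the device, so only the issuing token can recognise it. HMAC also
    stands in for the per-registration ECDSA key pair of a real token.
    """

    def __init__(self, name: str):
        self.name = name
        self._secret = os.urandom(32)   # device-only secret
        self.counter = 0                # U2F-style signature counter
        self.button_pressed = False     # set by the "user"

    def _mac(self, *parts: bytes) -> bytes:
        return hmac.new(self._secret, b"".join(parts), hashlib.sha256).digest()

    def register(self, app_id: bytes):
        """Returns (key_handle, verification_key). A real token returns a fresh
        ECDSA public key; here the relying party receives the HMAC key instead."""
        nonce = os.urandom(16)
        key_handle = nonce + self._mac(b"handle", nonce, app_id)
        return key_handle, self._mac(b"sign", nonce, app_id)

    def recognizes(self, key_handle: bytes, app_id: bytes) -> bool:
        """Did this device issue key_handle for app_id? Needs no user action,
        which is what lets a client tell which attached token holds a registration."""
        nonce, tag = key_handle[:16], key_handle[16:]
        return hmac.compare_digest(tag, self._mac(b"handle", nonce, app_id))

    def authenticate(self, app_id: bytes, challenge: bytes, key_handles: list):
        """Sign for every key handle this device recognises (section 11.2 behaviour).
        Unrecognised handles are skipped silently; a recognised one needs the button."""
        responses = []
        for kh in key_handles:
            if not self.recognizes(kh, app_id):
                continue
            if not self.button_pressed:
                raise UserPresenceRequired(self.name)
            self.counter += 1
            signing_key = self._mac(b"sign", kh[:16], app_id)
            msg = app_id + struct.pack(">I", self.counter) + challenge
            responses.append((kh, self.counter, hmac.new(signing_key, msg, hashlib.sha256).digest()))
        return responses


class RelyingParty:
    """Toy origin: stores registrations and drives the multi-key-handle login."""

    def __init__(self, app_id: bytes):
        self.app_id = app_id
        self.registrations = {}  # key_handle -> (verification_key, last_counter)

    def register(self, device: U2FDevice) -> bytes:
        kh, vk = device.register(self.app_id)
        self.registrations[kh] = (vk, 0)
        return kh

    def authenticate(self, connected: list):
        """Hand every registered key handle to every attached token, as the
        intermediate page does, and verify whatever comes back.

        Returns ("ok", device_name), ("touch_required", [names waiting for a press])
        or ("not_registered", [names of attached tokens that recognised nothing])."""
        challenge = os.urandom(32)
        handles = list(self.registrations)
        waiting = []
        for dev in connected:
            try:
                responses = dev.authenticate(self.app_id, challenge, handles)
            except UserPresenceRequired:
                waiting.append(dev.name)   # the token that would start blinking
                continue
            for kh, counter, sig in responses:
                vk, last = self.registrations[kh]
                msg = self.app_id + struct.pack(">I", counter) + challenge
                expected = hmac.new(vk, msg, hashlib.sha256).digest()
                if counter > last and hmac.compare_digest(sig, expected):
                    self.registrations[kh] = (vk, counter)   # counter check resists cloned tokens
                    return ("ok", dev.name)
        if waiting:
            return ("touch_required", waiting)
        return ("not_registered", [d.name for d in connected])


if __name__ == "__main__":
    rp = RelyingParty(b"https://example.test")          # constructed app ID
    key_a, key_b = U2FDevice("Security-Key-A"), U2FDevice("Security-Key-B")
    rp.register(key_a)
    print(rp.authenticate([key_a, key_b]))   # only Key A is asked to blink
    print(rp.authenticate([key_b]))          # "isn't yet registered" case
    key_a.button_pressed = True
    print(rp.authenticate([key_a, key_b]))   # Key A signs, Key B stays silent
```

Running the script reproduces the two observations in the question: with both tokens attached only Security-Key-A is reported as waiting for a touch, and with only Security-Key-B attached the relying party can state that no registered key is present, all before any button is pressed. The privacy properties quoted from section 12 still hold in this model: Security-Key-B reveals nothing except "none of these handles are mine", and a second relying party with a different app ID cannot use Security-Key-A's handle to recognise it, because the handle is bound to the app ID inside the MAC.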