Add Two-Factor Authentication to Your Apps

Recent years have seen repeated website hacks, with hackers capturing many user details. Even a tech-savvy firm like Uber isn’t immune: the ride-sharing giant faces scrutiny for a 2016 hack that swiped data from 57 million passengers and drivers.

You can now download a collection of 320 million passwords from Troy Hunt, the developer and security evangelist behind With GPU-powered hacking software, many thousands of password hashes can be broken per second, revealing the clear text password. (My current passwords thankfully haven’t turned up in any online breaches; according to haveIbeenpwned, one of my two emails has turned up in nine breaches and the other one in five.)


So what’s the answer to better security? One way is 2FA, short for ‘Two-Factor Authentication.’ To use a 2FA-enabled website, you need both your password and a “second factor,” such as SMS verification. I use 2FA on my email accounts and any website that involves money (such as PayPal). If you’ve ever used your phone to input a code before you can login to a website, that’s 2FA in action. It can really save your skin if you reuse passwords on different websites and one site ends up compromised.

If you have users logging into your website, why not secure them with 2FA? Although it can be expensive sending SMS messages (especially to other countries), there is a newish standard (just three years old), developed by Google and Yubico called FIDO U2F. This has been supported on Chrome and the Firefox nightly build since September.

The FIDO part of U2F is an open standard that includes dual-factor via a device such as a dongle. This is the Yubikey 2nd Factor device that we’ll examine through the rest of this article. The U2F protocol is used with USB devices such as the YubiKey, but there are other authentication methods using mobile devices, fingerprint readers, and so on. If your phone has NFC, it can read a more advanced Yubikey, such as the Yubikey NEO, by swiping near it; otherwise, you plug your Yubikey into a USB port on your desktop PC or laptop.


The simplest key, a small USB dongle with a small button, costs around $18. Plug it in, then go the Yubico Demo site. Register a user name and password, and the Yubikey’s button will start flashing. Once you touch the button, you are authenticated. This generates a public/private key using the sha256 hash algorithm with RSA Encryption. (You can have any number of services supported.)

To use the key, you have to authenticate against a server using a simple REST API—either against the Yubico server or one you set up yourself. Yubico provides source code for a U2F server in C, Java, Python and PHP. There are also 286 repository results on Github for U2F; for example, there’s code for U2F servers in Go, Ruby, Typescript and others.

There are other models of keys made by Yubico, supporting other security protocols; other manufacturers also support U2F, including AdaFruit, Feltian and HyperFIDO. They all work in the same way.

The main use of U2F is websites, but it can also be leveraged for desktop applications and logging into Windows, Mac, or Linux. There are two connector libraries in C and Python; the Python library works with Python 2.7 and 3.3 onwards (this Python page shows the dependencies and other libraries you need before installing). Although it’s a small download (51KB), it takes a couple of minutes to install it. Make sure you install the dependencies first, as well.

Programming the Yubikey

You access the authentication server via a RESTful interface. This can be Yubico’s server or your own.

First you need to run the server python-u2flib-server. If you’ve downloaded this from the site, you may experience a ‘No Module named webob.dec’ error, as I did on Ubuntu 17.04. The fix is to just install webob with this pip command:

pip install webob

After that, the server runs fine on port 8081.

Now that’s done, you can start registration with this command:

curl http://localhost:8081/enroll

This returns a JSON string:

{"appId": "http://localhost:8081", "registeredKeys": [], "registerRequests": [{"version": "U2F_V2", "challenge": "9TCtiRRLBFqMokOWfepjej99lMKQhZfm20Sgtay-FMs"}]}

We need just four functions to implement this in code: Start registration, Finish registration, Start authentication and Finish authentication. You can see all of them on this page; this is the one needed to start the registration:

def start_registration(username):

challenge = u2f_lib.start_registration(APP_ID)

challenge_store.set(username, challenge)

return challenge

This can be called from desktop applications or a web server. The diagrams on this page show how authentication is done, and can mitigate phishing and Man in the middle attacks.


I think the time is right to build U2F into your security for your websites or desktop applications (there are already Django and WordPress plugins). The beauty of the system is that you can even leave the key plugged in, as a remote attacker can’t press the button.

The Yubikey is lightweight, and I imagine repeated insertions and removal will slowly wear it out. To prevent any downtime, you should buy two keys and keep the second one as a spare for when your main key fails. No gadget lasts forever!