I have been a user of hardware security tokens for a long time. My key-chain always has a Feitian MultiPass FIDO Security Key on it at all times to allow me to authenticate to many web services, including the admin section of KMyers.me. I was shocked to learn that Google has hidden a fully functional U2F token in the Pixelbook. I doubt you really need another reason to buy a Pixelbook but this is really a massive feature that was never officially announced. Here is how you can activate it
U2F or Universal 2 Factor authentication is a standard that makes your significantly more secure while online by requiring something in addition to your username/password to prove your identification. This is typically done with a unique hardware token that issues a cryptographic signature to a web service. U2F tokens are normally very inexpensive and easy to get.
On a side note – I can only confirm this is on the Pixelbook. I have tested it with a ASUS Chromebook Flip, HP Chromebook X2 and Samsung Chromebook Plus – only the Pixelbook seems to have this feature although the command below is still exposed on all chromebooks I tested.
At the moment, you must be running Chrome OS 68.0.3440.15 or higher which is currently in the developer channel. Once enabled, you simply need to open a Chrome Shell (Ctrl + Alt + T) and run the following command;
u2f_flags g2f
This command activates a virtual U2F token and sets it to the Pixelbook’s power button. This means that any website that allows U2F tokens such as the YubiKey will now allow you to add your Pixelbook’s built in U2F token by simply tapping the power button on your Pixelbook when the website prompts you to “insert and press the button on your token”.
There are several services such as GMail, NextCloud, DropBox and more that allow the use of U2F tokens. You can normally add multiple tokens and I highly recommend purchasing a spare and keeping it in a safe place – in the event you need to ever powerwash your Pixelbook.
If you want to give this a try, I have enabled U2F tokens on a forum that I own, https://Technical.chat. Here are the steps to register an account and setup your Pixelbook as a U2F device.
- Enable the u2f_flag as instructed above
- Goto https://technical.chat/register/ and create a new account
- Visit your account profile and select “Two-Step Verification“
- Enable “FIDO U2F” and select “Manage”
- Type “Pixelbook” or another friendly name in the “Key Name” Field and select “Add Key”
- You will see a “Activate U2F Device” box appear with the text “Please Activate your U2F device by plugging it in and pressing the button to register it” – Simply give the power button on your Pixelbook a quick press and the box will go away.
You can now test it by logging out of Technical.chat and logging back in. You may need to select “FIDO U2F” if you choose to activate other 2 factor features on that site. While you are there, feel free to drop in and introduce yourself – there are occasional prize giveaways for active members 🙂
Is there any info from Google as to whether this is using hardware-backed crypto or a software implementation?
There would have to be some hardware backing, based on the source code, this is mostly done in the TPU. I am doing a teardown later this afternoon.
I have heard about laptops that have 2fa built in to the power button etc. The main objection I have heard is that if the device is lost, the built in authenticator is lost with the device.
Not sure I fully go along with this logic however I do have my doubts of placing too much trust in a fingerprint reader on a device that will naturally be covered in fingerprints from the user.
To that end, and for the time being, I still see a role for hardware tokens and Fido devices (examples: https://deepnetsecurity.com/authenticators/fido-u2f/).