- Use a U2F device as an alternative to authenticator apps. - Best example of a U2F device is Yubico's [FIDO U2F Security Key] - https://www.yubico.com/ - https://www.yubico.com/products/yubikey-hardware/ Suggested in gitlab-ce#2979 (comment 4868554) /cc @JobV @matt.wilkinson ## Features This serves as an umbrella issue for all U2F features: - [x] Register U2F device and authenticate with it (gitlab-ce!3905) - [x] Require authenticator to be set up before enabling U2F (gitlab-ce#17333) - [x] Support for Firefox via extension (gitlab-ce#17341) - [ ] Add an identifier for each U2F device (gitlab-ce#17334) - [ ] More granular control over disabling U2F devices (gitlab-ce#17335) - [ ] Honor the "Remember Me" parameter (gitlab-ce#18103) - [ ] Polish up the U2F flow (gitlab-ce#18556) - [ ] Register an U2F device should trigger an email and an audit log event (gitlab-ce#18557) - [ ] Support for more browsers (gitlab-ce#22938 and gitlab-org/gitlab-ee#778) ## TODO After Core Implementation - [x] Test with other vendors' U2F devices - [x] Order non-yubico U2F devices - [x] Test with non-yubico devices - I've tested our U2F implementation with these three devices, with no issues: - Yubico FIDO U2F: https://www.amazon.com/dp/B00NLKA0D8 - Plug-Up Security Key: https://www.amazon.com/dp/B00OGPO3ZS/ - HyperFIDO Security Key: https://www.amazon.com/dp/B00WIX4JMC - [ ] Audit ruby-u2f gem and u2f javascript API [FIDO U2F Security Key]: https://www.yubico.com/products/yubikey-hardware/