emmatoday's comments
emmatoday | 7 years ago | on: Ryanair, Hamiltonian Cycles, and using graph theory to find cheap flights
emmatoday | 7 years ago | on: Drawpile is a free software collaborative drawing program
I only wish it supported pen pressure on Linux.
emmatoday | 8 years ago | on: Ask HN: What are your impressions for using 1 big curved monitor for programming?
emmatoday | 8 years ago | on: ADSL over wet string
emmatoday | 8 years ago | on: Google Will Retool User Security in Wake of Political Hack
My simplified understanding is that it works like this:
The first step is registration of the authenticator with the site. The site sends a registration request to the authenticator. The authenticator generates a new key pair. It encrypts the private key with a symmetric key that never changes and never can be extracted from the authenticator. Then it sends a registration response to the site, which includes BOTH the public key and the encrypted private key. The site is responsible for keeping the keys.
Then you are ready to authenticate. The site sends a challenge request to the authenticator which is unique and probably has an expiration time. Inside the challenge is the encrypted private key. The authenticator uses the never-changing symmetric key to decrypt the private key, sign the challenge, and return it to the site. Then the site checks the signature against the public key on file.
The key benefit here is that the browser will not allow a site to send a challenge which is not for its own domain. Which means there is no way a phishing site can MITM the 2FA process. Even if they get a challenge from the real site, the browser won't let them present it to the authenticator to sign. As opposed to TOTP where the OTPs can be easily phished and used within the time window they are valid.
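Added example, not part of the comment above and not code from any U2F implementation: a simplified Node.js sketch of the flow the comment describes (key pair wrapped under a fixed device key, the wrapped key stored by the site, challenge signing, origin supplied by the browser). The class and function names, the AES-GCM wrapping with the origin as associated data, and the `origin || challenge` signing input are assumptions of this sketch.

```javascript
// Added illustration; class and function names are hypothetical, not a real U2F API.
const crypto = require('node:crypto');

class Authenticator {
  constructor() { this.deviceKey = crypto.randomBytes(32); } // fixed key, never leaves the device

  // Registration: new key pair; the private key goes back to the site only in wrapped form.
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    const iv = crypto.randomBytes(12);
    const c = crypto.createCipheriv('aes-256-gcm', this.deviceKey, iv);
    c.setAAD(Buffer.from(origin)); // assumption of this sketch: bind the wrapped key to the origin
    const ct = Buffer.concat([c.update(privateKey.export({ type: 'pkcs8', format: 'der' })), c.final()]);
    return { publicKey, keyHandle: Buffer.concat([iv, c.getAuthTag(), ct]) };
  }

  // Authentication: unwrap the private key, sign origin || challenge.
  sign(origin, challenge, keyHandle) {
    const d = crypto.createDecipheriv('aes-256-gcm', this.deviceKey, keyHandle.subarray(0, 12));
    d.setAAD(Buffer.from(origin));
    d.setAuthTag(keyHandle.subarray(12, 28));
    const der = Buffer.concat([d.update(keyHandle.subarray(28)), d.final()]); // throws on wrong origin
    const key = crypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
    return crypto.sign('sha256', Buffer.concat([Buffer.from(origin), challenge]), key);
  }
}

// Browser role: it passes the origin of the page actually loaded, not one the page claims.
function browserSign(authenticator, pageOrigin, challenge, keyHandle) {
  try { return authenticator.sign(pageOrigin, challenge, keyHandle); } catch { return null; }
}

// Site role: check the response against the public key stored at registration.
function siteVerify(origin, publicKey, challenge, signature) {
  if (signature === null) return false;
  return crypto.verify('sha256', Buffer.concat([Buffer.from(origin), challenge]), publicKey, signature);
}

function demo() {
  const token = new Authenticator();
  const site = 'https://example.com'; // constructed sample origins
  const { publicKey, keyHandle } = token.register(site);
  const challenge = crypto.randomBytes(32);
  const direct = browserSign(token, site, challenge, keyHandle);
  const relayed = browserSign(token, 'https://examp1e.com', challenge, keyHandle);
  return { direct: siteVerify(site, publicKey, challenge, direct),
           relayed: siteVerify(site, publicKey, challenge, relayed) };
}
```

`demo()` returns `direct: true` and `relayed: false`: the same challenge and wrapped key presented from a different origin yield no usable signature, which is the property a TOTP code lacks.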