Support for YubiKeys and U2F devices is now available in Pritunl Zero. This allows adding U2F verification to admin logins, user logins, web service logins and users approving SSH certificates. U2F authentication is included in the free version of Pritunl Zero.
Authentication with U2F devices provides the strongest authentication currently available in a web browser. A U2F device gives strong proof that the user is in sole possession of the device and physically activated it, by pressing its button, at the moment of authentication. When a U2F device is registered to a service, the registration is bound to a specific U2F metadata URL. The metadata at that URL lists the allowed origins the browser will respond to. If a phishing attempt is made from a URL that is not in that list, the browser blocks it. Pritunl Zero automatically manages the metadata file so that services can be added and removed without invalidating existing U2F registrations.
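The origin check that the metadata file enables, as an added example in Go (not Pritunl Zero's own code): a constructed AppID metadata document listing two allowed service origins, and a check that accepts only an exact origin match. The JSON layout follows the FIDO U2F AppID and Facet specification; the hostnames are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// Facet list served at a U2F AppID URL (FIDO AppID spec): origins allowed to use the registration.
type trustedFacets struct {
	TrustedFacets []struct {
		Version json.RawMessage `json:"version"`
		IDs     []string        `json:"ids"`
	} `json:"trustedFacets"`
}

// Constructed sample metadata document; not Pritunl Zero's real file.
const sampleMetadata = `{"trustedFacets":[{"version":{"major":1,"minor":0},` +
	`"ids":["https://zero.example.com","https://wiki.example.com"]}]}`

// originOf reduces a URL to scheme://host[:port]; non-https input yields "".
func originOf(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return ""
	}
	return "https://" + u.Host
}

// OriginAllowed is the browser's check before answering a U2F challenge: an
// exact origin match, so https://zero.example.com.evil.test is rejected.
func OriginAllowed(metadata []byte, origin string) bool {
	var tf trustedFacets
	want := originOf(origin)
	if json.Unmarshal(metadata, &tf) != nil || want == "" {
		return false
	}
	for _, g := range tf.TrustedFacets {
		for _, id := range g.IDs {
			if originOf(id) == want {
				return true
			}
		}
	}
	return false
}

func main() {
	fmt.Println(OriginAllowed([]byte(sampleMetadata), "https://zero.example.com.evil.test")) // false
}
```

Adding a new service to the facet list is then a matter of appending its origin to the served document; existing device registrations stay valid because the AppID URL itself does not change.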
All devices that support the U2F open standard will work, but the devices below are the most common and were all tested with Pritunl Zero. The YubiKey 4 and YubiKey Neo are the only devices listed that will also work with a Pritunl VPN server, which uses YubiKey OTP authentication. These two keys are also supported by Duo using OTP.
- YubiKey Security Key v1 (USB-A) — Discontinued
- YubiKey Security Key v2 (USB-A) — $20
- YubiKey 4 (USB-A, USB-C) — $40
- YubiKey Neo (USB-A, NFC) — $50
- Feitian MultiPass FIDO Security Key (USB-A, NFC, Bluetooth) — $25
Below is the current platform support for U2F. Communication with the U2F device is handled by the web browser, and none of the platforms require drivers or any other software to be installed.
- macOS — USB
- Windows — USB
- iOS — NFC possible but currently blocked in the web browser by Apple
- Android — USB, NFC, Bluetooth
- ChromeOS — USB; the Google Pixelbook has a built-in U2F device
Authenticating with Pritunl Zero
The order of authentication when all methods are enabled is primary, then U2F, then secondary. For the first login, before a U2F device is registered, the order is primary, then secondary, then U2F registration.
Users can log in to the user console to manage their U2F devices. To add a new device the user must authenticate with an existing U2F device and, if enabled, verify secondary authentication. If a user deletes all of their U2F devices, the account is disabled until an administrator reactivates it.
Administrators can add and remove U2F devices from the user view page in the management console. Administrators are not required to authenticate with an existing U2F device when adding new ones.