How U2F works
Gerd v. Egidy
gerd.von.egidy at intra2net.com
Mon Mar 6 23:32:25 CET 2017
> Frankly, I don't really understand the use case for U2F? Why not use
> plain user certificates, which have been supported by browsers and servers
> for ages? Is that because the web frameworks don't have good support for
> this?
I think this is because many people consider anything that is called a
"certificate" complicated. Probably because in the past a lot of programs had
poor or buggy support for it and they struggled with it.
So they came up with a new brand name and standard.
But I think they messed this up: when you want an attested U2F device, there
is no way to back up the private key or clone it to another U2F device. So
whenever you sign up to a new service or website, you must have your primary
and all backup U2F devices (each with its own key) at hand to register them
with the service.
To have them at hand means I can't store them at a second secure location like
a bank safe, because I won't go to my bank safe just to be able to order at a
new online store. Completely impractical unless you restrict the usage to
a handful of key services. Or it is right back to "what was the name of your
first pet" :(
Kind regards,
Gerd
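The registration model described in the post, as an added example that is not part of the original message and not taken from the U2F specification or any particular authenticator: each device generates its own key pair per service, the private key never leaves the device, and the relying party stores one public key per registered device. The simplification here is that the signed data is just the service origin plus the challenge (real U2F also signs an application-ID hash, a usage counter and a user-presence flag), and the service and user names ("shop.example", "alice", "primary", "backup-in-safe") are constructed. The scenario shows why a backup device left in a safe cannot log in until it has been physically present for its own registration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Device models a U2F authenticator: one non-exportable key pair per
// (device, service) registration. Real authenticators derive that key from a
// device secret; from the relying party's point of view a fresh key per
// registration is equivalent, so we simply generate one.
type Device struct {
	name string
	keys map[string]*ecdsa.PrivateKey // indexed by service origin
}

func NewDevice(name string) *Device {
	return &Device{name: name, keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a key pair for this service and hands back only the public
// half. This is the step that needs the device physically present.
func (d *Device) Register(service string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	d.keys[service] = priv
	return &priv.PublicKey, nil
}

// Sign answers a login challenge. A device that was never registered at this
// service has no key for it and cannot produce a valid signature.
func (d *Device) Sign(service string, challenge []byte) ([]byte, error) {
	priv, ok := d.keys[service]
	if !ok {
		return nil, fmt.Errorf("device %q holds no key for %s", d.name, service)
	}
	digest := sha256.Sum256(append([]byte(service), challenge...))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Service is the relying party. It keeps every public key enrolled for an
// account, one per registered device.
type Service struct {
	origin   string
	accounts map[string][]*ecdsa.PublicKey
}

func NewService(origin string) *Service {
	return &Service{origin: origin, accounts: map[string][]*ecdsa.PublicKey{}}
}

func (s *Service) Enroll(user string, pub *ecdsa.PublicKey) {
	s.accounts[user] = append(s.accounts[user], pub)
}

// Challenge returns 32 random bytes; the signature must cover them so a
// captured response cannot be replayed for a later login.
func (s *Service) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify accepts the login if any enrolled key for the account signed it.
func (s *Service) Verify(user string, challenge, sig []byte) bool {
	digest := sha256.Sum256(append([]byte(s.origin), challenge...))
	for _, pub := range s.accounts[user] {
		if ecdsa.VerifyASN1(pub, digest[:], sig) {
			return true
		}
	}
	return false
}

// Login runs one challenge/response round for a device against a service.
func Login(s *Service, user string, d *Device) (bool, error) {
	challenge, err := s.Challenge()
	if err != nil {
		return false, err
	}
	sig, err := d.Sign(s.origin, challenge)
	if err != nil {
		return false, nil // no key for this service: login simply fails
	}
	return s.Verify(user, challenge, sig), nil
}

// Scenario reproduces the situation in the post: the primary key registers at
// a new store, the backup key stayed in the safe. Returns whether the primary
// can log in, whether the backup can before it is enrolled, and whether it can
// once it has been brought along and enrolled too.
func Scenario() (primaryOK, backupBefore, backupAfter bool, err error) {
	shop := NewService("shop.example") // constructed service name
	primary := NewDevice("primary")
	backup := NewDevice("backup-in-safe")

	pub, err := primary.Register(shop.origin)
	if err != nil {
		return
	}
	shop.Enroll("alice", pub)

	if primaryOK, err = Login(shop, "alice", primary); err != nil {
		return
	}
	if backupBefore, err = Login(shop, "alice", backup); err != nil {
		return
	}

	// Only after a trip to the safe can the backup device be registered.
	pub, err = backup.Register(shop.origin)
	if err != nil {
		return
	}
	shop.Enroll("alice", pub)
	backupAfter, err = Login(shop, "alice", backup)
	return
}

func main() {
	p, b1, b2, err := Scenario()
	fmt.Println("primary:", p, "backup before enroll:", b1, "backup after enroll:", b2, "err:", err)
}
```

Each service ends up holding one public key per device, which is exactly what makes the per-service registration round trip unavoidable: a clone-free device has nothing to hand over on behalf of its sibling.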