I have one of the old blue U2F tokens (~20 EUR), and pretty much only used it for GMail so far. That alone is worth it to me because many other passwords can be reset by someone that gains control over my email account.
I personally find the token much more convenient than a TOTP code via app on my smartphone. And the U2F/FIDO part is very interesting as it eliminates phishing as a risk.
I ordered a Yubikey 5 NFC just now to play around especially with the NFC part and see if I can do something useful on my phone with that. I'm still looking for a password manager that could use an NFC Yubikey to unlock it on a smartphone.
There is a Password Store app for Android (by Zeapo). It can be interfaced with OpenKeychain in order to use an NFC key. So I think you will be able to achieve full-featured OpenPGP encryption for your passwords using an external hardware key.
The browser sends the domain as part of the request to the U2F key; so a MITM would need to be a true network-level MITM and not just a fake website MITM. The user would then have to ignore the cert error as well.
I'm not saying it's not impossible, but it's not the primary attack U2F is designed to prevent.
Well, the code which a U2F token generates with the help of Google Authenticator has ONLY 6 digits. 6 digits, that's not extremely hard to brute force, is that right?
If you are using an additional backup U2F token (2 tokens in total), the hacker has a 1:500 000 chance to find out the correct PIN. Is my assumption right?
You seem confused. I think you're describing TOTP, but this whole thread is about FIDO.
WebAuthn, U2F and similar FIDO based schemes are sending some public key signed blobs over the network. A PIN is purely a local protection, it's not sent over the wire. So a hacker can't just try guessing the PIN. First they need to steal your physical token, only then could they start guessing PINs for the stolen token.
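To make the two points above concrete (the browser puts the origin into the signed data, and the relying party checks a signed blob rather than any secret sent over the wire), here is a small added simulation that is not code from this thread or from any FIDO vendor. The relying-party origin, challenge and key are constructed; the token's ECDSA P-256 signature is replaced by HMAC-SHA256 under a shared secret so it runs with the standard library, but the signed byte layout (appIdHash || userPresence || counter || SHA-256(clientData)) is the real U2F one.

```python
import hashlib, hmac, json, struct

# Constructed demo of U2F origin binding. HMAC stands in for the token's ECDSA
# signature; TOKEN_KEY plays the role of the per-site key behind a key handle.
RP_APP_ID = "https://mail.example.test"            # constructed relying party
TOKEN_KEY = b"constructed-per-site-key-handle-secret"

def client_data(challenge: str, origin: str) -> bytes:
    # The browser, not the web page, fills in the origin it is really talking to.
    return json.dumps({"typ": "navigator.id.getAssertion",
                       "challenge": challenge, "origin": origin}).encode()

def token_sign(app_id_seen: str, client_data_json: bytes, counter: int) -> bytes:
    # Token side: sign appIdHash || presence byte || counter || SHA-256(clientData).
    payload = (hashlib.sha256(app_id_seen.encode()).digest() + b"\x01"
               + struct.pack(">I", counter) + hashlib.sha256(client_data_json).digest())
    sig = hmac.new(TOKEN_KEY, payload, hashlib.sha256).digest()
    return b"\x01" + struct.pack(">I", counter) + sig   # what goes over the wire

def rp_verify(response: bytes, client_data_json: bytes, last_counter: int) -> bool:
    # Relying-party side: rebuild the signed bytes from ITS OWN app id plus the
    # clientData the browser sent, then check origin, presence, counter, signature.
    presence, counter = response[0], struct.unpack(">I", response[1:5])[0]
    sig = response[5:]
    if json.loads(client_data_json)["origin"] != RP_APP_ID:
        return False            # browser saw a different origin: phishing page
    if presence != 1 or counter <= last_counter:
        return False            # no user touch, or replayed / cloned-token counter
    expected = hmac.new(TOKEN_KEY,
        hashlib.sha256(RP_APP_ID.encode()).digest() + bytes([presence])
        + struct.pack(">I", counter) + hashlib.sha256(client_data_json).digest(),
        hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)

def legitimate_login(challenge="c1", counter=7, last_counter=6) -> bool:
    cd = client_data(challenge, RP_APP_ID)
    return rp_verify(token_sign(RP_APP_ID, cd, counter), cd, last_counter)

def phished_login(challenge="c1", counter=7, last_counter=6) -> bool:
    # A look-alike site relays the real challenge, but the browser embeds the
    # origin it sees and the token signs that site's app id, so the RP rejects it.
    evil = "https://mail.example-login.test"
    cd = client_data(challenge, evil)
    return rp_verify(token_sign(evil, cd, counter), cd, last_counter)
```

Note that no PIN or secret appears in the response at all; only the signature, the presence byte and the counter cross the network, which is why guessing a PIN remotely gains nothing.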