Review on Feitian EPass NFC FIDO Security by Marcus Zimmerly

Revainrating 5 out of 5

Inexpensive and most secure NFC enabled U2F dongle

This FIDO U2F security dongle works on all U2F enabled websites (including Google, Facebook and Bitbucket) and browsers (Chrome, Firefox and Brave) I've tried, although I've heard stories about sites that only work with certain key brands (a philosophical error on the part of those sites, IMO). This is NOT a FIDO2 key, so it's only useful as a second factor (where your password is usually the first factor).

In my experience I sometimes had to press the 'button' multiple times when using this via a USB OTG cable to my tablet. Whether this was due to issues with this device, my tablet, the OS, my apps, or the OTG cable, I'm not sure. The same goes for the key lock on my phone in NFC mode. In all cases, however, it ultimately worked. If websites tell you that your browser is not supported, search the web for instructions on how to enable U2F in your browser (Firefox in particular requires a special about:config option to be enabled for some websites).

If you are wondering why U2F is better than other options, such as codes sent via SMS or generated by authenticator apps, the main reason is better security. Aside from being vulnerable in other ways (e.g., stolen TOTP secrets, phone carrier social engineering, stolen SIM cards), these other methods won't protect you from a well-organized phishing attack: a phisher who tricks you into entering your password on a fake website can easily ask you for an SMS/authenticator code and use it and your password to access your account. Some websites use risk-mitigating measures, e.g. adding an IP-based location to a text message or warning about new/suspicious logins, but U2F offers much better protection: if you are on fakebank.com, the U2F key adds this information to the reply that it produces, and the legitimate bank.com will not accept it.

This device also includes some other "smart card" features, but I found these to be of limited use and not well documented. For example, it's somehow possible to store RSA public/private key pairs here for use with a computer, but I haven't been able to get this to do anything useful (using opensc on Linux). Feitian has several tools that allow you to choose a PIN for this feature and use it to automatically enter some forms of OTPs, but I didn't find this feature necessary/useful and don't use it.

Pros
  • Secured with NXP semiconductors
Cons
  • No automatic
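The origin binding the review describes (a response produced on fakebank.com is rejected by the real bank.com), as an added, simplified example that is not part of the review or of any Feitian software. It models the U2F signing layout (hash of the appId, user-presence byte, counter, hash of the client data) on both the key side and the relying-party side, but replaces the key's ECDSA signature with an HMAC under a constructed device key so it runs on the standard library alone; the origins, challenge and counter values are constructed.

```python
import hashlib
import hmac
import json
import struct

# Constructed stand-in for the per-site private key held inside the dongle.
# Real U2F uses an ECDSA P-256 key; HMAC keeps this runnable without extra libraries.
DEVICE_KEY = b"constructed-device-key"


def signed_bytes(app_id: str, client_data: bytes, counter: int) -> bytes:
    """U2F authentication signature input: appParam || userPresence || counter || challengeParam."""
    app_param = hashlib.sha256(app_id.encode()).digest()        # SHA-256 of the appId/origin
    challenge_param = hashlib.sha256(client_data).digest()      # SHA-256 of the client data JSON
    return app_param + b"\x01" + struct.pack(">I", counter) + challenge_param


def authenticator_sign(app_id: str, client_data: bytes, counter: int) -> dict:
    """What the key returns: the client data it was shown plus a signature over signed_bytes()."""
    sig = hmac.new(DEVICE_KEY, signed_bytes(app_id, client_data, counter), hashlib.sha256).digest()
    return {"client_data": client_data, "counter": counter, "signature": sig}


def browser_sign_in(origin: str, challenge: str, counter: int) -> dict:
    """The browser writes the origin it is actually on into the client data; page scripts cannot change it."""
    client_data = json.dumps(
        {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin}
    ).encode()
    # The browser also uses the page's own origin as the appId it hands to the key.
    return authenticator_sign(origin, client_data, counter)


def rp_verify(rp_origin: str, expected_challenge: str, response: dict, last_counter: int) -> bool:
    """Relying-party checks: origin, challenge, counter, then recompute the signed data from its OWN origin."""
    cd = json.loads(response["client_data"])
    if cd.get("origin") != rp_origin or cd.get("challenge") != expected_challenge:
        return False
    if response["counter"] <= last_counter:          # rejects replayed responses
        return False
    expected = hmac.new(
        DEVICE_KEY, signed_bytes(rp_origin, response["client_data"], response["counter"]), hashlib.sha256
    ).digest()
    return hmac.compare_digest(expected, response["signature"])


def demo() -> tuple:
    """Legit login, phished response, phisher-edited response, replay: (True, False, False, False)."""
    bank = "https://bank.com"
    challenge = "c-0001"  # constructed; real RPs send random bytes per login attempt

    legit = browser_sign_in(bank, challenge, counter=10)
    ok = rp_verify(bank, challenge, legit, last_counter=9)

    # Phishing: the user signs on the phisher's page and the phisher forwards the response to the bank.
    phished = browser_sign_in("https://fakebank.com", challenge, counter=11)
    phish_ok = rp_verify(bank, challenge, phished, last_counter=10)

    # The phisher rewrites the origin field; the signature covers the original bytes, so it no longer verifies.
    cd = json.loads(phished["client_data"])
    cd["origin"] = bank
    tampered = dict(phished, client_data=json.dumps(cd).encode())
    tamper_ok = rp_verify(bank, challenge, tampered, last_counter=10)

    # Replaying the earlier legitimate response fails the counter check.
    replay_ok = rp_verify(bank, challenge, legit, last_counter=10)
    return ok, phish_ok, tamper_ok, replay_ok


if __name__ == "__main__":
    print(demo())
```

The two independent checks are what matter: the relying party compares the origin the browser recorded against its own, and it hashes its own appId into the data it verifies, so a response signed for another origin fails even if the attacker edits the client data afterwards.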