Firefox, Security Keys, U2F, and Google Advanced Protection

Advanced Protection for Google Accounts uses a legacy web technology that is only partially supported in Firefox. Here is how you get started with physical security keys and extra protections for your Google Account in Firefox.

Should you use Google Advanced Protection

There are many reasons why you’d want to add extra layers of protection to your Google Account. Maybe you’ve got a decade worth of personal emails, important documents, or you’ve saved your credit cards and passwords in Google Chrome or Pay, or you’re an AdSense publisher and would like protect your revenue and account standing.

Google recommends that only people who require “extra protection” enable their Advanced Protection program. More specifically, Google suggest this as an option for public personas and others who might be be at a higher risk of targeted attacks against their Google Accounts. However, I would argue that the program is suitable for anyone who believes their Google Account contains anything valuable like your email, personal information, and whole digital life.

Advanced Protection shifts Google’s security model form user-convenience towards stronger security. This means you won’t be able to login to some third-party apps and websites using your Google Account. This primarily affects third-parties that accesses or manages your Google Mail or non-app specific data in Google Drive.

Two-factor login on steroids

Regular Google Accounts can boost their security by adding a secondary factor, usually in the form of the Google Authenticator mobile app that generates time-based one-time passwords that are unique to your account. If you lose or reset your phone, you can go through a few extra steps and unlink Authenticator from your account so that you can sign-in again.

Advanced Protection takes the additional layer of security offered by a second factor component to the login process a few steps further and uses physical security devices instead of relying on a mobile app. These security devices, known as security keys, come in many shapes and forms. They’re built on an open industry standard called Universal 2nd Factor (U2F) and come in wireless varieties with Bluetooth or NFC, and USB-A or USB-C interfaces.

Advanced Protection require you to add at least two security keys to your account. You can enroll more keys later if you want to keep a third backup in addition to your two primary keys. You really want to keep good care of your security keys and have at least one backup.

Unlike the regular two-factor authentication scheme, you can’t just remove the second step authentication requirement once you join the Advanced Protection program. If you lose your keys, you have to contact Google customer support and go through a long verification process and provide a lot of detailed information about your Google Account to unlock it. You can expect to lose access to your account for quite some time if you lose your security key.

Obtaining hardware security keys

Before you can enroll in the Google Advanced Protection program, you must have at least two security keys at the ready. You can use the same keys for multiple Google Accounts, and even reuse the same keys with different U2F-enabled web services.

You should keep a record of which of your keys are registered with which websites. If you lose a key or want to decommission one, you’ll need this record to know all the accounts you’ll need to update.

You can use any FIDO U2F security keys as long as they’re compatible with your devices. Google recommend you get one regular key with USB as your backup token, and one mobile-capable with wireless Bluetooth and NFC as the primary key you carry around with you. Specifically, Google recommends the YubiKey U2F (USB) and either the Feitan Multipass (Bluetooth/NFC/USB) or YubiKey Neo (NFC/USB). Bluetooth is more compatible with a wider range of devices, but the Bluetooth capabilities requires you to charge the key. NFC is less compatible with cheaper smartphones and other devices. However, neither NFC nor USB modes require you to charge the keys for them to operate.

I chose a YubiKey U2F, and a Feitian ePass (NFC/USB) as it’s about a third of the price of the YubiKey Neo as I don’t have a need for Bluetooth. (The cover photo shows the YubiKey U2F in blue and Feitan Multipass in white.)

Recent versions of Windows and macOS should immediately recognize your U2F device so you don’t need to install any drivers. Older and stale Linux distributions may not recognize your U2F device, however. You can either update your Linux distribution or copy udev definitions for your device from a newer release.

Enabling U2F support in Firefox

Firefox version 60 and newer has built-in support for a new standard for hardware security keys called Web Authentication (WebAuthn). Google doesn’t [yet] use this standard, but you can enable support for the legacy FIDO U2F protocol in Firefox version 58 and newer.

To enable U2F support, type about:config into the address field in Firefox, and press Enter. Dismiss the warning, and search for the setting called security.webauth.u2f in the list of advanced settings. Double-click on it to enable U2F support and restart Firefox to apply the change.

This setting is only intended to make Firefox compatible with legacy systems that haven’t yet migrated to the newer Web authentication (WebAuthn) standard.

Unfortunately, you won’t be able to register any new security keys to your Google Account using Firefox. Firefox only has partial support for U2F and its implementation doesn’t include key-registration. You have to use Google Chrome to add security keys and enable Advanced Protection. Once you’ve added your security keys in Google Chrome, you can use your keys to authenticate in Firefox.

Enroll in Google Advanced Protection

The first thing you’ve got to do is to put Firefox aside and either install or open Google Chrome if you’ve already got it installed. You can uninstall it after completing the setup process if you don’t want to leave Google Chrome on your system. You must use Google Chrome for the initial setup process of Google Advanced Protection, but you won’t need it afterwards.

Using Google Chrome, head to the Google Advanced Protection page on Google.com, click Get started, and complete the enrollment steps. You’ll need both your security keys at this stage.

After you’ve completed the setup process, make sure to store your security keys separately. Don’t keep both of them with you as one should serve as your backup. If you lose on of your keys, be sure to order a replacement key and enroll it as soon as possible. You can add additional security keys and manage your existing keys on the My Google Account: Sign-in options: Two-step verification page. You must have at least two keys associated with your Google Account unless you choose to disable Advanced Protection again. You’ll need to use Google chrome to manage your keys.

Authenticating with U2F in Firefox

You’ll be signed out of your Google Account everywhere after you’ve enabled Advanced Protection. Assuming you’ve enabled U2F support in Firefox, as described above, you’ll be prompted to connect your security key once you try to login to your Google Account in Firefox.

Firefox for Android

Unfortunately, you can’t use U2F with Firefox for Android as of the . However work is slowly progressing in this area; at least from the look of things in the Firefox bug tracker. You won’t be able to login to Google services on Firefox for Android after you’ve enabled Advanced Protection.

You’ll again have to rely on using Google Chrome and the Google Authenticator app to access your Google Account. The Authenticator app is only used to facilitate communication between the Chrome browser and a Bluetooth or NFC security key.

Notably, this might be a bonus security and privacy enhancing feature. Keeping your high-value Google Account in Chrome and everything else in Firefox will make it harder for Google to associate your online activities with your Google Account. It will also make it much harder for a website to impersonate Google, as you’ll know that you can’t login to Google in Firefox.