• This repository has been archived on 15/Dec/2020
  • Language
    Swift
  • License
    MIT License
  • Created almost 8 years ago
  • Updated over 1 year ago

Repository Details

Software U2F authenticator for macOS

SoftU2F is no longer supported

The SoftU2F project is deprecated and no longer supported. SoftU2F was created to support Touch ID for U2F when browsers did not support it, but the functionality is now available on macOS using Touch ID in:

  • Safari (macOS 11.0 Big Sur)
  • Google Chrome

SoftU2F has several compatibility issues that will not be fixed, so we recommend switching to one of these alternatives.

Thanks to everyone who used SoftU2F over the years, and special thanks to Ben Toews for writing and maintaining the original implementation!

Soft U2F is a software U2F authenticator for macOS. It emulates a hardware U2F HID device and performs cryptographic operations using the macOS Keychain. This tool works with Google Chrome/Chromium, Safari, Firefox and Opera's built-in U2F implementations.

We take the security of this project seriously. Report any security vulnerabilities to the GitHub Bug Bounty Program.

Installing

You can download the installer here.

Usage

The app runs in the background. When a site loaded in a U2F-compatible browser attempts to register or authenticate with the software token, you'll see a notification asking you to accept or reject the request. You can experiment on Yubico's U2F demo site.

Registration

[Image: register]

Authentication

[Image: authenticate]

Uninstalling

Unload the launchd agent

$ launchctl unload ~/Library/LaunchAgents/com.github.SoftU2F.plist

Delete the launch agent plist

$ rm ~/Library/LaunchAgents/com.github.SoftU2F.plist

Delete the .app

$ sudo rm -rf /Applications/SoftU2F.app/

Unload the kernel extension. This may fail if a browser is still talking to the driver; deleting the .kext and restarting the system will fix this.

$ sudo kextunload /Library/Extensions/softu2f.kext

Delete the kernel extension

$ sudo rm -rf /Library/Extensions/softu2f.kext

Tell macOS to forget about the installation

$ sudo pkgutil --forget com.GitHub.SoftU2F

Done

Security considerations

A USB authenticator stores key material in hardware, whereas Soft U2F stores its keys in the macOS Keychain. There is an argument to be made that it is more secure to store keys in hardware since malware running on your computer can access the contents of your Keychain but cannot export the contents of a hardware authenticator. On the other hand, malware can also access your browser's cookies and has full access to all authenticated website sessions, regardless of where U2F keys are stored.

In the case of malware installed on your computer, one meaningful difference between hardware and software key storage for U2F is the duration of the compromise. With hardware key storage, you are only compromised while the malware is running on your computer. With software key storage, you could continue to be compromised, even after the malware has been removed.

Some people may decide the attack scenario above is worth the usability tradeoff of hardware key storage. But, for many, the security of software-based U2F is sufficient and helps to mitigate many common attacks such as password dumps, brute-force attacks, and phishing-related exploits.

Hacking

Building

You must have Xcode Command Line Tools installed to build this project.

# Install Command Line Tools
xcode-select --install

# Build softu2f.kext and SoftU2F.app.
script/build

Running

There are two parts to Soft U2F: the driver and the app. To use a modified version of the driver, you must disable System Integrity Protection. The app can be modified and run via Xcode normally.

Known app-IDs/facets

Every website using U2F has an app-ID. For example, the app-ID of Yubico's U2F demo page is https://demo.yubico.com. When the low-level U2F authenticator receives a request to register/authenticate a website, it doesn't receive the friendly app-ID string. Instead, it receives a SHA256 digest of the app-ID. To be able to show a helpful alert message when a website is trying to register/authenticate, a list of app-ID digests is maintained in this repository. You can find the list here. If your company's app-ID is missing from this list, open a pull request to add it.
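The lookup described above, as an added Python sketch that is not code from the SoftU2F repository: it pulls the 32-byte application parameter out of U2F raw request data (layout per the FIDO U2F raw message format) and maps it back to a friendly app-ID. The table entries, function names and sample requests are constructed for illustration; a digest missing from the table cannot be reversed, so the prompt falls back to hex.

```python
import hashlib

# Constructed sample table; the project's real list lives in its repository.
KNOWN_APP_IDS = ["https://demo.yubico.com", "https://example.com"]


def app_id_digest(app_id: str) -> bytes:
    """SHA-256 of the app-ID string: the 32-byte application parameter."""
    return hashlib.sha256(app_id.encode("utf-8")).digest()


def build_facet_table(app_ids):
    """Map digest -> friendly app-ID, the direction the authenticator needs."""
    return {app_id_digest(a): a for a in app_ids}


def application_parameter(request_data: bytes) -> bytes:
    """Extract the application parameter from U2F raw request data.

    Register:     challenge(32) || application(32)
    Authenticate: challenge(32) || application(32) || kh_len(1) || key_handle
    """
    if len(request_data) < 64:
        raise ValueError("request data shorter than 64 bytes")
    if len(request_data) > 64:
        kh_len = request_data[64]
        if len(request_data) != 65 + kh_len:
            raise ValueError("key handle length does not match data")
    return request_data[32:64]


def describe_request(request_data: bytes, table) -> str:
    """Text for the approval prompt; unknown digests fall back to hex."""
    param = application_parameter(request_data)
    name = table.get(param)
    return name if name is not None else "unknown site (" + param.hex() + ")"


def sample_register_request(app_id: str) -> bytes:
    """Constructed register request data: zeroed challenge, then the digest."""
    return bytes(32) + app_id_digest(app_id)
```
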

License

This project is MIT licensed, except for the files in /inc, which are included with their own licenses.
