https://www.yubico.com/blog/google-chrome-u2f-api-decommission-what-the-change-means-for-your-users-and-how-to-prepare/ * Contact sales * Support * Resellers * English + Francais + Deutsch + Ri Ben Yu + Espanol + Svenska Skip to content Yubico * [Search] [ ] + o * Why Yubico + o # Why Yubico o o + o # For enterprises # For SMBs # For individuals # For developers o o # Yubico app on mobileNot all authentication is created equal # One YubiKey 5C NFCOne key for many applications # Outside of Google buildingProven at scale at Google + o + o * Products + o # Products + o # Hardware # YubiKey 5 Series # YubiKey 5 FIPS Series # YubiKey Bio Series # Security Key Series # YubiHSM o # YubiEnterprise Services # YubiEnterprise Subscription # YubiEnterprise Delivery # YubiCloud # Software # Yubico Authenticator # Computer login tools # Software Development Toolkits o # Need some help? # Find the right YubiKey # Works with YubiKey # How to setup your YubiKey o # YubiKey in packagingSecure remote workers with YubiEnterprise Delivery + o + o + o + o + o * Solutions + o # Solutions + o # Use Cases # Zero Trust framework # Modernize your multi-factor authentication # Go passwordless # Enhance your Identity Access Management solution # Protect hybrid and remote workers # For compliance # Protect your Microsoft ecosystem # Protect your Salesforce workspace # See more o # Industries # High tech # Federal government # State and local government # Financial services # Healthcare # Retail and hospitality # Manufacturing # Energy and natural resources # See more o # Hand by YubiKey on keyringStrong authentication for remote workers # Plugging in a YubiKeyYubiKey + Microsoft. Defense against account takeovers. + o + o + o + o + o * Resources + o # Resources + o # Learn # Cybersecurity glossary # Authentication standards # Resource library # Developer program # Product briefs # Solution briefs # COVID-19 resources o # Best practices # Get a pilot started # White papers # Webinars # Success stories # Case studies # Yubico Blog o # Under a bridgeWhite paper: Bridge to Passwordless best practices # Under a bridgeWhite paper: Accelerate Your Zero Trust Strategy with Strong Authentication + o + o + o * Company + o # Company + o # Who we are # About us # The team # Talk to us # Contact sales # Events # Press # Yubico Executive Connect o # What we do # Innovation history # Blog # Join us # Careers # Partner programs # Affiliate program o # Finger Pressing YubiKey ButtonSecure it Forward: One YubiKey donated for every 20 sold # Group of Yubico EmployeesAt Yubico, people come first. Join our global mission * Support + o # Support + o # Get started # Find the right YubiKey # Set up your YubiKey # Downloads # Support articles o # Services # Support Services # Professional Services o # Additional resources # Works with YubiKey # Buying and shipping information # Security advisories # Help center # Technical documentation + o + o + o * * Contact sales * Resellers * * Language + English o Francais o Deutsch o Ri Ben Yu o Espanol o Svenska [search] [ ] [close] Yubico Yubico Store View Your Shopping Cart Google Chrome U2F API decommission: What the change means for your users and how to prepare [f9da380023] Karen Larson February 2, 2022 4 minute read [Google-Chrome-U2F_Blogcrown] With advancement often comes change. Some changes are exciting, like providing new features and broader support, while other changes can be a minimal bump in the road or, in extreme cases, cause adverse effects on end users. With Yubico's commitment to keeping our customers updated on the latest in changes to security protocols, we wanted to be sure you are aware that Chrome has deprecated the Universal 2nd Factor (U2F) API, and will be removing it entirely with the Chrome v. 98 update in February 2022. If your organization is currently utilizing U2F in your product or web-based service, with some planning and simple code updates, you'll continue to be able to provide user continuity and get your services switched to the WebAuthn API in Chrome, all while maintaining compatibility with existing YubiKeys. If you're impacted by this change, and want to learn more, read below for details on how to mitigate this issue. Additionally, please register for our February 22nd webinar where we will dive deep into this topic in an interactive WebAuthn session. What does this mean, and how will it affect my users? The important aspect to note is that U2F means two things in Chrome: it is an authentication protocol as well as an API. The forthcoming update means only the U2F API is being deprecated and that authentication with the U2F protocol will continue to be supported with the WebAuthn API. The original way of implementing U2F with Chrome was through the U2F API. Since that time, the WebAuthn protocol has been adopted. These two protocols might not look related, but U2F is the precursor to WebAuthn. The WebAuthn spec was designed with backward compatibility in mind so that U2F will work with WebAuthn. The U2F API depreciation means that services will need to migrate to the WebAuthn API to continue supporting phishing-resistant, multi-factor authentication (MFA) with the YubiKey on their services. Furthermore, adopting the WebAuthn API will increase the number of places that a user can utilize their YubiKey as it is supported by other major browsers such as Safari and Edge. In November 2021, with Chrome version 95, users on services that implemented the Chrome U2F API began seeing a warning that the service they are using is using the U2F API that is being deprecated by Chrome. This could be a little alarming for your user community as it will be shown during the authentication process and instruct them to contact the service provider to make the changes. [Google-Chrome-U2F-Blog-Image] When is the update happening? The U2F API will be fully deprecated and removed with Chrome v. 98, which is scheduled for release this month (February 2022). At that time, the U2F API will stop working, however there are options for time extensions which we have listed below If unaddressed, this change will cause different errors for the end user depending on how errors are being handled by the service and the end user will be prevented from authenticating to the service using their U2F devices. For more details, Google has outlined the Chrome versions and timeline here. How do I migrate? As mentioned previously, the WebAuthn API is backward compatible with U2F credentials. To migrate, there are a few steps that service owners need to take to ensure their users can continue to use existing U2F credentials. The key changes on client side are to change the U2F API register method to call the WebAuthn API navigator.credentials.create() method. The U2F API sign method will need to be updated to call the WebAuthn API navigator.credentials.get() method. Changes to the backend service or replying party (RP) may be needed as well depending upon how U2F was implemented. Please review the Yubico documentation regarding moving from U2F to WebAuthn for more details. This documentation is written for the Yubico open source WebAuthn server, so please keep in mind that your implementation may be different. What if I need more time? If you need more time to migrate, there are a few ways of getting an extension for your service to continue using the U2F API until July 2022 through Google. Options are to enroll in the deprecation trial or be an enterprise that has turned on U2fSecurityKeyApiEnabled. - To learn more about Google Chrome U2F decommission and what's coming up next in the world of WebAuthn, be sure to sign-up for our upcoming webinar here. GoogleGoogle ChromeMFAU2FWebAuthn Share this article: --------------------------------------------------------------------- Recommended content Thumbnail authenticationFIDOFIDO U2FMFAYubiEnterpriseYubiKey Salesforce is requiring MFA: Why this matters and what you can do As sophisticated cyberattacks continue their relentless pursuit towards SMBs and enterprises, companies must prioritize improvements to their cybersecurity infrastructure to better secure their customers, employees, and partners. Username and passwords no longer provide adequate security against the ever evolving landscape of cyberattacks. Late last year, Salesforce took a strong and decisive stance, announcing that beginning ... Read More [caret] Thumbnail authenticationgovernmentMFAphishingprivacyzero trust Yubico's top information security recommendations for 2022 Last week, we shared a look back at 2021, which experienced an increase in the number of high profile security breaches, many involving devastating ransomware attacks. Attackers preyed on traditionally softer targets like hospitals, schools, and local governments, in addition to the continued focus on the supply chain. Although the root cause for many of ... Read More [caret] Thumbnail MFAmultifactor authenticationpasswordlessphishingYubiKey 2021: Both challenging and promising for cyber security 2021 was a challenging, yet promising year for cyber security. This past year, we saw critical infrastructure, which we may have taken for granted in the past, breached and disrupted. My father, who lives in Sweden, could not buy food in his local grocery store, and coworkers and friends on the east coast in the US ... Read More [caret] Thumbnail authenticationdata breachMFAmultifactor authentication MFA implementation and the users you need to reach: overachievers, traditionalists and cautious employees When a breach investigation team assembles after an incident at a company or organization, misinformed users often get added to the 'suspects list' because accidents happen that sometimes lead to holes in security. Though everyone in a company means well, just like accidentally dropping a glass or losing your car keys, the reality is that ... Read More [caret] Yubico --------------------------------------------------------------------- * Find + Product finder quiz * Set up + Find set-up guides * Buy + Buy online * Sign up + Get Yubico updates --------------------------------------------------------------------- * Why Yubico * Products + YubiKey 5 Series + YubiKey 5 FIPS Series + YubiKey Bio Series + Security Key Series + YubiHSM + YubiEnterprise Services + Yubico Authenticator * Solutions to secure your organization + Remote workers + Passwordless + Microsoft ecosystems + Privileged access management + Zero Trust framework + Mobile restricted environments + See all * Resources + Resource library + Cybersecurity glossary + Authentication standards + Developer program + COVID-19 resources * Company + About us + Careers + Affiliate program + Partner with Yubico + Press room + Yubico Patents * Support + Help + Downloads + Support Services + Professional Services + Contact support --------------------------------------------------------------------- Language * English + Francais + Deutsch + Ri Ben Yu + Espanol + Svenska * Yubico (c) 2022. All Rights Reserved. * Sitemap * Cookies * Legal * Privacy * Terms of use * Trust We use cookies to ensure that you get the best experience on our site and to present relevant content and advertising. By browsing this site without restricting the use of cookies, you consent to our and third party use of cookies as set out in our Cookie Notice. PreferencesAccept all Yubico Privacy and Cookies Policy Close Privacy Overview Yubico.com uses cookies to improve your experience while navigating through the website. When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. Blocking some types of cookies may impact your experience on our site and the services we are able to offer. Strictly necessary cookies [*] Strictly necessary cookies Always Enabled These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information. Functional cookies [ ] functional These cookies enable the website to provide enhanced functionality and personalization. They may set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly. Performance cookies [ ] performance These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance. Targeting cookies [ ] advertisement These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising. Uncategorized [ ] uncategorized Undefined cookies are those that are being analyzed and have not been classified into a category as yet. Save & Accept