Using Hardware Token-based 2FA with the WebAuthn API

To provide higher security for logins, websites are deploying two-factor authentication (2FA), often using a smartphone application or text messages. Those mechanisms make phishing harder but fail to prevent it entirely. Firefox 60 will ship with the WebAuthn API enabled by default, providing two-factor authentication built on public-key cryptography immune to phishing as we know it today. The API is available today in Firefox Nightly, and it’s not too soon to start learning how to secure millions of users already in possession of FIDO U2F USB tokens.