[ANN] u2f - universal second factor

Hello,

it is our pleasure to announce the just-released opam package u2f, which is a server-side implementation of the FIDO standard for two-factor authentication using a special device (YubiKey etc.). The device does challenge-response authentication with the server using public key cryptography.

The implementation is stateless and does not use a specific IO library, but only achieves the logic for constructing a registration request, verifying a response thereof, and authorization requests with responses thereof. Please have a look at GitHub - roburio/u2f: U2F (FIDO Universal 2nd Factor) in OCaml if you’re interested. It is licensed under the permissive 2-clause BSD license.

We use this library in an example server (in the bin directory) that uses dream. The live server is online at https://u2f-demo.robur.coop – please let us know if you run into any trouble, or open an issue on the GitHub repository.

One question though: we’re unable to generate the documentation from the mli – already asked on Discord with no result. Could anyone with a better understanding of odoc etc. take a look at why `dune build @doc` outputs a nearly empty file? Thanks a lot :slight_smile:

The development was sponsored by skolem.tech.

18 Likes
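
The server-side checks behind the challenge-response authentication described in the announcement, written in Python as an added example (not part of the original post and not the u2f package's OCaml API). It follows the FIDO U2F raw message format; the function names, `APP_ID` and the sample response are constructed for illustration, the appId is assumed to equal the site origin, and the final ECDSA P-256 signature check is left to the caller's crypto library.

```python
import base64, hashlib, json, os, struct

APP_ID = "https://example.org"  # assumption: appId equals the site origin

def new_challenge() -> str:
    """Fresh random challenge, websafe base64 without padding."""
    return base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode()

def check_sign_response(client_data, signature_data, challenge, app_id, last_counter):
    """Return (signed_bytes, signature, counter) or raise ValueError.

    Stateless: the caller passes in the challenge it issued and the counter
    it stored, then verifies `signature` over `signed_bytes` with the P-256
    public key saved at registration (ECDSA verification is not done here).
    """
    cd = json.loads(client_data)
    if cd.get("typ") != "navigator.id.getAssertion":
        raise ValueError("wrong client data type")
    if cd.get("challenge") != challenge:
        raise ValueError("challenge mismatch (stale or replayed response)")
    if cd.get("origin") != app_id:
        raise ValueError("origin mismatch")
    if len(signature_data) < 6:
        raise ValueError("truncated response")
    # Raw response layout: user presence (1 byte) || counter (4 bytes, big-endian) || signature
    presence, counter = struct.unpack(">BI", signature_data[:5])
    if not presence & 0x01:
        raise ValueError("user presence bit not set")
    if counter <= last_counter:
        raise ValueError("counter did not increase (possible cloned token)")
    # Bytes the token signed: SHA-256(appId) || presence || counter || SHA-256(clientData)
    signed = (hashlib.sha256(app_id.encode()).digest() + signature_data[:5]
              + hashlib.sha256(client_data).digest())
    return signed, signature_data[5:], counter

def sample_response(challenge, counter=42):
    """Constructed sample, no real token involved: presence=1, dummy signature bytes."""
    cd = json.dumps({"typ": "navigator.id.getAssertion",
                     "challenge": challenge, "origin": APP_ID}).encode()
    return cd, struct.pack(">BI", 1, counter) + b"\x30\x00"

if __name__ == "__main__":
    ch = new_challenge()
    cd, sd = sample_response(ch)
    signed, sig, ctr = check_sign_response(cd, sd, ch, APP_ID, last_counter=41)
    print("counter", ctr, "signed bytes", len(signed))
```
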

Hi :slight_smile: Thanks for this neat library! I look forward to trying it out with my Yubikey.

Re. your documentation generation issue: I think the problem is that your library stanza is missing a public_name field. I made a quick PR to add one here: Add a `public_name` field to the `u2f` library stanza by CraigFe · Pull Request #3 · roburio/u2f · GitHub.

4 Likes

Thanks a lot, merged and released a 0.1.1 :slight_smile:

1 Like

I would add a link here: GitHub - herrjemand/awesome-webauthn: A curated list of awesome WebAuthn/FIDO2 resources

I briefly helped a committee at a former employer evaluate webauthn implementations.

Thanks for the pointer – though I’m not entirely sure, they list webauthn projects (which is CTAP/FIDO2 – a slightly more complex standard than U2F) – while we’re at the moment sticking to the basic U2F standard (FIDO 1.2). A device with U2F support can be used with webauthn, but as mentioned there’s some more complexity (and data) involved (also the specification is much bigger).