Google Chrome U2F API decommission: What the change means for your users and how to prepare

With advancement often comes change. Some changes are exciting, like providing new features and broader support, while other changes can be a minimal bump in the road or, in extreme cases, cause adverse effects on end users. With Yubico’s commitment to keeping our customers updated on the latest in changes to security protocols, we wanted to be sure you are aware that Chrome has deprecated the Universal 2nd Factor (U2F) API, and will be removing it entirely with the Chrome v. 98 update in February 2022. 

If your organization is currently utilizing U2F in your product or web-based service, with some planning and simple code updates, you’ll continue to be able to provide user continuity and get your services switched to the WebAuthn API in Chrome, all while maintaining compatibility with existing YubiKeys. If you’re impacted by this change, and want to learn more, read below for details on how to mitigate this issue. Additionally, please register for our February 22nd webinar where we will dive deep into this topic in an interactive WebAuthn session.

What does this mean, and how will it affect my users?

The important point to note is that U2F means two things in Chrome: it is an authentication protocol as well as an API. The forthcoming update deprecates only the U2F API; authentication with the U2F protocol will continue to be supported through the WebAuthn API.

The original way of implementing U2F with Chrome was through the U2F API. Since that time, the WebAuthn protocol has been adopted. These two protocols might not look related, but U2F is the precursor to WebAuthn. The WebAuthn spec was designed with backward compatibility in mind so that U2F will work with WebAuthn.

The U2F API deprecation means that services will need to migrate to the WebAuthn API to continue supporting phishing-resistant, multi-factor authentication (MFA) with the YubiKey on their services. Furthermore, adopting the WebAuthn API will increase the number of places that a user can utilize their YubiKey, as it is supported by other major browsers such as Safari and Edge.

In November 2021, with Chrome version 95, users of services that implemented the Chrome U2F API began seeing a warning that the service relies on the U2F API, which Chrome is deprecating.


This could be a little alarming for your user community, as the warning is shown during the authentication process and instructs them to contact the service provider to make the changes.

When is the update happening?

The U2F API will be fully deprecated and removed with Chrome v. 98, which is scheduled for release this month (February 2022). At that time, the U2F API will stop working; however, there are options for time extensions, which we have listed below.

If unaddressed, this change will cause different errors for the end user depending on how the service handles errors, and the end user will be prevented from authenticating to the service using their U2F devices.

For more details, Google has outlined the Chrome versions and timeline here.  

How do I migrate?

As mentioned previously, the WebAuthn API is backward compatible with U2F credentials. To migrate, there are a few steps that service owners need to take to ensure their users can continue to use existing U2F credentials.

The key change on the client side is to replace the call to the U2F API register method with a call to the WebAuthn API navigator.credentials.create() method. Likewise, the U2F API sign method will need to be updated to call the WebAuthn API navigator.credentials.get() method.

Changes to the backend service or relying party (RP) may be needed as well, depending on how U2F was implemented.
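
The sign-side change described above, as an added example (not code from Yubico or from the original post): it turns a legacy U2F sign request into options for navigator.credentials.get(), using the WebAuthn appid extension so that credentials registered through the U2F API still match. The request field layout, the function names and the example.com values are assumptions.

```javascript
// Added example: map a legacy U2F sign request onto WebAuthn get() options.
// Assumption: the server still sends the U2F-era fields appId, challenge and
// registeredKeys[].keyHandle, with binary values in websafe base64.

// Decode websafe (URL-safe, unpadded) base64 into a Uint8Array.
function fromWebsafeBase64(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const bin = atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

function u2fSignToWebAuthn(u2fRequest, rpId) {
  return {
    challenge: fromWebsafeBase64(u2fRequest.challenge),
    rpId, // WebAuthn scopes new credentials to this domain
    allowCredentials: u2fRequest.registeredKeys.map((k) => ({
      type: "public-key",
      id: fromWebsafeBase64(k.keyHandle), // U2F key handle = credential ID
    })),
    // U2F authenticators cannot perform user verification.
    userVerification: "discouraged",
    // Lets the browser retry with the old AppID when the credential was
    // created through the U2F API and is therefore bound to that AppID.
    extensions: { appid: u2fRequest.appId },
    timeout: 60000,
  };
}

// Browser-only wrapper that replaces the old U2F sign call.
async function signWithWebAuthn(u2fRequest, rpId) {
  const assertion = await navigator.credentials.get({
    publicKey: u2fSignToWebAuthn(u2fRequest, rpId),
  });
  // appid === true: the authenticator signed over the AppID, so the server
  // must expect rpIdHash = SHA-256(appId) instead of SHA-256(rpId).
  const usedAppId = assertion.getClientExtensionResults().appid === true;
  return { assertion, usedAppId };
}

// Constructed sample request (not real credential data).
const sampleU2fRequest = {
  appId: "https://example.com/app-id.json",
  challenge: "AQIDBA", // bytes 01 02 03 04
  registeredKeys: [{ version: "U2F_V2", keyHandle: "_-7d" }], // bytes ff ee dd
};
```

The appid extension applies only to authentication; new registrations made with navigator.credentials.create() are bound to the RP ID and do not need it.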

Please review the Yubico documentation regarding moving from U2F to WebAuthn for more details. This documentation is written for the Yubico open source WebAuthn server, so please keep in mind that your implementation may be different. 

What if I need more time?

If you need more time to migrate, there are a few ways of getting an extension for your service to continue using the U2F API until July 2022 through Google. Options are to enroll in the deprecation trial or be an enterprise that has turned on U2fSecurityKeyApiEnabled.


To learn more about the Google Chrome U2F decommission and what’s coming up next in the world of WebAuthn, be sure to sign up for our upcoming webinar here.
