Google Chrome U2F API decommission: What the change means for your users and how to prepare

With advancement often comes change. Some changes are exciting, like providing new features and broader support, while other changes can be a minimal bump in the road or, in extreme cases, cause adverse effects on end users. With Yubico’s commitment to keeping our customers updated on the latest in changes to security protocols, we wanted to be sure you are aware that Chrome has deprecated the Universal 2nd Factor (U2F) API, and will be removing it entirely with the Chrome v. 98 update in February 2022. 

If your organization is currently utilizing U2F in your product or web-based service, with some planning and simple code updates, you’ll continue to be able to provide user continuity and get your services switched to the WebAuthn API in Chrome, all while maintaining compatibility with existing YubiKeys. If you’re impacted by this change, and want to learn more, read below for details on how  to mitigate this issue. Additionally, please register for our February 22nd webinar where we will dive deep into this topic in an interactive WebAuthn session.

What does this mean, and how will it affect my users?

The important aspect to note is that U2F means two things in Chrome: it is an authentication protocol as well as an API. The forthcoming update means only the U2F API is being deprecated and that  authentication with the U2F protocol will continue to be supported with the WebAuthn API

The original way of implementing U2F with Chrome was through the U2F API. Since that time, the WebAuthn protocol has been adopted. These two protocols might not look related, but U2F is the precursor to WebAuthn. The WebAuthn spec was designed with backward compatibility in mind so that U2F will work with WebAuthn.

The U2F API depreciation means that services will need to migrate to the WebAuthn API to continue supporting phishing-resistant, multi-factor authentication (MFA) with the YubiKey on their services. Furthermore,  adopting the WebAuthn API will increase the number of places that a user can utilize their YubiKey as it is supported by other major browsers such as Safari and Edge.

In November 2021, with Chrome version 95, users on services that implemented the Chrome U2F API began seeing a warning that the service they are using is using the U2F API that is being deprecated by Chrome.


This could be a little alarming for your user community as it will be shown during the authentication process and instruct them to contact the service provider to make the changes.

When is the update happening?

The U2F API will be fully deprecated and removed with Chrome v. 98, which is scheduled for release this month (February 2022). At that time, the U2F API will stop working, however there are options for time extensions which we have listed below

If unaddressed, this change will cause different errors for the end user depending on how errors are being handled by the service and the end user will be prevented from authenticating to the service using their U2F devices. 

For more details, Google has outlined the Chrome versions and timeline here.  

How do I migrate?

As mentioned previously, the WebAuthn API is backward compatible with U2F credentials. To migrate, there are a few steps that service owners need to take to ensure their users can continue to use existing U2F credentials.

The key changes on client side are to change the U2F API register method to call the WebAuthn API navigator.credentials.create() method. The U2F API sign method will need to be updated to call the WebAuthn API navigator.credentials.get() method.

Changes to the backend service or replying party (RP) may be needed as well depending upon how U2F was implemented.

Please review the Yubico documentation regarding moving from U2F to WebAuthn for more details. This documentation is written for the Yubico open source WebAuthn server, so please keep in mind that your implementation may be different. 

What if I need more time?

If you need more time to migrate, there are a few ways of getting an extension for your service to continue using the U2F API until July 2022 through Google. Options are to enroll in the deprecation trial or be an enterprise that has turned on U2fSecurityKeyApiEnabled.

– 

To learn more about Google Chrome U2F decommission and what’s coming up next in the world of WebAuthn, be sure to sign-up for our upcoming webinar here

Talk to our teamTalk to our team

Share this article:


  • Platform independent digital identity for all Many are understandably concerned that the great invention called the Internet, initially created by researchers for sharing information, has become a major threat to democracy, security and trust. The majority of these challenges are caused by stolen, misused or fake identities. To mitigate these risks, some claim that we have to choose between security, usability […]Read moreDigital IdentityEUDIFounderStina Ehrensvard
  • Q&A with Yubico’s CEO: Our move to the main Nasdaq market in StockholmAs 2024 draws to a close, it’s the perfect time to reflect on the incredible journey we’ve had this year and how it has shaped where we stand today as a company. To mark this moment, I sat down with our CEO, Mattias Danielsson, to look back on the milestones and achievements of 2024—culminating in […]Read moreCEOMattias Danielsson
  • Exploring DORA: A look at the next major EU mandateFinancial institutions have historically managed operational risk using capital allocation, but under EU Regulation 2022/2554 – also known as the Digital Operational Resilience Act (DORA) – the financial sector and associated entities in the European Economic Area (EEA) must also soon follow new rules. These new rules focus on the protection, detection, containment, and the […]Read moreDORAEU
  • Securing critical infrastructure from modern cyber threats with phishing-resistant authenticationAcross the globe, 2024 has seen a whirlwind of change. With ongoing wars, recent political change-ups and more, growth in data breaches targeting critical infrastructure continue to be on the rise. Critical infrastructure is integral to our everyday life – from the energy and natural resources powering our hospitals and providing clean drinking water, telco […]Read moreCISAcritical infrastructurezero trust