Every year there are a handful of websites that get hacked. In some instances, the passwords weren’t protected properly to begin with. This results in millions of usernames, email addresses, and passwords being leaked to the public, which can be devastating if you’re the type that uses one password across all websites. There are additional layers of protection for some websites, such as two-factor authentication, but this can sometimes delay the login process causing many people to ignore it. However, there is U2F (universal two-factor authentication), which typically requires you to know your password and also have a hardware token plugged into the device you’re using.
Keith Myers was doing some digging and learned that Google is hiding a fully functional U2F token in the Pixelbook. This means the token is built into the Chromebook and it doesn’t require you to go out and purchase one of those YubiKey thumb drives. Mr. Myers says he’s only been able to confirm this on the Pixelbook, but other OEMs could have done the same for their product. He says he checked the ASUS Chromebook Flip, HP Chromebook X2, and Samsung Chromebook Plus, but it was only the Pixelbook that had this U2F token built-in.
As mentioned, this feature is currently hidden and requires some tinkering to get set up. Your Chrome OS version on the Pixelbook needs to be 68.0.3440.15 or higher, so you’ll need to switch over to the developer channel (stable Chrome OS is on version 67). Once you are ready, go ahead and bring up a Chrome Shell (with Ctrl + Alt + T) and type the following command:
u2f_flags g2f
Once that command has been executed it triggers the OS to activate the virtual U2F token and sets it to the power button of the Google Pixelbook. With that done, you can set up U2F authentication on various websites just like you would with the YubiKey. You’ll just need to press the Pixelbook power button when you want to log in somewhere. There are a limited number of websites that allow for U2F authentication, but GMail and DropBox are two popular services that you can try out right now.
Source: Keith Myers