More and more often we read about e-mail accounts being hacked or our precious passwords being available online. This can have drastic consequences, from sensitive data being taken to money being stolen. Fortunately, there is an easy way to increase the security of those accounts: we’d like to introduce you to Universal Second Factor (U2F) authentication, a form of two-factor authentication.
Defining U2F
Universal Second Factor authentication, or U2F in short, refers to a completely separate device that holds a secret, extra key vital to logging into your digital account. Rather than needing to type in a code, the user just plugs in a device. The technology was initially created by Google and Yubico and relies on USB devices, as well as near-field communication (NFC) chips of the kind typically embedded in smart cards.
The critical information used for logging in is kept secure on the device, so 2FA is bolstered by the user’s identity being stored on separate hardware, and the physical device is required to access U2F-enabled interfaces. The standard is now supported by many popular web browsers, such as Google Chrome.
Issues of current 2FA methods
Two-factor authentication (2FA) is an added layer of security for accounts where sensitive data or crypto assets are held. Along with the usual login ID and password, 2FA asks users to enter another piece of information that only the user could know. The most common forms of 2FA go through a mobile phone, either by receiving a code via SMS or e-mail or by using an application that generates a 2FA code, such as Google Authenticator or Authy.
SIM swapping is a common form of social engineering explicitly designed to circumvent SMS-based 2FA. Once this remote attack succeeds, any sensitive information in your account is within the attacker’s grasp. While an improvement over 2FA by SMS, the Google Authenticator app has shortcomings of its own: for example, slow rollouts of updates, a lack of passcode protection, and no database backup leave the app vulnerable to more sophisticated attacks.
How does U2F work?
Think of Universal 2nd Factor as a new security gateway that people must pass through to reach protected resources. Users still need a password to start the process, but they must also have a physical device with them to complete the authorization steps.
In simple terms, a U2F process looks like this:
- Password: The user heads to a website and enters a username and password recognized by that site.
- Challenge: With the appropriate username and password recognized, the system sends a challenge to a key that the user has plugged into a USB port. The communication is encrypted during transport.
- Response: The key lights up or otherwise acknowledges that the challenge has been received. The user presses a button to finalize the connection.
The standard specifies asymmetric cryptography, and the secret key remains on the device at all times. Additionally, the USB key talks to the host via the human interface device (HID) protocol, so users don’t need to download a driver or other software to make things work.
Users are cautioned to keep a spare security key available at all times: if a key is lost, regaining access to protected resources is very difficult. In the U2F environment security takes priority over user convenience, so people simply must be careful with their keys once they’re registered.
Most keys aren’t Bluetooth enabled, so they don’t require batteries or maintenance. Plugged properly into a USB port, they keep working until physically destroyed. They can’t be cloned, because the secret on the key can’t be extracted.
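As an added illustration (not code from the original article), the following Go program simulates the password/challenge/response flow above together with the cloning protection just mentioned: a site registers a public key for its app ID, the key signs sha256(appID) || user-presence byte || counter || sha256(clientData), and the site rejects a response made for a different origin or one whose counter has not increased, which is how a cloned or replayed key would be detected. The names Authenticator, Register, Sign and Verify and the sample origins are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)

// Authenticator models a U2F key: one key pair per registered site plus a signature counter.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // keyed by app ID (the site's origin)
	counter uint32                        // incremented on every signature, never decremented
}

// NewAuthenticator returns an empty key; Register is then called once per site.
func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }
// Register creates a fresh P-256 key pair for appID and returns only the public key to the site.
func (a *Authenticator) Register(appID string) *ecdsa.PublicKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a.keys[appID] = priv
	return &priv.PublicKey
}
// signedMessage is what the key signs: sha256(appID) || presence byte || counter || sha256(clientData).
func signedMessage(appID string, counter uint32, clientData []byte) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append(app[:], 0x01) // 0x01: the user touched the key (presence confirmed)
	msg = append(msg, ctr[:]...)
	return append(msg, cd[:]...)
}
// Sign answers a challenge for the origin the browser reports; an unregistered origin gets no key.
func (a *Authenticator) Sign(origin string, clientData []byte) ([]byte, uint32, bool) {
	priv, ok := a.keys[origin]
	if !ok { return nil, 0, false }
	a.counter++
	digest := sha256.Sum256(signedMessage(origin, a.counter, clientData))
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return sig, a.counter, true
}
// Verify is the relying party's check; a counter that did not increase signals a replay or a cloned key.
func Verify(pub *ecdsa.PublicKey, appID string, clientData, sig []byte, counter, lastCounter uint32) bool {
	if counter <= lastCounter { return false }
	digest := sha256.Sum256(signedMessage(appID, counter, clientData))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

A response signed for one origin does not verify under another app ID, which is the property that protects U2F logins against phishing sites.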
To end users, keys represent strong security with little hassle. For some people, it’s a perfect combination.
Implementing U2F
The Universal 2nd Factor protocol is open, so any developer can use it. But a vendor’s role is crucial.
Consumers typically buy keys from third parties, including YubiKey, Titan, and others, and companies must ensure that the keys purchased truly can communicate with their systems. Some companies instruct consumers to buy keys only from partners they’ve vetted and trusted. If you’re in a sensitive market, such as banking, this might be a good option.
Customers report that setting up a U2F key is intimidating, as it involves several steps:
- Signing in. Users start the process by heading to a website of choice and adding their usernames and passwords.
- Token registration. Users tell the site that they have bought a key and want to register it.
- Plugging in and registering. Users insert the key into the computer, and they might be asked to complete an SMS verification to get started.
- Repeating. Registration must be repeated for every website the user wants to authenticate to with the U2F token.
The coding requirements for website developers are minimal. Teams must build a registration process so that users can add this mode of authentication to their logins. Developers often report that this takes very little time and technical expertise.
Final Thoughts
The goal of the U2F ecosystem is to provide strong authentication for users on the web while preserving the user’s privacy.
The user carries a ‘U2F device’ as a second factor that logs them into their online accounts. Because the device’s response is tied to the genuine site, these accounts are also protected against phishing attacks.
U2F hardware keys are a great achievement, as they make sure that people and their online accounts are kept secure on the web.