What is Universal Second Factor (U2F) Authentication and How to Use It to Secure Your Accounts

U2F Universal Second Factor

You might have grown tired of listening to security experts continuously talk about two-factor authentication (2FA), and about how we should all turn it on. You might be wondering why they keep banging on about this all the time.

The answer is simple: humans are not very good with passwords. Even if you have decided to let a password management solution take care of your login credentials, you can be sure that someone working for a service provider you're using hasn't. That someone might have left your username and password exposed in a database, and all the bad guys need to do is find the said database and log in.

The goal of two-factor authentication is to solve this problem. A temporary code (known as Time-based One-time Password or TOTP) is generated by an app or sent via SMS which ensures that your login credentials alone won't be enough to let the crook in. And the only thing you need to do is (in most cases) take a peek at your phone and enter a few symbols. It's secure, but perhaps more importantly, it's not too complicated. But is it perfect?

The problem with traditional two-factor authentication

The online landscape is a dynamic place. For example, we knew for years that SMSes can be intercepted, but just a few days ago, we learned that there are other ways of compromising the information in them. Voxox, an American company that, among other things, processes automated text messages sent by companies, dumped millions of such messages and left them in an Internet-facing database that wasn't protected with a password.

It's unknown how long the database was exposed for, but the security experts that looked into it said that anyone who knew where to look would have been able to see the stream of SMSes in "near real-time". Some of the texts contained 2FA TOTPs for various online services.

Even if they don't have the TOTPs waiting for them in an unprotected database, the crooks have other means of getting their hands on them, with phishing being the most obvious option.

In other words, 2FA, especially in its most common variation, is not perfect. Do we have a solution?

U2F: the viable alternative

Universal Second Factor, better known as U2F, is an authentication standard that was first developed by Google and a company called Yubico. Right now, it's backed by a wider consortium of service providers called Fast Identity Online (or FIDO), and its goal is to make two-factor authentication not only more secure, but more convenient as well.

This time, there is no TOTP that you receive via SMS or see in a mobile app. U2F relies on a hardware device that you connect to your computer through the USB port and/or pair with your smartphone either through Bluetooth or NFC. Most of these devices are often referred to as keys, and they look like tiny USB thumb drives that you can attach to your keyring. Depending on the manufacturer, you might be required to press or tap a button on the device to activate it, but other than that, you are not required to do anything else to make it work.

Using a U2F device to complete the second factor in a two-factor authentication system is the definition of simplicity. The way it actually works, however, is a different story as the process is quite complicated.

The communication between the U2F device and the service provider's server is encrypted with public-key (or asymmetric) cryptographic algorithm which means that it relies on not one but two keys – a public and a private one. By design, the private key never leaves the U2F device meaning that hackers will be hard-pressed to replicate it.

U2F is effective at stopping virtually all known attacks on two-factor authentication. Phishing, session hijacking, and SMS interception attempts are rendered useless, and one of the best things about this standard is the fact that even if someone manages to find a lost U2F device, unless they know which accounts it's used for (as well as the passwords for those accounts), they can't do anything with it.

U2F really is one of the few authentication protocols that improve the user's security posture while also making the overall experience easier and more enjoyable. In fact, it's so good, that in early 2017, none other than Google told all its 85,000 employees that they must use U2F devices to protect their work accounts. Earlier this year, the search engine colossus announced that it had had no confirmed account takeovers of employees since introducing the hardware keys.

Surely, if it's good enough for Google, it should be good enough for you. Let's consider some of the downsides, though.

U2F is good, but it's not perfect

We doubt that very many of you can honestly put a hand on their heart and say that they've never lost a USB thumb drive in their lives. As we mentioned already, a U2F device is roughly the same size, and while losing it might not lead to the compromise of your accounts, it will make logging in more difficult.

Like all hardware devices, a U2F key can also be damaged or stolen which means that you'll have to replace it with another one. And that means having to fork out some extra cash just to be able to use your online accounts.

Yes, unfortunately, U2F devices aren't free. Most of them start at around $10 a pop, so they're not exactly expensive, but for some users, even that's too much. This has stifled adoption to some extent, but other factors are at play as well.

The standard has been around for more than a decade now, but it's still not as widely supported as you would expect. In 2014, Google Chrome became the first browser to support U2F, and although its competitors are catching up, they don't seem to be in too much of a hurry. If you use Firefox, for example, you need to enable U2F support from deep within the settings, and as for Safari, it doesn't work with the hardware keys at all. It's not just browsers, either. Although every single developer can take the standard and implement it without paying a penny, the number of online services that offer U2F as a two-factor authentication option is still limited.

All in all, as good as it is, U2F is still not an essential part of our online lives. Whether this will change and how quickly it will change is for time to tell.

November 21, 2018

Leave a Reply