Universal 2nd Factor (U2F): History, Evolution, Advantages

U2F (Universal 2nd Factor) is an authentication standard that uses one key for multiple services. It simplifies and elevates the security provided by 2FA (two-factor authentication).


Adding Another Layer of Security

How can you protect your company when passwords just aren't enough? What secondary challenge can you offer that's almost (but not quite) immune to hacking?

Enter Universal 2nd Factor (U2F).

The U2F protocol allows you to send a cryptographic challenge to a device (typically a key fob) owned by the user. A password starts the process, but the digital key is required to gain access.

The FIDO U2F protocol was developed in 2014, and since then, the standards have been honed, refined, and updated. More users are growing accustomed to the idea of cryptographic keys. Some even demand this protection to keep their data safe and secure.

The History of U2F

Most consumers know at least something about two-factor authentication. As bloggers explain, each time you use a bank card together with a PIN, you have presented two separate pieces of evidence to get at something you need. Universal 2nd Factor works in a similar manner, and it's something advocates have long pushed for.

In 2012, rumors of a Google project that used key fobs to replace standard password entries began appearing on industry blogs. Experts weren't sure how the tools would work, but excitement was building. Blogs with titles such as "The Plot to Kill the Password" kept interest alive.

In 2014, the standards were proposed in a partnership between:

  • Google
  • Yubico
  • NXP Semiconductors

The open-source standards eventually came under the heading of the FIDO Alliance, which continues maintenance and administration today.

How Does U2F Work?

Think of Universal 2nd Factor as a new security gateway people must pass through to get to protected resources. While those users still need passwords to kick off the process, they must also have a physical device with them to complete your authorisation steps.

In simple terms, a U2F process looks like this:

  • Password: The user heads to a website and enters a username and password recognised by that site.
  • Challenge: With the appropriate username and password recognised, the system sends a challenge to a key that the user has plugged into a USB port. The communication is encrypted during transport.
  • Response: The key lights up or otherwise acknowledges that the challenge has been received. The user presses a button to finalise the connection.
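The challenge/response exchange above, worked through in Go as an added example (not code from the article, from FIDO, or from any vendor's token firmware): the device keeps one private key per origin, signs the server's challenge together with the origin hash and a usage counter, and the server verifies with nothing but the stored public key. The origin names, challenge bytes and the per-origin key map are constructed for the demo; a real token derives its per-origin keys from a master secret and a key handle.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models the key fob: one device, one P-256 key pair per origin (appID).
// Real tokens derive these from a master secret and a key handle; the map is a simplification.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32 // rises on every signature so a server can notice a cloned device
}
func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }
// Register mints a key pair for appID; only the public key leaves the device.
func (a *Authenticator) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[appID] = priv
	return &priv.PublicKey, nil
}
// signedDigest hashes the U2F authentication message:
// SHA-256(appID) || user-presence byte (0x01) || 32-bit counter || SHA-256(challenge).
func signedDigest(appID string, ctr uint32, challenge []byte) []byte {
	appHash, chHash := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	msg := append(appHash[:], 0x01, byte(ctr>>24), byte(ctr>>16), byte(ctr>>8), byte(ctr))
	d := sha256.Sum256(append(msg, chHash[:]...))
	return d[:]
}
// Authenticate signs the server's challenge with the key bound to appID; a phishing
// origin has no registered key, so the device refuses instead of signing.
func (a *Authenticator) Authenticate(appID string, challenge []byte) (uint32, []byte, error) {
	priv, ok := a.keys[appID]
	if !ok {
		return 0, nil, errors.New("no key registered for this origin")
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(appID, a.counter, challenge))
	return a.counter, sig, err
}
// Verify is the server side: it holds only the public key plus the last counter it
// accepted, and rejects a bad signature, a replay, or a counter that went backwards.
func Verify(pub *ecdsa.PublicKey, appID string, lastCtr, ctr uint32, challenge, sig []byte) bool {
	return ctr > lastCtr && ecdsa.VerifyASN1(pub, signedDigest(appID, ctr, challenge), sig)
}
```

Because the origin is part of the signed message and the device only holds keys for origins it registered with, a look-alike site cannot obtain a usable response; the counter check is what lets the server catch a replayed or cloned response.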

FIDO rules specify asymmetric cryptography. Sensitive data remains on the device at all times. Additionally, the USB works with the host via a human interface device (HID) protocol, so users don't need to down