Universal 2nd Factor (U2F): History, Evolution, Advantages

U2F (Universal 2nd Factor) is an authentication standard that uses one key for multiple services. It simplifies and elevates the security provided by 2FA (two-factor authentication).

Adding Another Layer of Security

How can you protect your company when passwords just aren't enough? What secondary challenge can you offer that's almost (but not quite) immune to hacking?

Enter Universal 2nd Factor (U2F).

The U2F protocol allows you to send a cryptographic challenge to a device (typically a key fob) owned by the user. A password starts the process, but the digital key is required to gain access.

The FIDO U2F protocol was developed in 2014, and since then, the standards have been honed, refined, and updated. More users are growing accustomed to the idea of cryptographic keys. Some even demand this protection to keep their data safe and secure.

The History of U2F

Most consumers know at least something about two-factor authentication. As bloggers explain, each time you must use a bank card and a PIN, you've used two sets of data to get into something you need. Universal 2nd Factor works in a similar manner, and it's something advocates have long pushed for.

In 2012, rumors of a Google project that used key fobs to replace standard password entry began appearing on industry blogs. Experts weren't sure how the tools would work, but excitement was building. Blogs with titles such as "The Plot to Kill the Password" kept interest alive.

In 2014, the standards were proposed in a partnership between:

  • Google 
  • Yubico
  • NXP Semiconductors

The open-source standards eventually came under the heading of the FIDO Alliance, which continues maintenance and administration today.

How Does U2F Work?

Think of Universal 2nd Factor as a new security gateway people must pass through to get to protected resources. While those users still need passwords to kick off the process, they must also have a physical device with them to complete your authorization steps.

In simple terms, a U2F process looks like this:

  • Password: The user heads to a website and enters a username and password recognized by that site.
  • Challenge: With the appropriate username and password recognized, the system sends a challenge to a key that the user has plugged into a USB port. The communication is encrypted during transport.
  • Response: The key lights up or otherwise acknowledges that the challenge has been received. The user presses a button to finalize the connection.

FIDO rules specify asymmetric cryptography: the private key never leaves the device, and only a public key and a signed response are shared with the site. Additionally, the key talks to the host over the standard USB human interface device (HID) protocol, so users don't need to download a driver or software to make things work.

Users are cautioned to keep a spare security key available at all times. If the only registered key is lost, it's very difficult for users to regain access to protected resources. U2F puts security ahead of user convenience, so people simply must be careful with their keys once they're authorized.

Most keys aren't Bluetooth enabled, so they don't require batteries or maintenance. Plugged into a USB port, they keep working until they're physically destroyed. They can't be cloned, because the private key material can't be extracted from the device.

To end users, keys represent strong security with little hassle. For some people, it's a perfect combination.

U2F Implementation Options

The Universal 2nd Factor protocol is open, so any developer can use it. But a vendor's role is crucial.

Consumers typically buy keys from third parties, including YubiKey, Titan, and others, and companies must ensure that the keys purchased truly can communicate with their systems. Some companies instruct consumers to buy keys only from partners they've vetted and trusted. If you're in a sensitive market, such as banking, this might be a good option.

Customers claim that setting up a U2F key is intimidating, and it involves several steps, such as:

  • Signing in. Users start the process by heading to a website of choice and entering their usernames and passwords.
  • Token registration. Users indicate in their account settings that they have a key they want to register.
  • Plugging in and registering. Users put the key into the computer, and they might be asked to complete an SMS verification to get started.
  • Repeating. The registration must be done for every website you want to authenticate using the U2F token.

The coding requirements for website developers are minimal. Teams must develop registration processes, so users can add this mode of authentication to their logins. Developers often report that this takes very little time and technical expertise.

Frequently Asked Questions

  1. How is U2F different from simple passwords? A password verification process relies on something a person knows, like a string of numbers and letters. A Universal 2nd Factor process adds on a verification detail based on what someone has, like a key fob or a chip. It creates an encrypted token that cannot be spoofed or hijacked. It's a more robust way of confirming identity.
  2. Where is U2F used? Chrome, Firefox, Safari, Edge, and Opera support Universal 2nd Factor protocols. Some Microsoft products also allow for U2F verification, and Facebook and a few other social media sites do too.
  3. Does this really work? Yes. In 2018, Google said no employee accounts were successful phishing victims after the company enabled U2F verifications. Google has more than 85,000 employees, so this is no small feat.
  4. Where can I read the specifications? The FIDO Alliance makes all the technical specifications available to everyone without charge.

Get Started With U2F

We've partnered with Yubico to bring U2F to all of our clients. We know simple passwords aren't enough, and we want to be part of the solution.

Click to discover how Okta’s universal 2nd factor solutions can better protect your users.

References

Beyond Passwords: 2FA, U2F, and Google Advanced Protection. (November 2018). Troy Hunt.

The Plot to Kill the Password. (April 2014). The Verge.

Google Accounts Now Support Security Keys. (October 2014). Krebs on Security.

10 Things You've Been Wondering About FIDO2, WebAuthn, and a Passwordless World. (August 2018). Yubico.

U2F: Next Generation 2-Factor Authentication. (April 2017). Tripwire.

U2F Specifications. The FIDO Alliance.

Fido U2F Security Key. Amazon.

What the Heck Is U2F? (June 2017). Hacker Noon.

Quick and Dirty Developer Guide to U2F. (December 2017). Medium.

Google: Security Keys Neutralized Employee Phishing. (July 2018). Krebs on Security.

Specifications Overview. The FIDO Alliance.