Should You Choose U2F or Adaptive MFA?

Providing your users with the freedom to log in to your organization’s systems from anywhere is almost a mandatory requirement in today’s modern workplace. Remote access is a business enabler — it drives efficiency by improving collaboration and productivity in your organization — but unfortunately providing this necessary access can also expose your systems and increases the risk of compromise. Universal 2nd Factor authentication (U2F) can provide you with an additional layer of security, but is it an effective and practical solution to this problem?

Traditional authentication is under attack

For many organizations, the only thing protecting them from a full system compromise are usernames and passwords. Authentication systems are constantly being probed for weaknesses by a variety of threat actors, ranging from the lone curious hacker to a nation state. Phishing campaigns, credential stuffing, and a host of other sophisticated password cracking techniques target your users’ credentials looking to leverage weak passwords and weak password management. 

MFA is the best defence

Multi-factor authentication (MFA) is the best defense against automated password attacks and phishing campaigns. It adds an additional layer of access security during the authentication process. This reduces your organization’s risk of a system breach by requiring users to submit an authentication factor, such as a one-time password (OTP) or physical device over and above their required password.

There are a range of MFA solutions that can help secure your authentication systems. These range from low assurance solutions such as a simple security question to U2F keys, which rank much higher on the assurance scale. 

What is Universal 2nd Factor (U2F)?

Universal 2nd Factor (U2F) is an open authentication standard that was initially developed by Google and Yubico. The standard, which is now hosted by the FIDO Alliance, is used in U2F security keys — physical security devices you plug into a USB port after submitting your username and password. They provide an effective second authentication factor as without the physical device being plugged in, authentication fails and access is denied.

U2F devices rank high on the authentication assurance scale. The use of an asymmetric encryption algorithm ensures this authentication token can never be compromised — the private key never leaves the device. 

While there’s no question that U2F keys offer an effective layer of protection against password attacks, they do have their drawbacks. The main challenge is the requirement of  carrying around another piece of hardware. They can fail, or be misplaced or stolen, which impacts system usability, and in some instances, compromises security. In addition, U2F keys need USB ports. This USB prerequisite renders U2F an untenable solution for mobile devices as most, if not all, have no USB ports.

Adding context to the authentication flow

Adaptive multi-factor authentication (AMFA) improves the security of your systems by taking the context of an authentication request into account. Leveraging multiple factors at the time an access request is made, it provides an additional layer of protection that dynamically adapts security and authentication policies based on user and device context.

Okta’s Adaptive MFA receives contextual information such as the device, location, IP address, and client type at the time of an authentication request. Taking this input into account, it compares this data to predefined policies set in your Okta Policy Framework and either grants access, denies access, or prompts the user to submit an additional form of identity verification. 

U2F/Universal 2nd Factor or AMFA?

U2F and AMFA are both effective solutions that mitigate the risks posed by password-based authentication solutions. However, if we look at the practicality of implementing each solution, AMFA is the better option as it is not hardware reliant. 

U2F requires you to purchase a physical device for every user in your organization, configure these, and then distribute them. Not only is this a costly exercise, it takes time and effort and constant management post-implementation phase. AMFA on the other hand is a cloud-based solution, which enables greater operational flexibility. It is also easier to implement, simpler to manage, and is ultimately more cost effective.

Try Okta Free

For 30 days, try our Multi-factor Authentication solution to defend against automated password attacks and phishing campaigns.