Universal 2nd Factor (U2F): History, Evolution, Advantages

U2F (Universal 2nd Factor) is an authentication standard that uses one key for multiple services. It simplifies and elevates the security provided by 2FA (two-factor authentication).


Adding Another Layer of Security

How can you protect your company when passwords just aren't enough? What secondary challenge can you offer that's almost (but not quite) immune to hacking?

Enter Universal 2nd Factor (U2F).

The U2F protocol allows you to send a cryptographic challenge to a device (typically a key fob) owned by the user. A password starts the process, but the digital key is required to gain access.

The FIDO U2F protocol was developed in 2014, and since then, the standards have been honed, refined, and updated. More users are growing accustomed to the idea of cryptographic keys. Some even demand this protection to keep their data safe and secure.

The History of U2F

Most consumers know at least something about two-factor authentication. As bloggers explain, each time you use a bank card together with a PIN, you've used two sets of data to get into something you need. Universal 2nd Factor works in a similar manner, and it's something advocates have long pushed for.

In 2012, rumours of a Google project that used key fobs to replace standard password entries began appearing on industry blogs. Experts weren't sure how the tools would work, but excitement was building. Blogs with titles such as "The Plot to Kill the Password" kept interest alive.

In 2014, the standards were proposed in a partnership between:

  • Google
  • Yubico
  • NXP Semiconductors

The open-source standards eventually came under the heading of the FIDO Alliance, which continues maintenance and administration today.

How Does U2F Work?

Think of Universal 2nd Factor as a new security gateway people must pass through to get to protected resources. While those users still need passwords to kick off the process, they must also have a physical device with them to complete your authorisation steps.

In simple terms, a U2F process looks like this:

  • Password: The user heads to a website and enters a username and password recognised by that site.
  • Challenge: With the appropriate username and password recognised, the system sends a challenge to a key that the user has plugged into a USB port. The communication is encrypted during transport.
  • Response: The key lights up or otherwise acknowledges that the challenge has been received. The user presses a button to finalise the connection.

FIDO rules specify asymmetric cryptography. Sensitive data remains on the device at all times. Additionally, the USB key communicates with the host via the human interface device (HID) protocol, so users don't need to download a driver or software to make things work.

Users are cautioned to keep a spare security key available at all times. If a key is lost, it's very difficult for the user to regain access to protected resources. U2F prioritises security over user convenience, so people simply must be careful with their keys once they're authorised.

Most keys aren't Bluetooth enabled, so they don't require batteries or maintenance. Plug them into a USB port, and they will keep working until destroyed. They can't be cloned, as the private information on the key can't be extracted.
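
The challenge and response steps above, modelled from the relying party's side. This Go sketch is an added example, not code from the original page or from the FIDO Alliance: a simulated key signs the U2F authentication byte string and the server verifies it, and it goes slightly beyond the text by including the signature counter. The site names, client data and counter values are constructed, and the client data is held constant so that the app ID is the only thing that differs in the look-alike case.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// signedData is what a U2F key signs at login: SHA-256(appID) || presence byte (0x01) ||
// 4-byte big-endian counter || SHA-256(clientData).
func signedData(appID string, ctr uint32, clientData []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	buf := append(app[:], 0x01, byte(ctr>>24), byte(ctr>>16), byte(ctr>>8), byte(ctr))
	return append(buf, chal[:]...)
}

// deviceSign stands in for the hardware token; on a real key priv never leaves the device.
func deviceSign(priv *ecdsa.PrivateKey, appID string, ctr uint32, clientData []byte) []byte {
	h := sha256.Sum256(signedData(appID, ctr, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// verifyAssertion is the relying party's check, rebuilt from its own app ID and expected client data.
func verifyAssertion(pub *ecdsa.PublicKey, appID string, last, ctr uint32, clientData, sig []byte) bool {
	h := sha256.Sum256(signedData(appID, ctr, clientData))
	return ctr > last && ecdsa.VerifyASN1(pub, h[:], sig) // counter must advance
}

// demo runs three constructed logins: genuine, signed for a look-alike origin, and replayed.
func demo() (ok, phished, replayed bool) {
	const site, fake = "https://login.example", "https://login-example.test" // hypothetical origins
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key pair created at registration
	if err != nil {
		panic(err)
	}
	cd := []byte(`{"challenge":"Y29uc3RydWN0ZWQ","origin":"https://login.example"}`) // constructed
	sig := deviceSign(priv, site, 8, cd)
	ok = verifyAssertion(&priv.PublicKey, site, 7, 8, cd, sig)
	phished = verifyAssertion(&priv.PublicKey, site, 8, 9, cd, deviceSign(priv, fake, 9, cd))
	replayed = verifyAssertion(&priv.PublicKey, site, 8, 8, cd, sig)
	return
}

func main() { fmt.Println(demo()) }
```

Only the genuine login verifies: a response produced for the look-alike origin covers a different app ID hash, and the replayed response carries a counter the server has already seen.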

To end users, keys represent strong security with little hassle. For some people, it's a perfect combination.

U2F Implementation Options

The Universal 2nd Factor protocol is open, so any developer can use it. But a vendor's role is crucial.

Consumers typically buy keys from third parties, including YubiKey, Titan, and others, and companies must ensure that the keys purchased truly can communicate with their systems. Some companies instruct consumers to buy keys only from partners they've vetted and trusted. If you're in a sensitive market, such as banking, this might be a good option.

Customers claim that setting up a U2F key is intimidating, and it involves several steps, such as:

  • Signing in. Users start the process by heading to a website of choice and entering their usernames and passwords.
  • Token registration. Users indicate that they have a key to add.
  • Plugging in and registering. Users put the key into the computer, and they might be asked to use SMS verifications to get started.
  • Repeating. The registration must be done for every website you want to authenticate using the U2F token.

The coding requirements for website developers are minimal. Teams must develop registration processes, so users can add this mode of authentication to their logins. Developers often report that this takes very little time and technical expertise.

U2F: Frequently Asked Questions

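How is U2F different from a simple password?

The password authentication process relies on something the user knows, such as a string of numbers and letters. The Universal 2nd Factor process additionally requires authentication details based on something the user possesses, such as a key fob or chip. It also generates an encrypted token that cannot be spoofed or hijacked. It is therefore a more secure way to verify identity.

Where is U2F used?

Chrome, Firefox, Safari, Edge, and Opera support the Universal 2nd Factor protocol. Some Microsoft products support U2F authentication, as do Facebook and other social media sites.

Does U2F actually work?

Yes. In 2018, Google stated that since adopting U2F authentication, not a single employee account had been phished. Google has more than 85,000 employees, so that is a remarkable result.

Where can I find the technical specifications?

The FIDO Alliance makes all of its technical specifications freely available to everyone.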

Get Started With U2F

We've partnered with Yubico to bring U2F to all of our clients. We know simple passwords aren't enough, and we want to be part of the solution.



Beyond Passwords: 2FA, U2F, and Google Advanced Protection. (November 2018). Troy Hunt.

The Plot to Kill the Password. (April 2014). The Verge.

Google Accounts Now Support Security Keys. (October 2014). Krebs on Security.

10 Things You've Been Wondering About FIDO2, WebAuthn, and a Passwordless World. (August 2018). Yubico.

U2F: Next Generation 2-Factor Authentication. (April 2017). Tripwire.

U2F Specifications. The FIDO Alliance.

Fido U2F Security Key. Amazon.

What the Heck Is U2F? (June 2017). Hacker Noon.

Quick and Dirty Developer Guide to U2F. (December 2017). Medium.

Google: Security Keys Neutralised Employee Phishing. (July 2018). Krebs on Security.

Specifications Overview. The FIDO Alliance.