Tuesday, November 13, 2018

U2F: Universal 2nd Factor Authentication


What a Hardware Security Key is

A U2F key generates a one-time authentication code, encrypts it so that only the legitimate site being logged into can read it, and sends it. The user plugs the key into a USB port and, when a code is required, lightly presses the gold circle.

Why it is important

Hackers are aware that many high-risk targets use some form of two-factor authentication to secure their accounts. For targets worth individualized attention, hackers will try to defeat two-factor systems by tricking the target into handing over the code. The new U2F security key standard defeats this form of attack by producing a code that only the legitimate site can use. A hacker running a fake site will find the code sent to it useless for logging into the legitimate site, and because the user never sees the code, it cannot be read out to a “tech support” caller. In other words, the key removes the greatest weakness in any security system -- user error.
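The paragraph above describes the property that makes a relayed code useless: the key's signature covers the origin of the page that asked for it, and the legitimate site checks that origin against its own. The following is an added illustration, not code from the post or from any U2F vendor. It models one key with a single per-site P-256 key pair (real devices also return a key handle and an attestation certificate, which are omitted here), lays out the U2F authentication message as sha256(appID) || user-presence byte || counter || sha256(clientData), and shows the legitimate site's verification accepting an assertion made on its own origin while rejecting the same challenge signed on a look-alike origin. The origins and the challenge string are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// Key models one U2F security key: a per-site key pair minted at registration
// and the monotonic press counter real devices keep so a cloned key shows up.
type Key struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Assertion is what the browser hands back to the site after the key is pressed.
type Assertion struct {
	ClientData []byte // JSON with typ, challenge and the origin of the requesting page
	Counter    uint32
	Signature  []byte // ASN.1 DER ECDSA signature over signedBytes(...)
}

// clientData is the structure the browser builds; the key signs its SHA-256 hash.
type clientData struct {
	Typ       string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Register mints the per-site key pair. The site stores only the public key.
func Register() (*Key, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Key{priv: priv}, &priv.PublicKey, nil
}

// signedBytes lays out the U2F authentication message:
// sha256(appID) || userPresence(1 byte) || counter(4 bytes, big-endian) || sha256(clientData).
func signedBytes(appID string, counter uint32, cd []byte) []byte {
	app := sha256.Sum256([]byte(appID))
	cdh := sha256.Sum256(cd)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := make([]byte, 0, 32+1+4+32)
	msg = append(msg, app[:]...)
	msg = append(msg, 0x01) // user-presence bit: the gold circle was pressed
	msg = append(msg, ctr[:]...)
	return append(msg, cdh[:]...)
}

// BrowserSign is the browser's role: it records the origin of the page that asked
// for the assertion and uses that origin as the app ID, so a page on one origin
// cannot obtain a signature bound to a different site.
func BrowserSign(k *Key, pageOrigin, challenge string) (Assertion, error) {
	cd, err := json.Marshal(clientData{Typ: "navigator.id.getAssertion", Challenge: challenge, Origin: pageOrigin})
	if err != nil {
		return Assertion{}, err
	}
	k.counter++
	h := sha256.Sum256(signedBytes(pageOrigin, k.counter, cd))
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, h[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{ClientData: cd, Counter: k.counter, Signature: sig}, nil
}

// SiteVerify is the legitimate site's check: the origin inside the client data must
// be its own, the challenge must be the one it issued, and the signature must verify
// against the stored public key using the site's own app ID.
func SiteVerify(pub *ecdsa.PublicKey, siteOrigin, issuedChallenge string, a Assertion) bool {
	var cd clientData
	if err := json.Unmarshal(a.ClientData, &cd); err != nil {
		return false
	}
	if cd.Origin != siteOrigin || cd.Challenge != issuedChallenge {
		return false
	}
	h := sha256.Sum256(signedBytes(siteOrigin, a.Counter, a.ClientData))
	return ecdsa.VerifyASN1(pub, h[:], a.Signature)
}

func main() {
	key, pub, err := Register()
	if err != nil {
		panic(err)
	}
	const site = "https://accounts.example"       // constructed legitimate origin
	const phish = "https://accounts-example.test" // constructed look-alike origin
	challenge := "constructed-challenge-0001"     // real sites issue fresh random bytes

	good, _ := BrowserSign(key, site, challenge)
	fmt.Println("assertion from the real site accepted:", SiteVerify(pub, site, challenge, good))

	// The scenario from the article: a fake site relays the real site's challenge,
	// the user presses the key there, and the result is forwarded to the real site.
	relayed, _ := BrowserSign(key, phish, challenge)
	fmt.Println("assertion relayed via look-alike origin accepted:", SiteVerify(pub, site, challenge, relayed))
}
```

The relayed assertion fails on two independent checks: the origin recorded in the client data is not the site's, and even if that field were edited afterwards, the signature was computed over the original client data and the look-alike app ID, so the public key stored at registration does not verify it.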

U2F Setup

A security key can be the easiest form of two-factor authentication because the user may only have to tap the key once. There is no hunting for an SMS message, copying it, pasting it in, or opening an authenticator application. Even the newer smartphone prompt that asks the user whether he or she is logging in, and then has the user press “yes” or “no”, requires the user to pick up the phone and unlock it. While much easier than other methods, the main difficulty with a security key is that one needs to keep it at hand when logging in.

The first decision one has to make is whether to be security-key only or to allow other forms of two-factor authentication to be used too. Allowing other forms of two-factor authentication alongside security keys has the advantage of making it easier to authenticate on devices that either don’t have USB ports, such as phones, or whose USB ports are inaccessible. If one is often on the road and using multiple devices, having another form of two-factor authentication is probably a wise idea. If one is using a few devices at home and at work, then using a security key as the only allowed method is workable.

A security key can be used for as many accounts as desired. And, multiple keys may be associated with the same account.

If one is using a key-only account, having a second key is highly desirable in case the first is lost. These keys are quite rugged. They can survive washing machines, being stepped on, and other abuse. The real concern is forgetting to bring it or not being able to use it on a computer with inaccessible USB ports.

Once the decision of how the key will be used has been made, the setup process is approximately the same as for any other two-factor method. Turn on two-factor authentication within the application, such as Gmail or Facebook, if it’s not on already, then add a device, press the circular button on the key when asked, and press the circle on the key again at the next login.

Single Factor Protection

Passwords are considered so weak that some vendors are offering passwordless logins for users with U2F keys. Hackers using malware to capture the user’s password, or flooding the system with password guesses, will not be able to break in. As long as the owner keeps the key safe, the account should be safe from breaches of authentication. Windows 10 recently added support for key-only login, and it is likely that other services will follow suit. However, a good password protects your accounts if your key is ever stolen, and two-factor is more secure. Whether using a device as the only form of protection is enough is a personal decision. A middle ground is to use a security key that has a fingerprint reader built in. This is not a true two-factor solution, but it does mean that another person would not be able to use the key.

Costs

Security keys have to be purchased. Keys with Bluetooth and NFC can range from $40 to $60, but the simplest U2F keys can be found for $9.

Cautions

Losing a key is obviously a risk if the attacker can discover the user’s password. Lost keys can be deactivated.

Most two-factor systems allow the user to declare the device being used as a trusted device. Doing so means the user may not have to use a second factor on that device for 30 days. The key element is trust. A device such as a laptop should not be trusted, given that it could be stolen. One of the advantages of a security key is that it’s so easy to use that a user may not feel a need to trust any device. Pressing the key at every login is quite simple, and if there is any chance the computer could be stolen or that someone else could access it, then not trusting the computer carries no significant burden.
