Universal 2nd Factor (U2F): History, Evolution, Advantages | Okta (2024)

Adding Another Layer of Security

How can you protect your company when passwords just aren't enough? What secondary challenge can you offer that's almost (but not quite) immune to hacking?

Enter Universal 2nd Factor (U2F).

The U2F protocol allows you to send a cryptographic challenge to a device (typically a key fob) owned by the user. A password starts the process, but the digital key is required to gain access.

The FIDO U2F protocol was developed in 2014, and since then, the standards have been honed, refined, and updated. More users are growing accustomed to the idea of cryptographic keys. Some even demand this protection to keep their data safe and secure.

The History of U2F

Most consumers know at least something about two-factor authentication. As bloggers explain, each time you must use a bank card and a PIN, you've used two sets of data to get into something you need. Universal 2^nd Factor works in a similar manner, and it's something advocates have long pushed for.

In 2012, rumors of a Google project that used key fobs to replace standard keyword entries began appearing on industry blogs. Experts weren't sure how the tools would work, but excitement was building. Blogs with titles such as "The Plot to Kill the Password" kept interest alive.

In 2014, the standards were proposed in a partnership between:

• Google
• Yubico
• NXP Semiconductors

The open-source standards eventually came under the heading of the FIDO Alliance, which continues maintenance and administration today.

How Does U2F Work?

Think of Universal 2^nd Factor as a new security gateway people must pass through to get to protected resources. While those users still need passwords to kick off the process, they must also have a physical device with them to complete your authorization steps.

In simple terms, a U2F process looks like this:

• Password: The user heads to a website and enters a username and password recognized by that site.
• Challenge: With the appropriate username and password recognized, the system sends a challenge to a key that the user has plugged into a USB port. The communication is encrypted during transport.
• Response: The key lights up or otherwise acknowledges that the challenge has been received. The user presses a button to finalize the connection.

FIDO rules specify asymmetric cryptography. Sensitive data remains on the device at all times. Additionally, the USB works with the host via a human interface device (HID) protocol, so users don't need to download a driver or software to make things work.

Users are cautioned to keep a spare security key available at all times. If it's lost, it's very difficult for users to gain access to protected resources. Security is crucial in the U2F environment, rather than user convenience, so people simply must be careful with the keys once they're authorized.

Most keys aren't Bluetooth enabled, so they don't require batteries or maintenance. Plug them in properly, within a USB port, and they will keep working until destroyed. They can't be cloned, as the private information on the key can't be extracted.

To end users, keys represent strong security with little hassle. For some people, it's a perfect combination.

U2F Implementation Options

The Universal 2^nd Factor protocol is open, so any developer can use it. But a vendor's role is crucial.

Consumers typically buy keys from third parties, including YubiKey, Titan, and others, and companies must ensure that the keys purchased truly can communicate with their systems. Some companies instruct consumers to buy keys only from partners they've vetted and trusted. If you're in a sensitive market, such as banking, this might be a good option.

Customers claim that setting up a U2F key is intimidating, and it involves several steps, such as:

• Signing in. Users start the process by heading to a website of choice and adding their usernames and passwords.
• Token registration. Users highlight the fact that they've bought a key.
• Plugging in and registering. Users put the key into the computer, and they might be asked to use SMS verifications to get started.
• Repeating. The registration must be done for every website you want to authenticate using the U2F token.

The coding requirements for website developers are minimal. Teams must develop registration processes, so users can add this mode of authentication to their logins. Developers often report that this takes very little time and technical expertise.