U2F & Adaptive MFA: Are They the Same? | OneLogin (2024)

Universal Second Factor, or U2F, is an authentication standard that simplifies multi-factor authentication (MFA) by using physical devices as part of the user authentication workflow. After a user enters their login credentials, they simply press or tap a small device inserted in their computer’s USB port, which acts as their second factor. It’s convenient -- no driver installation required, just a supported browser. It’s also secure. U2F prevents attacks like keylogging, phishing, and man-in-the-middle.

Where Did U2F Come From?

U2F was created and released by the FIDO Alliance, in an attempt to provide a safe and easy way for internet users to log in. Google was a cofounder of the U2F group inside FIDO and now supports adding U2F as a second factor. FIDO2, a new set of specifications built on top of U2F, was also recently released by the FIDO Alliance.

Who Supports U2F?

Many prominent websites and applications support U2F, including, but not limited to: Facebook, Bitbucket, GitHub, Gmail, and YouTube.

When it comes to browsers, the following currently provide U2F support:

  • Google Chrome, version 38 and above
  • Mozilla Firefox, version 57 and above
  • Opera, version 40 and above
  • Safari, on OS version 13.5.1 and above

On iOS devices, U2F can be used via Safari, whereas on Android devices, U2F support is offered by both Google Chrome and the default Android browser.

How Do You Use U2F?

The portable U2F hardware can take the form of a USB, Bluetooth LE, or near-field communication (NFC) device. These devices can be used to securely log in to any website on the internet that supports the U2F protocol. Here’s how a typical two-factor authentication with U2F works:

  1. The user visits a website (www.example.com), also known as the origin, that supports U2F. They open an account on the website and register their U2F device with it.
  2. The device creates a pair of keys: a public key and a private key. It securely stores the private key itself and asks the website to associate the public key with the user account. This unique key pair can only be used to log in at www.example.com.
  3. After the user enters their login credentials at www.example.com, the website generates a unique challenge, using the user’s public key. The challenge can only be solved using the private key stored within the U2F device.
  4. Upon receiving the challenge, the U2F device signs it, using the private key for www.example.com, and sends it back to the website.
  5. The website verifies the unique signature, and allows the user to log in.

Remember, this five-step process may appear complicated, but it all happens behind-the-scenes. As far as the end-user is concerned, they just have to insert the U2F device and press a button (or tap).

The same U2F device can be used to register at different sites on the internet. Think of a U2F device as your personal, virtual keychain. This allows you to seamlessly and securely log in to your favorite websites.

Can U2F Be Hacked?

No authentication mechanism is categorically impervious to hacking. With that said, thus far, no breaches or vulnerabilities have been reported in the U2F protocol.

By design, it protects against phishing attacks. Even if a user is tricked into thinking that a fake website is real, the authentication will fail because of the public-private key mismatch.

U2F is also very good at detecting man-in-the-middle (MITM) attacks. Let’s suppose someone tries to intermediate the communication between a website and a user during the authentication process. As soon as the man-in-the-middle interferes, the U2F device will stop responding because it will notice that the origin of the challenge is different from the registered one.
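The five-step flow above, together with the phishing and man-in-the-middle behaviour just described, as an added Node.js example (not OneLogin or FIDO code). It is a simplified model: `SimulatedAuthenticator`, `RelyingParty` and `demo` are hypothetical names, the origins are constructed, the challenge is modelled as random bytes that the site checks with the stored public key, and a real U2F device signs a binary message with key handles and a counter rather than this JSON.

```javascript
// Added example: simplified model of U2F registration and login (not a real API).
const crypto = require('node:crypto');

class SimulatedAuthenticator {              // hypothetical stand-in for the U2F device
  constructor() { this.keys = new Map(); }  // origin -> private key, never exported
  register(origin) {                        // step 2: one key pair per origin
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.keys.set(origin, privateKey);
    return publicKey;
  }
  sign(origin, challenge) {                 // step 4: origin is supplied by the browser
    const privateKey = this.keys.get(origin);
    if (!privateKey) return null;           // no key for this origin: device stays silent
    const clientData = JSON.stringify({ origin, challenge });
    return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), privateKey) };
  }
}

class RelyingParty {                        // hypothetical stand-in for www.example.com
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Map(); }
  enroll(user, publicKey) { this.users.set(user, publicKey); }
  newChallenge(user) {                      // step 3: fresh random challenge per login
    const challenge = crypto.randomBytes(32).toString('hex');
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, assertion) {                 // step 5
    const expected = this.pending.get(user);
    this.pending.delete(user);              // single use: a captured response cannot be replayed
    const publicKey = this.users.get(user);
    if (!assertion || !expected || !publicKey) return false;
    const { origin, challenge } = JSON.parse(assertion.clientData);
    if (origin !== this.origin || challenge !== expected) return false;
    return crypto.verify('sha256', Buffer.from(assertion.clientData), publicKey, assertion.signature);
  }
}

function demo() {
  const device = new SimulatedAuthenticator();
  const site = new RelyingParty('https://www.example.com');
  site.enroll('allan', device.register(site.origin));
  const legit = site.verify('allan', device.sign(site.origin, site.newChallenge('allan')));
  const lookalike = 'https://www.examp1e.test';      // constructed look-alike origin
  const relayed = site.newChallenge('allan');        // challenge forwarded by the fake site
  const noKey = device.sign(lookalike, relayed);     // device has no key for that origin
  device.register(lookalike);                        // even if the user had enrolled there too
  const forwarded = site.verify('allan', device.sign(lookalike, relayed));
  return { legit, noKey, forwarded };
}
```

`demo()` returns `legit: true` for the genuine login, `noKey: null` when the look-alike origin asks for a signature, and `forwarded: false` when a response signed for the look-alike origin is passed to the real site.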

What is Adaptive Multi-Factor Authentication (AMFA)?

Not all authentication requests are created equal. Adaptive multi-factor authentication uses the context of a login attempt to determine in real time which authentication rules and policies to apply. AMFA uses factors such as consecutive login failures, level of requested access, IP address, location, device IDs, and time to tailor a user’s login experience.

Only use MFA when a user is determined to be high-risk: for instance, after multiple incorrect login attempts, when the request originates from a device that is not officially registered, or when a login request targets a server with sensitive data after office hours. By using adaptive multi-factor authentication, companies can:

  • create a much-needed balance between user experience and strong security
  • make it easy for trusted, low-risk people to log in
  • make it incredibly hard for potential intruders

How is AMFA Different From MFA?

MFA protects against password-related breaches by adding another layer of security. However, making end-users enroll in multi-factor authentication can sometimes be hard. And it makes sense. Waiting for and then entering a one-time password (OTP) can be a nuisance for people, especially if they have to do it multiple times a day. Users just want to browse their social media feed, read an article, or stream a TV show; they don’t see a point in adding a second authentication factor for these seemingly trivial activities. Sure, you can make MFA compulsory, but that will (often) come at the cost of customer unhappiness.

Creating a fine balance between security and user experience is hard, but oh-so-important. This is where adaptive MFA can come in handy. With adaptive MFA, if the primary factor authentication for a user doesn’t look suspicious or high-risk, they often don’t have to provide a secondary factor. This enhancement of the traditional MFA approach makes life much more convenient for regular users. For example:

Scenario 1: Consider a scenario where a customer, say Allan, logs in to a web portal. He is on the same laptop that he has been using ever since he registered on the website. His IP puts him in the same city as always. He got the password right in the first attempt. These, along with other factors, are used to determine that it’s indeed Allan who is trying to log in, and thus, the system doesn’t ask him to provide a second factor.

Scenario 2: Now, imagine a hacker, say Adam, gets Allan’s login credentials. When Adam tries to log in, the system realizes that the login request has come from a new device and from a different geographical location. It classifies this request as high-risk and prompts Adam to provide a second factor. Since Adam can’t comply, the access is declined.
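The two scenarios above as a risk-scoring policy, in an added example that is not OneLogin's implementation. The signal names, weights, threshold, office hours and sample data are all assumptions constructed for illustration; a third constructed case covers the after-hours sensitive-server condition mentioned earlier.

```javascript
// Added example: adaptive MFA policy sketch. Signal names, weights and the
// threshold are assumptions for illustration, not values from any product.
const WEIGHTS = { newDevice: 40, newLocation: 30, perFailure: 10, sensitiveAfterHours: 30 };
const STEP_UP_THRESHOLD = 40;

function riskScore(profile, attempt) {
  let score = 0;
  const reasons = [];
  const add = (points, why) => { score += points; reasons.push(why); };
  if (!profile.knownDevices.includes(attempt.deviceId)) add(WEIGHTS.newDevice, 'unregistered device');
  if (!profile.usualCities.includes(attempt.city)) add(WEIGHTS.newLocation, 'unusual location');
  const failures = Math.min(attempt.consecutiveFailures, 3);   // cap so one signal cannot dominate
  if (failures > 0) add(failures * WEIGHTS.perFailure, `${failures} failed attempt(s)`);
  const afterHours = attempt.hour < 8 || attempt.hour >= 18;   // assumed office hours 08:00-18:00
  if (attempt.sensitiveResource && afterHours) add(WEIGHTS.sensitiveAfterHours, 'sensitive resource after hours');
  return { score, reasons };
}

// secondFactor is a callback (for example a U2F touch) invoked only when risk is high.
function decide(profile, attempt, secondFactor) {
  const { score, reasons } = riskScore(profile, attempt);
  if (score < STEP_UP_THRESHOLD) return { action: 'allow', score, reasons };
  return { action: secondFactor() ? 'allow-after-mfa' : 'deny', score, reasons };
}

// Constructed sample data modelled on the two scenarios above.
const allan = { knownDevices: ['laptop-1'], usualCities: ['Springfield'] };
const scenario1 = { deviceId: 'laptop-1', city: 'Springfield', consecutiveFailures: 0, hour: 10, sensitiveResource: false };
const scenario2 = { deviceId: 'unknown-7', city: 'Elsewhere', consecutiveFailures: 0, hour: 10, sensitiveResource: false };
const lateAdmin = { deviceId: 'laptop-1', city: 'Springfield', consecutiveFailures: 1, hour: 22, sensitiveResource: true };

function runScenarios() {
  return {
    allan: decide(allan, scenario1, () => { throw new Error('should not prompt'); }),
    adam: decide(allan, scenario2, () => false),      // Adam has no second factor
    lateAdmin: decide(allan, lateAdmin, () => true),  // Allan, after hours, touches his key
  };
}
```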

Combining U2F and Adaptive MFA – Best of Both Worlds

Adaptive MFA is a win-win for both end-user and service provider. The service provider is able to implement a rigorous-but-customer-friendly security policy and the end-user doesn’t have to provide secondary factors most of the time. But what if we combined U2F and adaptive MFA to form an even more customer-centric and impregnable authentication solution?

On the rare occasion that a customer has to provide a second factor, all they have to do is tap or press a button on their U2F device. This is much more convenient than opening another app to retrieve a passcode or waiting for an OTP message to arrive. For the service provider, this is far more secure as well, since the device communicates directly with the browser and it’s virtually impossible to replicate the key signature.

Conclusion

U2F reduces the risk of phishing, man-in-the-middle, and other dangerous cyberattacks while simplifying two-factor authentication. Adaptive MFA doesn’t ask regular users for secondary factors, but enforces them strictly at the first sign of suspicion. Using both together makes for a simple-yet-secure login.
