Why U2F is important: How it works and why you need it. | Tuta (2024)

As security experts we recommend that you protect your accounts with U2F two-factor authentication. You use a key to lock your front door or your car. Similarly, you must use a key to lock your online accounts, as these are just as valuable and need just as much protection. Securing your digital accounts with a U2F hardware key is the most secure option to protect your login credentials! In this post we explain why U2F is important and how it works.

FIDO U2F explained

tl;dr: U2F is important as it is the most secure option to protect your accounts. Activate it wherever possible.

In fact, U2F is so important that every email service should support it.

The reason is simple: Your email account is the gate to your online identity. Services like Amazon, Twitter, PayPal and others are linked to your email account, and passwords to these services can be easily reset if a malicious attacker has gained access to your mailbox.

That’s what FIDO U2F protects you from. If activated on your email account, for instance at Tutanota, it will be close to impossible for malicious attackers to take over your mailbox.

What is FIDO U2F (Universal 2nd Factor)? - Definition

U2F is an open authentication standard that uses one key for multiple services. It simplifies and elevates the security provided by 2FA (two-factor authentication), as no drivers or client software are needed.

Universal second factor authentication refers to a separate device that holds a secret, extra key required to log into your digital account(s). Instead of entering a certain code (OTP), you just need to plug in a device as the second factor.

U2F vs 2FA

U2F is not the same as 2FA: 2FA is two-factor authentication that includes all methods for the second factor (SMS, TOTP, U2F and more). U2F is just one option on how to set up two-factor authentication - though the most secure one!

What are the advantages of U2F?

  1. Fast Authentication: Decrease time to authenticate
  2. Strong Security: No account takeovers when deployed fully
  3. Multiple Choices: Access to nearly 1,000 apps and services

What are the disadvantages?

There is one significant disadvantage of U2F solutions in comparison to TOTP (which uses a shared secret): For U2F there is no shared secret that could be backed up as a recovery code.

If a hardware key is lost, it will become impossible to log in to the services and apps that were originally secured with this hardware key. Thus, most services offer a way to reset the login credentials to regain access.

For instance, Tutanota offers a recovery code that must be entered along with the correct password to reset (in this case: remove) a lost U2F hardware key. Additionally, it is possible in Tutanota to register multiple hardware keys. If one gets lost, users can still log in with one of the other registered U2F keys.

Why is U2F important?

U2F security

U2F – second-factor authentication with a hardware security key – is the most secure way to protect your online accounts from malicious attacks.

It is also more secure than second-factor authentication via OTP or TOTP, which is why we at Tutanota highly recommend activating a hardware key to protect your encrypted mailbox.

How does U2F protect against phishing?

U2F hardens your login credentials, which makes sure no one can take over your accounts - not even after a successful phishing attack.

Phishing emails are becoming more and more sophisticated, which increases the risk of falling for such attacks. The sender of the phishing email usually tries to make you click a link where you are supposed to enter your password. Should this happen, the attacker can then easily steal your password and take over your account.

However, if a second factor like U2F has been activated on your account, the password will be useless to the attacker and your account will be safe.

On top of that, a U2F-enabled user login is bound to the origin; this means that only the real site can authenticate with the key (second factor). The authentication will fail on any fake phishing site even if the user was fooled into thinking it was real.

Why should you activate a second factor?

  1. U2F increases the protection of your accounts (such as email, drive, social media accounts).
  2. U2F is the most secure version of two-factor authentication.
  3. A U2F device creates a cryptographic key to unlock your account.
  4. Phishing attacks become close to impossible with U2F.

How does U2F work?

For the user, U2F is really simple. You can activate the same U2F hardware key on all your accounts, such as Tutanota, Amazon, or Twitter. When you log in, you enter your user name and password, and then you simply need to stick the USB-like hardware key into your device and tap it to finish the authentication process.

On the technical side, the process is much more complex. The FIDO Alliance explains the process like this:

“The U2F device and protocol need to guarantee user privacy and security. At the core of the protocol, the U2F device has a capability (ideally, embodied in a secure element) which mints an origin-specific public/private key pair. The U2F device gives the public key and a Key Handle to the origin online service or website during the user registration step.”

“Later, when the user performs an authentication, the origin online service or website sends the Key Handle back to the U2F device via the browser. The U2F device uses the Key Handle to identify the user’s private key, and creates a signature which is sent back to the origin to verify the presence of the U2F device. Thus, the Key Handle is simply an identifier of a particular key on the U2F device.”

“The key pair created by the U2F device during registration is origin specific. During registration, the browser sends the U2F device a hash of the origin (combination of protocol, hostname and port). The U2F device returns a public key and a Key Handle. Very importantly, the U2F device encodes the requesting origin into the Key Handle.”

“Later, when the user attempts to authenticate, the server sends the user’s Key Handle back to the browser. The browser sends this Key Handle and the hash of the origin which is requesting the authentication. The U2F device ensures that it had issued this Key Handle to that particular origin hash before performing any signing operation. If there is a mismatch no signature is returned. This origin check ensures that the public keys and Key Handles issued by a U2F device to a particular online service or website cannot be exercised by a different online service or website (i.e., a site with a different name on a valid SSL certificate). This is a critical privacy property — assuming the browser is working as it should, a site can verify identity strongly with a user’s U2F device only with a key which has been issued to that particular site by that particular U2F device. If this origin check was not present, a public key and Key Handle issued by a U2F device could be used as a ‘supercookie’ which allows multiple colluding sites to strongly verify and correlate a particular user’s identity.”

“The user is able to use the same device across multiple sites on the web — it thus serves as the user’s physical web keychain with multiple (virtual) keys to various sites provisioned from one physical device. Using the open U2F standard, any origin will be able to use any browser (or OS) which has U2F support to talk to any U2F compliant device presented by the user to enable strong authentication.”
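The origin check in the quoted passages (and the reason a phishing site fails in the "How does U2F protect against phishing?" section) modelled as an added example; this is not FIDO Alliance or Tuta code. It assumes a constructed origin https://mail.example.com, derives the per-origin key from a device secret and a nonce carried in the Key Handle, and uses HMAC-SHA256 as a stand-in for the ECDSA P-256 signature a real U2F device produces.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

HMAC_LEN = 32  # SHA-256 output; the key handle is nonce (32 bytes) || tag (32 bytes)

def origin_hash(url: str) -> bytes:
    """Hash of the origin (protocol, hostname, port) that the browser hands to the device."""
    parts = urlsplit(url)
    port = parts.port or {"https": 443, "http": 80}[parts.scheme]
    return hashlib.sha256(f"{parts.scheme}://{parts.hostname}:{port}".encode()).digest()

class U2FDevice:
    """Model of a U2F authenticator. One device secret derives a distinct key per
    origin; the Key Handle carries a nonce plus a MAC over the origin, which is how
    the device later recognises its own handle and the origin it was issued to.
    HMAC-SHA256 stands in for the ECDSA signature of a real device (assumption)."""

    def __init__(self) -> None:
        self._device_secret = secrets.token_bytes(32)  # never leaves the device

    def _private_key(self, origin: bytes, nonce: bytes) -> bytes:
        return hmac.new(self._device_secret, b"key" + origin + nonce, hashlib.sha256).digest()

    def _handle_tag(self, origin: bytes, nonce: bytes) -> bytes:
        return hmac.new(self._device_secret, b"handle" + origin + nonce, hashlib.sha256).digest()

    def register(self, origin: bytes):
        """Registration: mint an origin-specific key pair; return (key_handle, public_key)."""
        nonce = secrets.token_bytes(HMAC_LEN)
        key_handle = nonce + self._handle_tag(origin, nonce)  # origin encoded into the handle
        public_key = hashlib.sha256(b"pub" + self._private_key(origin, nonce)).digest()  # stand-in for the EC point
        return key_handle, public_key

    def authenticate(self, origin: bytes, key_handle: bytes, challenge: bytes):
        """Authentication: sign the challenge only if this handle was issued to this origin."""
        if len(key_handle) != 2 * HMAC_LEN:
            return None
        nonce, tag = key_handle[:HMAC_LEN], key_handle[HMAC_LEN:]
        if not hmac.compare_digest(tag, self._handle_tag(origin, nonce)):
            return None  # mismatch: phishing origin or another device's handle, no signature
        priv = self._private_key(origin, nonce)
        return hmac.new(priv, origin + challenge, hashlib.sha256).digest()
```

A look-alike origin such as https://mail.example.com.evil.test or a downgrade to http:// hashes differently, so the device returns no signature even though the user was fooled.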

History

Universal 2nd Factor (U2F) is an open standard that strengthens and simplifies two-factor authentication (2FA) using specialized Universal Serial Bus (USB) or near-field communication (NFC) devices. It is succeeded by the FIDO2 Project, which includes the W3C Web Authentication (WebAuthn) standard and the FIDO Alliance’s Client to Authenticator Protocol 2 (CTAP2).

While initially developed by Google and Yubico, with contribution from NXP Semiconductors, the standard is now hosted by the FIDO Alliance alone.

You will find a list of all services that support U2F keys here.

Goal: Strong Authentication and Privacy for the web

The U2F eco-system is designed to provide strong authentication for users on the web while preserving the user’s privacy.

The user carries a ‘U2F device’ as a second factor that logs them into their online accounts. This way, these accounts can be kept secure, including against phishing attacks.

U2F hardware keys are a great achievement as these make sure that people and their online accounts are kept secure on the web.

Comparison of different options for two-factor authentication (2FA)

Security device: U2F

  • Most secure option
  • Private key is stored locally on U2F device
  • Guarantees protection against man-in-the-middle attacks (MITM) and phishing
  • Requires a hardware device
  • No manual entry required

Authenticator app: TOTP

  • An app generates codes that are only valid for a short period of time (Google Authenticator, Authy, etc.)
  • Manual entry required upon every login
  • Requires no hardware device
  • Does not protect the mobile device login because app on mobile device generates second factor

Authenticator app: HOTP

  • An app generates codes that are valid forever (Google Authenticator, Authy, etc.)
  • Codes need to be stored securely
  • Manual entry required upon every login
  • Requires no hardware device
  • Does not protect the mobile device login because app on mobile device generates second factor

SMS code

  • Code is sent via SMS
  • Manual entry required upon every login
  • Least secure as SMS can be easily intercepted
  • Requires no hardware device
  • Does not protect the mobile device login because SMS on mobile device contains second factor