Breaking news
Read our blog to learn why privacy matters. And don't forget to get an encrypted mailbox yourself!

Why U2F is important: How it works and why you need it.

FIDO U2F is important to secure your authentication process. It protects your account from malicious take-over, including phishing.

2022-06-17
Why U2F is important: Protect all your online accounts.
As security experts we recommend that you protect your accounts with U2F two-factor authentication. You use a key to lock your front door or your car, and your online accounts are just as valuable and need just as much protection. Secure your digital accounts with a U2F hardware key as this is the most secure option to protect your accounts! In this post we explain why U2F is important and how it works.

FIDO U2F explained

tl;dr: U2F is important as it is the most secure option to protect your accounts. Activate it wherever possible.

In fact, U2F is so important that every email service should support it.

The reason is simple: Your email account is the gate to your online identity. Services like Amazon, Twitter, PayPal and others are linked to your email account, and passwords to these services can be easily reset if a malicious attacker has gained access to your mailbox.

That's what FIDO U2F protects you from. If activated on your email account, for instance at Tutanota, it will be close to impossible for malicious attackers to take over your mailbox.

What is FIDO U2F?

U2F (Universal 2nd Factor) is an authentication standard that uses one key for multiple services. It simplifies and elevates the security provided by 2FA (two-factor authentication) as no drivers or client software is needed.

Universal second factor authentication refers to a separate device that holds a secret, extra key required to log into your digital account(s). Instead of entering a certain code (OTP), you just need to plug a device as second factor.

What are the advantages of U2F?

  1. Fast Authentication: Decrease time to authenticate
  2. Strong Security: No account takeovers when deployed fully
  3. Multiple Choices: Access to nearly 1,000 apps and services

What are the disadvantages?

There is one significant disadvantage of U2F solutions in comparison to TOTP (which uses a shared secret): For U2F there is no option to back up recovery codes of shared secrets.

If a hardware key is lost, it will become impossible to login to the services and apps that were originally secured with this hardware key. Thus, most services offer a way to reset the login credentials to regain access.

For instance, Tutanota offers a recovery code that must be entered along with the correct password to reset (in this case: remove) a lost U2F hardware key. Additionally, it is possible in Tutanota to register multiple hardware keys. If one gets lost, users can still login with one of the other registered U2F keys.

Why is U2F important?

Tutanota supports two-factor authentication with FIDO U2F as this is the 
most secure option tp protect your login credentials.

How does U2F protect against phishing?

U2F – second-factor authentication with a hardware key – is the most secure way to protect your online accounts, particularly from phishing attacks. It is also more secure than second-factor authentication via OTP or TOTP, that’s why we at Tutanota highly recommend to activate a hardware key to protect your encrypted mailbox.

Phishing emails are becoming more and more sophisticated which increases the risk of falling for such attacks. The sender of the phishing email usually tries to make you click a link where you are supposed to enter your password. Should this happen, the attacker can then easily steal your password and take over your account. However, if a second factor has been activated on your account, the password will be useless to the attacker and your account will be safe.

On top of that, a U2F-enabled user login is bound to the origin; this means that only the real site can authenticate with the key (second factor). The authentication will fail on any fake phishing site even if the user was fooled into thinking it was real.

Why should you activate a second factor?

  1. U2F increases the protection of your accounts (such as email, drive, social media accounts).
  2. U2F is the most secure version of two-factor authentication.
  3. A U2F device creates a cryptographic key to unlock your account.
  4. Phishing attacks become close to impossible with U2F.

How does U2F work?

For the user, U2F is really simple. You can activate the same U2F hardware key on all your accounts, such as Tutanota, Amazon, or Twitter. When you login, you enter your user name and password, and then you simply need to stick the USB-like hardware key into your device and tap it to finish the authentication process.

On a technical side, the process is much more complex. The Fido Alliance explains the process like this:

“The U2F device and protocol need to guarantee user privacy and security. At the core of the protocol, the U2F device has a capability (ideally, embodied in a secure element) which mints an origin-specific public/private key pair. The U2F device gives the public key and a Key Handle to the origin online service or website during the user registration step.”

“Later, when the user performs an authentication, the origin online service or website sends the Key Handle back to the U2F device via the browser. The U2F device uses the Key Handle to identify the user's private key, and creates a signature which is sent back to the origin to verify the presence of the U2F device. Thus, the Key Handle is simply an identifier of a particular key on the U2F device.”

“The key pair created by the U2F device during registration is origin specific. During registration, the browser sends the U2F device a hash of the origin (combination of protocol, hostname and port). The U2F device returns a public key and a Key Handle. Very importantly, the U2F device encodes the requesting origin into the Key Handle.”

“Later, when the user attempts to authenticate, the server sends the user's Key Handle back to the browser. The browser sends this Key Handle and the hash of the origin which is requesting the authentication. The U2F device ensures that it had issued this Key Handle to that particular origin hash before performing any signing operation. If there is a mismatch no signature is returned. This origin check ensures that the public keys and Key Handles issued by a U2F device to a particular online service or website cannot be exercised by a different online service or website (i.e., a site with a different name on a valid SSL certificate). This is a critical privacy property -- assuming the browser is working as it should, a site can verify identity strongly with a user's U2F device only with a key which has been issued to that particular site by that particular U2F device. If this origin check was not present, a public key and Key Handle issued by a U2F device could be used as a 'supercookie' which allows multiple colluding sites to strongly verify and correlate a particular user's identity.”

”The user is able to use the same device across multiple sites on the web -- it thus serves as the user's physical web keychain with multiple (virtual) keys to various sites provisioned from one physical device. Using the open U2F standard, any origin will be able to use any browser (or OS) which has U2F support to talk to any U2F compliant device presented by the user to enable strong authentication.“


History

Universal 2nd Factor (U2F) is an open standard that strengthens and simplifies two-factor authentication (2FA) using specialized Universal Serial Bus (USB) or near-field communication (NFC) devices. It is succeeded by the FIDO2 Project, which includes the W3C Web Authentication (WebAuthn) standard and the FIDO Alliance's Client to Authenticator Protocol 2 (CTAP2).

While initially developed by Google and Yubico, with contribution from NXP Semiconductors, the standard is now hosted by the FIDO Alliance alone.

You will find a list of all services that are supporting U2F keys here.

Goal: Strong Authentication and Privacy for the Web

The U2F eco-system is designed to provide strong authentication for users on the web while preserving the user's privacy.

The user carries a 'U2F device' as a second factor that logs them into their online accounts. This way, these accounts can be kept secure, also from phishing attacks.

U2F hardware keys are a great achievement as these make sure that people and their online accounts are kept secure on the web.

LOAD COMMENTS