Wikipedia

Universal 2nd Factor

Universal 2nd Factor (U2F) is an open standard that strengthens and simplifies two-factor authentication (2FA) using specialized Universal Serial Bus (USB) or near-field communication (NFC) devices based on similar security technology found in smart cards.[1][2][3][4][5] It is succeeded by the FIDO2 Project, which includes the W3C Web Authentication (WebAuthn) standard and the FIDO Alliance's Client to Authenticator Protocol 2 (CTAP2).[6]

While initially developed by Google and Yubico, with contribution from NXP Semiconductors, the standard is now hosted by the FIDO Alliance.[7][8]

Advantages and disadvantages

While time-based one-time passwords (TOTPs) (e.g. 6-digit codes generated on Google Authenticator) were a significant improvement over SMS-based security codes, a number of security vulnerabilities were still possible to exploit, which U2F sought to improve. Specifically:

Comparison of security issues between TOTP and U2F

Shared secret
  TOTP:
    • Plaintext or QR code transmission of shared secret between server and user
    • Shared secret may be stored in plaintext on server
  U2F:
    • Transmission of public key challenge / response
    • Private key only stored on user hardware device

Man-in-the-middle attack
  TOTP:
    • Plaintext code response vulnerable to interception and MITM attack if user has been phished by malicious website
  U2F:
    • Challenge / response is signed (encoding originating domain/website) to prevent interception and reuse

Convenience / eavesdropping
  TOTP:
    • Plaintext code is displayed and typed by user manually, visually
    • Prone to mistyping, error
  U2F:
    • Transmission / creation of authentication code is via USB or NFC between hardware key and computer without manual typing steps

In terms of disadvantages, one significant difference and potential drawback to be considered regarding hardware-based U2F solutions is that unlike with TOTP shared-secret methods, there is no possibility of "backing up" recovery codes or shared secrets. If a hardware duplicate or alternative hardware key is not kept and the original U2F hardware key is lost, no recovery of the key is possible (because the private key exists only in hardware). Therefore, for services that do not provide any alternative account recovery method, the use of U2F should be carefully considered.

Design

The USB devices communicate with the host computer using the human interface device (HID) protocol, essentially mimicking a keyboard.[9][failed verification] This avoids the need for the user to install special hardware driver software in the host computer and permits application software (such as a browser) to directly access the security features of the device without user effort other than possessing and inserting the device. Once communication is established, the application exercises a challenge–response authentication with the device using public-key cryptography methods and a secret unique device key manufactured into the device.[10]
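The challenge–response exchange described above, carried through as an added worked example written for this article (it is not code from the FIDO specifications, Yubico or Google). It follows the layout of the U2F authentication signature: application parameter (SHA-256 of the AppID), a user-presence byte, a 4-byte big-endian counter, and the SHA-256 of the client data that carries the challenge and origin. Because the client hashes the origin it is actually talking to into the application parameter, a response obtained by a look-alike site does not verify against the relying party's own AppID, which is the man-in-the-middle row of the comparison table above; the counter check is the server-side indicator for a replayed response or a cloned token. The `Authenticator` and `RelyingParty` classes, the key-handle scheme, the HID transport being skipped, and the inline P-256 ECDSA (textbook, not constant-time, not for production) are simplifications chosen for this example, and the facet validation a real server also performs on the client-data origin is omitted:

```python
import hashlib
import json
import secrets
import struct

# NIST P-256 domain parameters (public constants)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p1, p2):
    # Affine point addition on P-256 (a = -3); None is the point at infinity.
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, point):
    # Double-and-add scalar multiplication (toy code: not constant-time).
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def ecdsa_sign(priv: int, msg: bytes) -> tuple:
    # Textbook ECDSA with a fresh random nonce per signature.
    z = int.from_bytes(sha256(msg), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s:
            return (r, s)

def ecdsa_verify(pub: tuple, msg: bytes, sig: tuple) -> bool:
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    z = int.from_bytes(sha256(msg), "big")
    w = pow(s, -1, N)
    point = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return point is not None and point[0] % N == r

def signed_bytes(app_param: bytes, counter: int, challenge_param: bytes) -> bytes:
    # U2F authentication signature input: app param | user presence | counter | challenge param
    return app_param + b"\x01" + struct.pack(">I", counter) + challenge_param

class Authenticator:
    # Stand-in for the hardware token: private scalars never leave this object.
    def __init__(self):
        self._keys = {}      # key handle -> private scalar (hypothetical handle scheme)
        self._counter = 0    # monotonically increasing usage counter
    def register(self, app_param: bytes) -> tuple:
        priv = secrets.randbelow(N - 1) + 1
        handle = secrets.token_bytes(16)
        self._keys[handle] = priv
        return handle, _mul(priv, G)   # only the public key is exported
    def authenticate(self, app_param: bytes, handle: bytes, challenge_param: bytes) -> tuple:
        self._counter += 1
        msg = signed_bytes(app_param, self._counter, challenge_param)
        return self._counter, ecdsa_sign(self._keys[handle], msg)

class RelyingParty:
    # Server side: one public key and last-seen counter per key handle.
    def __init__(self, app_id: str):
        self.app_param = sha256(app_id.encode())
        self._creds = {}
    def enroll(self, token: Authenticator) -> bytes:
        handle, pub = token.register(self.app_param)
        self._creds[handle] = (pub, 0)
        return handle
    def login(self, token: Authenticator, handle: bytes, browser_origin: str) -> bool:
        client_data = json.dumps({"typ": "navigator.id.getAssertion",
                                  "challenge": secrets.token_urlsafe(32),
                                  "origin": browser_origin}, sort_keys=True).encode()
        # The client hashes the origin it sees into the application parameter, so a
        # look-alike site only ever obtains a signature bound to its own hostname.
        counter, sig = token.authenticate(sha256(browser_origin.encode()), handle,
                                          sha256(client_data))
        pub, last = self._creds[handle]
        # The server verifies against its OWN AppID hash, never a client-supplied one.
        if not ecdsa_verify(pub, signed_bytes(self.app_param, counter, sha256(client_data)), sig):
            return False
        if counter <= last:   # replayed response, or a cloned token that fell behind
            return False
        self._creds[handle] = (pub, counter)
        return True
```

With `rp = RelyingParty("https://example.com")` and an enrolled `Authenticator`, `rp.login(token, handle, "https://example.com")` returns True while `rp.login(token, handle, "https://examp1e.com")` returns False, since the signature was bound to the look-alike origin. Two tokens holding the same private scalar (the cloning scenario discussed under Vulnerabilities) each advance their own counter, so whichever one falls behind is rejected by the `counter <= last` check; that check is a detection aid, not a guarantee, because the clone that logs in first is accepted.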

Vulnerabilities

The device key is vulnerable to malicious manufacturer duplication.[citation needed]

In 2020, independent security researchers found a method to extract private keys from Google Titan Key, a popular U2F hardware security token.[11][12][13] The method required physical access to the key for several hours, several thousand euros-worth of equipment, and was destructive to the plastic case of the key.[11][12][13] The attackers concluded that the difficulty of the attack meant that people were still safer to use the keys than not.[11][12][13] The attack was possible due to a vulnerability in the A700X microchip made by NXP Semiconductors, which is also used in security tokens made by Feitian and Yubico, meaning that those tokens are also vulnerable.[11][14] The vulnerability was responsibly disclosed to the affected manufacturers so that it might be fixed in future products.[11][12][13]

Support and use

U2F security keys are supported by Google Chrome since version 38,[2] Firefox since version 57[15] and Opera since version 40. U2F security keys can be used as an additional method of two-step verification on online services that support the U2F protocol, including Google,[2] Azure,[16] Dropbox,[17] GitHub,[18] GitLab,[19] Bitbucket,[20] Nextcloud,[21] Facebook,[22] and others.[23]

Chrome, Firefox, and Opera were, as of 2015, the only browsers supporting U2F natively. Microsoft has enabled FIDO 2.0 support for Windows 10's Windows Hello login platform.[24] The Microsoft Edge[25] browser gained support for U2F in the October 2018 Windows Update. Microsoft accounts, including Office 365, OneDrive, and other Microsoft services, do not yet have U2F support. Mozilla has integrated it into Firefox 57, and enabled it by default in Firefox 60[26][27][28][29] and Thunderbird 60.[30] Microsoft Edge, starting from build 17723, supports FIDO2.[31] As of iOS and iPadOS 13.3, Apple supports U2F in the Safari browser on those platforms.

Specifications

(Figure: The evolution of the U2F protocol standard)

The U2F standard has undergone two major revisions:

  • U2F 1.0 Proposed Standard (October 9, 2014)[32]
  • U2F 1.2 Proposed Standard (April 11, 2017)[33]

Additional specification documents may be obtained from the FIDO web site.[34]

The U2F 1.0 Proposed Standard (October 9, 2014) was the starting point for a short-lived specification known as the FIDO 2.0 Proposed Standard (September 4, 2015). The latter was formally submitted to the World Wide Web Consortium (W3C) on November 12, 2015.[35] Subsequently, the first Working Draft of the W3C Web Authentication (WebAuthn) standard was published on May 31, 2016. The WebAuthn standard has been revised numerous times since then, becoming a W3C Recommendation on March 4, 2019.

Meanwhile, the U2F 1.2 Proposed Standard (April 11, 2017) became the starting point for the Client to Authenticator Protocol (CTAP) Proposed Standard, which was published on September 27, 2017. FIDO CTAP complements W3C WebAuthn, both of which are in scope for the FIDO2 Project.

WebAuthn and CTAP provide a complete replacement for U2F, which has been renamed "CTAP1" in the latest version of the FIDO2 standard.[36] The WebAuthn protocol is backward-compatible (via the AppID extension) with U2F-only security keys[37] but the U2F protocol is not compatible with a WebAuthn-only authenticator.[38][39][36] Some authenticators support both U2F and WebAuthn while some WebAuthn clients support keys created via the legacy U2F API.[citation needed]

References

  1. ^ Turner, Adam (November 5, 2014). "Google security keys may offer extra layer of online protection". The Sydney Morning Herald. Fairfax Media. Retrieved November 28, 2014.
  2. ^ a b c "What browsers support U2F". Yubico. Archived from the original on August 18, 2017. Retrieved August 17, 2017.
  3. ^ Bradley, Tony (October 21, 2014). "How a USB key drive could remove the hassles from two-factor authentication". PCWorld. IDG Consumer & SMB. Retrieved November 28, 2014.
  4. ^ "FIDO Universal 2nd Factor". Yubico AB. Retrieved November 28, 2014.
  5. ^ Diallo, Amadou (November 30, 2013). "Google Wants To Make Your Passwords Obsolete". Forbes. Retrieved November 28, 2014.
  6. ^ Octopus, Cipher. "An In-Depth Guide to FIDO Protocols: U2F, UAF, and WebAuthn (FIDO2)". blog.strongkey.com. Retrieved 9 March 2021.
  7. ^ "FIDO Alliance – download specifications". FIDO Alliance. Retrieved October 19, 2017.
  8. ^ Krebs, Brian (October 14, 2014). "Google Accounts Now Support Security Keys". Krebs on Security. Retrieved November 28, 2014.
  9. ^ "FIDO U2F HID Protocol Specification". FIDO Alliance. October 9, 2014. Retrieved July 24, 2018.
  10. ^ "Key generation". Yubico. Retrieved 31 July 2018.
  11. ^ a b c d e "Hackers can clone Google Titan 2FA keys using a side channel in NXP chips". Ars Technica. 2021-01-08. Retrieved 2021-01-13.
  12. ^ a b c d Cimpanu, Catalin (2021-01-08). "New side-channel attack can recover encryption keys from Google Titan security keys". ZDNet. Retrieved 2021-01-13.
  13. ^ a b c d "Researchers Show Google's Titan Security Keys Can Be Cloned". SecurityWeek. 2021-01-11. Retrieved 2021-01-13.
  14. ^ Ducklin, Paul (2021-01-11). "Google Titan security keys hacked by French researchers". Naked Security. Retrieved 2021-01-13.
  15. ^ J.C. Jones (April 4, 2019). "Backward-Compatibility FIDO U2F support shipping soon in Firefox". Mozilla Security Blog.
  16. ^ "Passwordless authentication options for Azure Active Directory". Retrieved 14 April 2021.
  17. ^ Heim, Patrick; Patel, Jay (August 12, 2015). "Introducing U2F support for secure authentication". Dropbox Blog. Retrieved August 12, 2015.
  18. ^ Olsen, Risk (October 1, 2015). "GitHub supports Universal 2nd Factor authentication". github.com/blog. GitHub. Retrieved October 1, 2015.
  19. ^ Nwaigwe, Amara (June 22, 2016). "Support for Universal 2nd Factor Authentication". GitLab Blog. Retrieved July 9, 2016.
  20. ^ Kells, TJ (June 22, 2016). "Universal 2nd Factor (U2F) now supported in Bitbucket Cloud". Bitbucket Blog. Retrieved June 22, 2016.
  21. ^ "Nextcloud 11 sets new standard for security and scalability". Nextcloud. 13 December 2016. Retrieved 23 December 2016.
  22. ^ "Security Key for safer logins with a touch". Facebook. Retrieved 27 January 2017.
  23. ^ "USB-Dongle Authentication". Josh Davis. Retrieved 23 January 2023.
  24. ^ Ingalls, Dustin (February 13, 2015). "Microsoft Announces FIDO Support Coming to Windows 10". Windows Blog. Retrieved October 3, 2015.
  25. ^ "Microsoft Edge now supports passwordless sign-ins". Engadget. Retrieved 2018-10-04.
  26. ^ "Firefox 57 has native support for U2F". Mozilla. Retrieved November 1, 2017.
  27. ^ "U2F Support Addon". Retrieved May 8, 2016.
  28. ^ "Firefox Nightly enables support for FIDO U2F Security Keys". Yubico blog. 2017-09-22. Retrieved September 27, 2017.
  29. ^ "Firefox 60.0 release notes". Retrieved May 11, 2018.
  30. ^ "Thunderbird 60.0 release notes". Retrieved June 22, 2018.
  31. ^ "Introducing Web Authentication in Microsoft Edge". Microsoft Edge Dev Blog. blogs.windows.com. 2018-07-30. Retrieved 2018-08-03.
  32. ^ "FIDO U2F V1.0 Proposed Standard 2014-10-09". FIDO Alliance. 9 October 2014. Retrieved 3 May 2019.
  33. ^ "FIDO U2F V1.2 Proposed Standard 2017-04-11". FIDO Alliance. 11 April 2017. Retrieved 3 May 2019.
  34. ^ "Download Specifications". FIDO Alliance. Retrieved 13 February 2019.
  35. ^ "Submission Request to W3C: FIDO 2.0 Platform Specifications 1.0". World Wide Web Consortium. Retrieved 12 February 2019.
  36. ^ a b Chong, Jerrod (1 August 2018). "10 Things You've Been Wondering About FIDO2, WebAuthn, and a Passwordless World". Retrieved 1 May 2019.
  37. ^ Balfanz, Dirk; Czeskis, Alexei; Hodges, Jeff; Jones, J.C.; Jones, Michael B.; Kumar, Akshay; Liao, Angelo; Lindemann, Rolf; Lundberg, Emil (eds.). "Web Authentication: An API for accessing Public Key Credentials Level 1 (latest)". World Wide Web Consortium (W3C). Retrieved 4 March 2019.
  38. ^ Hakamine, Frederico (22 January 2019). "Understanding FIDO Standards: Your Go-To Guide". Okta. Retrieved 22 July 2021.
  39. ^ Salam, Feroz (25 August 2018). "Why you can't use Firefox to register a U2F key with Google". Padlock. Retrieved 1 May 2019.
