Stina Ehrensvard

Why FIDO U2F Was Designed to Protect Your Privacy

If you are not a dictator, you probably love the Internet.

During the Arab Spring protests, social media played an important role in helping people to connect and organize protests against non-democratic governments. Inevitably, this created a backlash against such sites, intimidating them to provide information about individuals. In a discussion with a security engineer at one of the leading providers in this field, I really understood the concerns and the moral dilemma – you provide the tools, but also expose your user base, ultimately leading to punishment and death. One way it was phrased was “There have been times when we wished we didn’t have any personal data about our users. Arab Spring was one of those events.”

This highlights a key problem – do social media sites and e-mail providers themselves have a responsibility to ensure the integrity of their user base and their accounts? Even if a service is provided for free and on a best-effort basis?

Account integrity has been one of the main drivers for myself and Yubico. With this in mind, we’ve been one of the main contributors behind FIDO U2F (Universal Second Factor);  a high-security authentication technology designed to protect your online privacy. Two weeks ago, Google Accounts enabled support for FIDO U2F, and since then we have donated a large amount of blue Security Keys to global dissidents to help them protect their online identities from assaults by non-democratic forces.

The FIDO U2F Security Key is designed to be anonymous, a key without any publicly available serial number or central authority. The device is not tied to a user’s computer, phone, credit card, fingerprint or any means of a real identity. Every time you register a device to a new service, it generates a new set of cryptographic secrets that are only stored with the specific service, leaving no footprints. No personal data nor secrets are shared among service providers, making it impossible to track the user across multiple web sites.

Another aspect is openness and transparency; the technology behind U2F is public and documented. Anyone can implement and review, the are no hidden secrets. Yubico is actively contributing with open-source code to allow third-parties to make their own implementations. It is available to be used for good guys and for bad ones, but that is the way it has to be. Any organization that has tried to own and control online identity has failed.

YubiKeys and Security Keys supporting U2F are now available for anyone to order from our store and Amazon. In the future, you will walk into a retail store, and hanging among the gift cards,  any number of real and hidden secure online identities will be available for you.

In the picture above, a young Egyptian man paints civic-minded messages on a wall in downtown Alexandria, February 2011. The top line of the message he is painting reads, “I am Egyptian.” The message in blue on the far right reads,” I will throw the litter in the trash can.” And the second one from right reads, “I will respect the traffic lights.”

p.s. To learn more about Internet privacy from the advocates and experts in the field, join me at Pii, the Privacy Internet Identity conference, starting today in Palo Alto, CA. And read John Fontana’s blog on ZDNet on privacy.

Comments are closed.