U2F is an open authentication standard that enables internet users to securely access any number of online services, with one single device, instantly and with no drivers or client software needed.
U2F was created by Google and Yubico, with contribution from NXP, and is today hosted by the open-authentication industry consortium FIDO Alliance. The technical specifications were launched in late 2014, including native support in Google Accounts and Chrome, and have since resulted in a thriving ecosystem of hardware, software, and service providers. Support for U2F in the Opera browser was added starting with Version 40.
The U2F protocol passed a significant milestone in June 2015, adding new transport protocols that address support for mobile devices. U2F works on mobile devices using NFC wireless transport. In December 2015, GitHub was the first service to support U2F over NFC paired with Google Authenticator. In 2016, FIDO began developing specification improvements called FIDO 2.0, while the World Wide Web Consortium (W3C) began standardizing browser-based Web Authentication (Web AuthN) API specifications based on work FIDO completed in Dec. 2015. Learn more about YubiKey for Mobile.
FIDO U2F provides strong authentication over USB, NFC, Bluetooth, and in passwordless/tokenless applications
Open Standards — Open identity standards provide flexibility and product choice. Standards such as FIDO U2F, OpenID Connect, and OAuth are common identity standards integrated into today’s IT and consumer identity environments.
Strong security — Strong two-factor authentication, using public key crypto and with native support in the browser (starting with Chrome). Protects against phishing, session hijacking, man in the middle, and malware attacks.
Easy to use — Works out-of-the-box, enabling instant authentication to any number of services. No codes to re-type and no drivers to install.
High privacy — Allows users to choose, own and control their secure online identity. Each user can also choose to have multiple identities, including anonymous (no personal information associated with the identity). A U2F device generates a new pair of keys for every service, the public key is only stored on the specific service it connects to. With this approach no secrets are shared among service providers, and even low-cost U2F devices can support any number of services.
Multiple choices — Designed for existing phones and computers, for many authentication modalities (keychain devices, mobile phone, fingerprint reader, etc.) and with different communication methods (USB, NFC, Bluetooth).
Interoperable — Open standard backed by leading internet and financial services, including Google, Bank of America and 250 companies in the FIDO Alliance. U2F allows every service provider to be their own identity provider, or optionally let users authenticate through a federated service provider.
Cost-efficient — Service providers do not have to take the cost and support of secure distribution of U2F devices. Users can choose from a range of low-cost devices from multiple vendors, available at Amazon and other retail stores worldwide. Yubico offers free and open source server software for back-end integration.
Electronic identity — For services requiring a higher level of identity assurance, services are being developed, both online and in the physical world, for tying your U2F device to your real identity.
Secure recovery — It is recommended that users register at least two U2F devices with every service provider, which may optionally also provide the user with a backup code should a U2F device be misplaced.
How it works
This diagram explains the basic process flow of U2F:
The U2F Attestation
The purpose of the U2F attestation is simply to provide a mechanism so that a U2F relying party (a website or service) can verify the authenticity of a U2F authenticator and thereby trust its attestation certificate. A relying party queries the attestation certificate to find out information about an authenticator, such as a YubiKey. The information queried can include the vendor, the type of device, and the assurance/security properties (for example, a secure element-based device) of the authenticator. The authenticity of the attestation information is guaranteed by a digital signature which has a specified validity period.
In addition to attesting to the authenticity of a device, the attestation certificate can also be used to determine what devices can be used by a relying party. For example, a banking site might want users to be able to provide their own U2F devices for two-factor authentication, but will only allow users to use devices from certain approved vendors.
There are no requirements however to dictate what type of device or client side software is using U2F – the relying party or service can decide to accept any type of attestation certificate or a specific type.
Ready to Use
Use the YubiKey instantly with these instructions:
- YubiKey with Google accounts to access to Gmail, Google Apps, YouTube, Google+.
- YubiKey with Salesforce for IT administrators to prevent unauthorized access to the Salesforce.com platform.
- YubiKey with GitHub to access developer repositories, including using U2F over NFC on Android phones.
- YubiKey with Dropbox to access data securely stored in Dropbox.
- YubiKey with Dashlane to securely manage your passwords.
- YubiKey with Bitbucket to host version control repositories owned by Atlassian.
- YubiKey with GitLab to code, test, and deploy together.
- YubiKey with GOV.UK Verify and Digidentity to secure online transactions with the UK government.
Yubico provides alternatives for implementation:
- Standalone validation server that your server can query using a simple REST API. This is ideal if you want to make as few changes as possible to your existing code and database.
- Libraries for programming languages. With these, you have the flexibility/burden to store and access U2F artifacts yourself. This is ideal if you don’t want to deploy a standalone validation server.
To view a recording of our webinar titled “U2F: From Concept to Implementation,” see our blog.