U2F is an open authentication standard that enables internet users to securely access any number of online services, with one single device, instantly and with no drivers, or client software needed.
U2F was created by Google and Yubico, and support from NXP, with the vision to take strong public key crypto to the mass market. Today, the technical specifications are hosted by the open-authentication industry consortium known as the FIDO Alliance. U2F has been successfully deployed by large scale services, including Gmail, Dropbox, GitHub, Salesforce.com, the UK government, and many more.
FIDO U2F provides strong authentication over USB, NFC, Bluetooth, and in passwordless/tokenless applications
Strong security — Strong two-factor authentication, using public key crypto that protects against phishing, session hijacking, man-in-the-middle, and malware attacks.
Easy to use — Works out-of-the-box thanks to native support in platforms and browsers (starting with Chrome, and Opera, with Mozilla coming in 2017) enabling instant authentication to any number of services. No codes to type, or drivers to install.
High privacy — Allows users to choose, own, and control their online identity. Each user can also opt to have multiple identities, including anonymous (no personal information associated with the identity). A U2F device generates a new pair of keys for every service, and only the service stores the public key. With this approach, no secrets are shared between service providers, and even low-cost U2F devices can support any number of services.
Multiple choices — Open standards provide flexibility and product choice. Designed for existing phones and computers, for many authentication modalities (keychain devices, for integration directly into computing devices, etc.), and with different communication methods (USB, NFC, Bluetooth).
Interoperable — Backed by leading internet and financial services. U2F allows every service provider to be their own identity provider, or provide users the option to authenticate through a federated service provider.
Cost-efficient — Service providers do not have to take on the cost and support of securely distributing U2F devices. Users can choose from a range of low-cost devices from multiple vendors, available at Amazon and other retail stores worldwide. Yubico offers free and open source server software for back-end integration.
Electronic identity — For organizations requiring a higher level of identity assurance, there are services for tying your U2F device to your real identity both online and offline.
Secure recovery — It is recommended that users register at least two U2F devices with every service provider should a U2F device be misplaced. Services may also provide the user with a backup code that they store in a safe place.
Ready to Use
Use a U2F Security Key or YubiKey instantly with these instructions:
- YubiKey with Google accounts to access to Gmail, Google Apps, YouTube, Google+.
- YubiKey with Salesforce for IT administrators to prevent unauthorized access to the Salesforce.com platform.
- YubiKey with GitHub to access developer repositories, including using U2F over NFC on Android phones.
- YubiKey with Dropbox to access data securely stored in Dropbox.
- YubiKey with Dashlane to securely store and manage your passwords.
- YubiKey with Bitbucket to host version control repositories owned by Atlassian.
- YubiKey with GitLab to code, test, and deploy together.
- YubiKey with GOV.UK Verify and Digidentity to secure online transactions with the UK government.
How it works
This diagram explains the basic process flow of U2F:
The U2F Attestation
The purpose of the U2F attestation is simply to provide a mechanism so that a U2F relying party (a website or service) can verify the authenticity of a U2F authenticator and thereby trust its attestation certificate. A relying party queries the attestation certificate to find out information about an authenticator, such as a YubiKey. The information queried can include the vendor, the type of device, and the assurance/security properties (for example, a secure element-based device) of the authenticator. The authenticity of the attestation information is guaranteed by a digital signature which has a specified validity period.
In addition to attesting to the authenticity of a device, the attestation certificate can also be used to determine what devices can be used by a relying party. For example, a banking site might want users to be able to provide their own U2F devices for two-factor authentication, but will only allow users to use devices from certain approved vendors.
There are no requirements however to dictate what type of device or client side software is using U2F – the relying party or service can decide to accept any type of attestation certificate or a specific type.
Free Open Source Code and Servers
Yubico provides alternatives for implementation:
- Standalone validation server that your server can query using a simple REST API. This is ideal if you want to make as few changes as possible to your existing code and database.
- Libraries for programming languages. With these, you have the flexibility/burden to store and access U2F artifacts yourself. This is ideal if you don’t want to deploy a standalone validation server.
To view a recording of our webinar titled “U2F: From Concept to Implementation,” see our blog.
- U2F Protocol
- Yubico’s U2F demo site
- Yubico & FIDO U2F History (Year 1748-2017)
- Blog: Over a Dozen Services Supporting FIDO U2F
- Blog: A milestone for wireless U2F
- Blog: FIDO U2F Now Offers Contactless, Tokenless, Passwordless Mobile Authentication
- Blog: Google Publishes Two-Year Study on Use of FIDO U2F Security Keys