U2F is an open authentication standard that enables internet users to securely access any number of online services, with one single device, instantly and with no drivers or client software needed.
U2F was created by Google and Yubico, with contribution from NXP, and is today hosted by the open-authentication industry consortium FIDO Alliance. The technical specifications were launched in late 2014, including native support in Google Accounts and Chrome, and have since resulted in a thriving ecosystem of hardware, software and service providers. The U2F protocol passed a significant milestone in June 2015, adding new transport protocols that address support for mobile devices.
U2F is used with USB devices, including YubiKeys, as one of many authentication methods.
Strong security — Strong two-factor authentication, using public key crypto and with native support in the browser (starting with Chrome). Protects against phishing, session hijacking, man in the middle, and malware attacks.
Easy to use — Works out-of-the-box, enabling instant authentication to any number of services. No codes to re-type and no drivers to install.
High privacy — Allows users to choose, own and control their secure online identity. Each user can also choose to have multiple identities, including anonymous ones (no personal information associated with the identity). A U2F device generates a new key pair for every service, and the public key is stored only on the specific service it was registered with. With this approach no secrets are shared among service providers, and even low-cost U2F devices can support any number of services.
Multiple choices — Designed for existing phones and computers, for many authentication modalities (keychain devices, mobile phone, fingerprint reader, etc.) and with different communication methods (USB, NFC, Bluetooth).
Interoperable — Open standard backed by leading internet and financial services, including Google, Bank of America and 250 companies in the FIDO Alliance. U2F allows every service provider to be their own identity provider, or optionally let users authenticate through a federated service provider.
Cost-efficient — Service providers do not have to take the cost and support of secure distribution of U2F devices. Users can choose from a range of low-cost devices from multiple vendors, available at Amazon and other retail stores worldwide. Yubico offers free and open source server software for back-end integration.
Electronic identity — For services requiring a higher level of identity assurance, services are being developed, both online and in the physical world, for tying your U2F device to your real identity.
Secure recovery — It is recommended that users register at least two U2F devices with every service provider, which may optionally also provide the user with a backup code should a U2F device be misplaced.
How it works
This diagram explains the basic process flow of U2F:
The U2F Attestation
The purpose of U2F attestation is simply to provide a mechanism by which a U2F relying party (a website or service) can verify the authenticity of a U2F authenticator and thereby trust its attestation certificate. A relying party inspects the attestation certificate to find out information about an authenticator, such as a YubiKey. That information can include the vendor, the type of device, and the assurance/security properties of the authenticator (for example, that it is a secure element-based device). The authenticity of the attestation information is guaranteed by a digital signature, which has a specified validity period.
In addition to attesting to the authenticity of a device, the attestation certificate can also be used to determine what devices can be used by a relying party. For example, a banking site might want users to be able to provide their own U2F devices for two-factor authentication, but will only allow users to use devices from certain approved vendors.
There are, however, no requirements dictating what type of device or client-side software uses U2F; the relying party or service can decide to accept any type of attestation certificate or only a specific type.
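The relying-party side of the attestation check described above, as an added example written for this page (it is not Yubico's code and not one of the Yubico server libraries) using only Go's standard library: the attestation certificate must chain to a root the service has approved, and its key must have signed the registration data as the U2F raw message format defines it (0x00, application parameter, challenge parameter, key handle, user public key). The vendor root, the batch attestation certificate, the key handle and the challenge are all constructed inside the block; none of them are real YubiKey values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Registration is what the relying party receives from a U2F registration; every value used here is constructed.
type Registration struct{ AttestCertDER, AppParam, ChallengeParam, KeyHandle, UserPubKey, Sig []byte }
// signedData is what the authenticator signs: 0x00 || application parameter || challenge parameter || key handle || user public key.
func signedData(r Registration) []byte {
	return append(append(append(append([]byte{0x00}, r.AppParam...), r.ChallengeParam...), r.KeyHandle...), r.UserPubKey...)
}
// VerifyAttestation is the relying-party check: the attestation certificate must chain to an approved vendor root and its ECDSA key must have signed SHA-256(signedData); either failure rejects the device.
func VerifyAttestation(approvedRoots *x509.CertPool, r Registration) error {
	cert, err := x509.ParseCertificate(r.AttestCertDER)
	if err != nil { return err }
	if _, err = cert.Verify(x509.VerifyOptions{Roots: approvedRoots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("attestation certificate not from an approved vendor: %w", err)
	}
	digest := sha256.Sum256(signedData(r))
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, digest[:], r.Sig) {
		return fmt.Errorf("attestation signature does not verify over the registration data")
	}
	return nil
}
// NewCert issues a two-hour P-256 certificate (broad key-usage bits keep it short); a nil parent means self-signed, which is how the constructed vendor root is made.
func NewCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil { parent, parentKey = tmpl, key }
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// SimulateRegistration plays the authenticator: a fresh per-service user key pair, a constructed key handle, and a signature from the constructed batch attestation key.
func SimulateRegistration(attest *x509.Certificate, attestKey *ecdsa.PrivateKey, appID, challenge string) Registration {
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256([]byte(challenge))
	r := Registration{attest.Raw, app[:], chal[:], []byte("constructed-key-handle"), elliptic.Marshal(elliptic.P256(), userKey.X, userKey.Y), nil}
	d := sha256.Sum256(signedData(r)); r.Sig, _ = ecdsa.SignASN1(rand.Reader, attestKey, d[:])
	return r
}
```

Pinning the vendor root in the certificate pool, rather than individual batch certificates, is what lets the "approved vendors" policy above be expressed as a single chain check.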
Yubico provides three alternatives for implementation:
- Plugins for Content Management Systems (CMS), such as WordPress and Django. This is the easiest alternative if you are using a supported CMS.
- Standalone validation server that your server can query using a simple REST API. This is ideal if you want to make as few changes as possible to your existing code and database.
- Libraries for programming languages. With these, you have the flexibility/burden to store and access U2F artifacts yourself. This is ideal if you don’t want to deploy a standalone validation server.
To view a recording of our webinar titled “U2F: From Concept to Implementation,” see our blog.