What is FIDO U2F?
U2F is an open authentication standard that lets internet users securely access any number of online services with one security key, instantly and with no drivers or client software needed. FIDO2 (WebAuthn plus CTAP2) is the successor to U2F; within FIDO2 the U2F protocol lives on as CTAP1, and existing U2F keys continue to work as second factors with FIDO2-capable sites.
Where did U2F come from?
U2F was created by Google and Yubico, with contributions from NXP, with the vision of taking strong public key crypto to the mass market. Today, the technical specifications are hosted by the open-authentication industry consortium known as the FIDO Alliance. U2F has been successfully deployed by large-scale services, including Facebook, Gmail, Dropbox, GitHub, Salesforce.com, the UK government, and many more.
How it works – 3 options, 2 simple steps to authentication
Origin binding: defense against phishing
With the YubiKey, user login is bound to the origin: the browser, not the web page, passes the origin (the application ID) to the key, the key's signature covers it, and the server checks it. Only the real site can authenticate with the key. Authentication fails on a fake site even if the user was fooled into thinking it was real, because the key handle issued for the real origin is rejected for any other origin, and the signed client data names the origin the browser actually visited. This greatly mitigates the increasing volume and sophistication of phishing attacks and stops the account takeovers that follow.
What are the advantages of U2F?
- Strong security — Strong two-factor authentication using public key crypto. Each signature is bound to the origin and to a fresh server challenge, so it protects against phishing and against a man-in-the-middle relaying the login, and it cannot be replayed. It does not by itself protect a session cookie issued after login or a host already compromised by malware, so it should be combined with the usual session and endpoint controls.
- Easy to use — Works out-of-the-box thanks to native support in platforms and browsers including Chrome, Opera, and Mozilla Firefox, enabling instant authentication to any number of services. No codes to type or drivers to install.
- High privacy — Allows users to choose, own, and control their online identity. Each user can also opt to have multiple identities, including anonymous, with no personal information associated with the identity. A U2F Security Key generates a new pair of keys for every service, and only the service stores the public key. With this approach, no secrets are shared between service providers, and an affordable U2F Security Key can support any number of services.
- Multiple choices — Open standards provide flexibility and product choice. Designed for existing phones and computers, for many authentication modalities, and with different communication methods (USB and NFC).
- Cost-efficient — Users can choose from a range of affordable devices online. Yubico offers free and open source server software for back-end integration through the Yubico Developer Program.
- Electronic identity — Identity proofing is offered for organizations requiring a higher level of identity assurance. Through service providers, it is possible to bind your U2F Security Key to your real government issued identity.
- Blog: Yubico Launches Passwordless Login with new Security Key and FIDO2
- Blog: Google Publishes Two-Year Study on Use of FIDO U2F Security Keys
- Blog: Over a Dozen Services Supporting FIDO U2F
- Blog: A milestone for wireless U2F
- Blog: FIDO U2F Now Offers Contactless, Tokenless, Passwordless Mobile Authentication
To learn more about U2F for developers, visit the Yubico Developer Program.
Q: What is a Security Key and how do I get one?
A: The Security Key by Yubico relies on high-security, public key cryptography using the same tried and trusted hardware from Yubico. As U2F protocol support begins to spread across internet applications, the same Security Key will work with other U2F-enabled applications. The keys are available worldwide from Amazon.com and the Yubico store.
Q: Can I use my Security Key with multiple Google accounts?
A: Yes, the same FIDO U2F Security Key can be used to secure multiple Google accounts.
Q: How many services can the Security Key be associated with?
A: There is no practical limit to the number of U2F-secured services a Security Key can be associated with. During registration, the key pair is generated on the device (in its secure element), but it is not stored on the Security Key. Instead, the relying party/service that initiated the registration stores the public key together with a key handle, a wrapped (encrypted) form of the private key that only the originating device can unwrap. Because nothing per service is stored on the key, an unlimited number of services can be associated with the Security Key.
Q: Can I use the U2F YubiKey I have for Gmail and other Google Accounts with Dropbox?
A: Yes. The same U2F YubiKey can be used with any number of services; there is no practical limit to the U2F-secured services the FIDO U2F Security Key, YubiKey 4, and YubiKey NEO can be associated with.
As in the previous answer, the key pair is generated on the device (in its secure element) but is not stored on the YubiKey: each relying party/service that registered the key stores the public key together with a key handle, a wrapped (encrypted) form of the private key that only the originating device can unwrap. Nothing per service is stored on the key, so an unlimited number of services can be associated with the U2F-certified YubiKeys.
This means the same U2F-enabled YubiKey you use for Gmail or G Suite can be used with your Facebook, GitHub, and Dropbox accounts.
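The origin binding described under "Origin binding: defense against phishing" and the key-handle mechanism described in the two answers above, as one added Python model. This is an illustration written for this page, not Yubico firmware or the libu2f-host code. It assumes a simplified key-wrapping scheme (the private key is re-derived from the device master secret, the application parameter and a per-registration nonce; the key handle is that nonce plus a MAC over the application parameter), a textbook affine P-256 ECDSA that is not constant-time and not for production use, and constructed origins, challenge and names (U2FDevice, RelyingParty, browser_sign). It needs Python 3.8 or later for the modular inverse via pow().

```python
# Added toy model of U2F origin binding and key-handle wrapping (illustration, not Yubico code).
# Assumed wrapping: priv = f(master, app_param, nonce); key_handle = nonce || MAC(master, app_param, nonce).
import hashlib, hmac, json, secrets, struct

P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff  # secp256r1 field prime
A = P - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551  # group order
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p1, p2):  # affine P-256 point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = ((3 * x1 * x1 + A) * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):  # double-and-add scalar multiplication (not constant-time)
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def _sign(d, msg):
    e = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    k = int.from_bytes(hmac.new(d.to_bytes(32, "big"), msg, "sha256").digest(), "big") % (N - 1) + 1  # simplified RFC 6979-style nonce
    r = _mul(k, G)[0] % N
    return r, pow(k, -1, N) * (e + r * d) % N

def _verify(q, msg, sig):
    r, s = sig
    e, w = int.from_bytes(hashlib.sha256(msg).digest(), "big"), pow(s, -1, N)
    pt = _add(_mul(e * w % N, G), _mul(r * w % N, q))
    return pt is not None and pt[0] % N == r

def signed_payload(app_param, counter, client_data):  # app param || user presence || counter || challenge param
    return app_param + b"\x01" + struct.pack(">I", counter) + hashlib.sha256(client_data).digest()

class U2FDevice:  # authenticator: one master secret, one counter, no per-service storage
    def __init__(self):
        self.master, self.counter = secrets.token_bytes(32), 0
    def _derive(self, app_param, nonce):
        priv = int.from_bytes(hmac.new(self.master, b"key" + app_param + nonce, "sha256").digest(), "big") % (N - 1) + 1
        return priv, hmac.new(self.master, b"tag" + app_param + nonce, "sha256").digest()
    def register(self, app_param):
        nonce = secrets.token_bytes(32)
        priv, tag = self._derive(app_param, nonce)
        return nonce + tag, _mul(priv, G)  # key handle and public key: both go to the relying party
    def authenticate(self, app_param, client_data, key_handle):
        priv, expected = self._derive(app_param, key_handle[:32])
        if not hmac.compare_digest(key_handle[32:], expected):  # handle was minted for a different origin
            raise ValueError("key handle does not belong to this origin")
        self.counter += 1
        return self.counter, _sign(priv, signed_payload(app_param, self.counter, client_data))

def browser_sign(device, origin, challenge, key_handle):  # the browser, not the page, fills in the origin
    client_data = json.dumps({"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin}).encode()
    counter, sig = device.authenticate(hashlib.sha256(origin.encode()).digest(), client_data, key_handle)
    return client_data, counter, sig

class RelyingParty:
    def __init__(self, origin):
        self.origin, self.app_param = origin, hashlib.sha256(origin.encode()).digest()
        self.creds = {}  # key handle -> (public key, last counter): the only per-user state
    def enroll(self, device):
        key_handle, pub = device.register(self.app_param)
        self.creds[key_handle] = (pub, 0)
        return key_handle
    def verify(self, key_handle, client_data, counter, sig, challenge):
        pub, last = self.creds[key_handle]
        cd = json.loads(client_data)
        if cd.get("origin") != self.origin or cd.get("challenge") != challenge:
            return False  # assertion was made for another site or another challenge
        if counter <= last or not _verify(pub, signed_payload(self.app_param, counter, client_data), sig):
            return False  # replay / cloned-key counter, or bad signature
        self.creds[key_handle] = (pub, counter)
        return True

def demo():
    device, rp = U2FDevice(), RelyingParty("https://accounts.example")  # constructed origin
    key_handle = rp.enroll(device)
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # constructed challenge
    client_data, counter, sig = browser_sign(device, rp.origin, challenge, key_handle)
    ok = rp.verify(key_handle, client_data, counter, sig, challenge)
    replayed = rp.verify(key_handle, client_data, counter, sig, challenge)  # same assertion again
    try:  # phishing page at another origin relays the real challenge and key handle
        browser_sign(device, "https://accounts-example.evil", challenge, key_handle)
        phished = True
    except ValueError:
        phished = False
    return ok, replayed, phished
```

Running demo() returns (True, False, False): the genuine origin verifies, replaying the same assertion is rejected by the counter, and a phishing origin relaying the real challenge and key handle cannot even obtain a signature, because the key handle's MAC was computed over the real application parameter. Even if a key did sign, the relying party's check of the origin field in the client data would reject the assertion, which is why the relying party must verify that field and not just the signature.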
Q: Can I log in to my Gmail account on my mobile device?
A: Yes, if your key supports NFC. The YubiKey NEO includes an NFC transport, and NFC is standard on most Android devices, so the NEO can be tapped against the phone when an app or browser that supports U2F over NFC asks for the key.
Q: What browsers support the U2F-certified YubiKeys?
A: You must be running a current version of the Google Chrome browser, which has included support for the U2F protocol since version 38. To check the version number, click the Chrome menu in the toolbar and select About Google Chrome.
At the time this FAQ was written, Chrome was the only supported browser; Mozilla was building U2F support into Firefox, and Microsoft was working within the FIDO Alliance to eventually bring support to Windows 10.
Q: Can I use my Security Key to enable strong 2-factor authentication for my enterprise?
A: Any online service or application can integrate with the U2F protocol. Several of our partners, including Okta and Duo Security, offer enterprise server solutions supporting U2F. Learn more about Yubico’s Featured Integrations.
Q: Is the YubiKey a biometric device?
A: No. The gold contact is a capacitive touch sensor: touching it with any finger signals user presence and lets the key complete the pending operation. It detects that someone touched the key, not who touched it, so there are no false positives/negatives to worry about.
Q: How can I setup my Linux instance for use with U2F?
A: If you have a Security Key (the blue, U2F-only key), follow these instructions:
- Go to https://github.com/Yubico/libu2f-host/blob/master/70-u2f.rules
- Download or create a copy of the file named 70-u2f.rules in the Linux directory /etc/udev/rules.d/ (if this file already exists, ensure that its content matches the one provided at the github.com/Yubico link above)
- Save your file.
- Reboot your system, or reload the rules without rebooting by running udevadm control --reload-rules as root and then unplugging and replugging the key.
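The same setup as a script, added here as an example and not taken from the page or from Yubico's 70-u2f.rules file. It assumes a rule that matches every Yubico device by USB vendor ID 1050 instead of listing product IDs the way the upstream file does, and a system running systemd-logind, which honours the "uaccess" tag for the active seat. The file path, function names and the HID_ID check against sysfs are this example's own choices.

```shell
#!/bin/sh
# Added example, not the page's instructions or Yubico's 70-u2f.rules:
# install a udev rule that lets the logged-in desktop user open the Security
# Key's HID device, reload udev (no reboot needed), and verify access.
# Assumptions: the rule matches every Yubico device (USB vendor ID 1050) rather
# than listing product IDs as the upstream file does; the system runs
# systemd-logind, which honours the "uaccess" tag for the active seat.
set -u

RULES_FILE="/etc/udev/rules.d/70-u2f.rules"

# The rule text. Browsers talk U2F over the hidraw interface, so that is the
# device node that must be accessible to the user.
u2f_rule_text() {
    cat <<'EOF'
# FIDO U2F Security Key by Yubico: allow the active seat to open the HID device
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", TAG+="uaccess"
EOF
}

# Write the rule unless an identical one is already installed, then reload
# udev so it applies at the next plug-in without a reboot (run as root).
install_u2f_rule() {
    if [ -f "$RULES_FILE" ] && u2f_rule_text | cmp -s - "$RULES_FILE"; then
        echo "$RULES_FILE already matches"
    else
        u2f_rule_text > "$RULES_FILE" || return 1
        echo "wrote $RULES_FILE"
    fi
    udevadm control --reload-rules && udevadm trigger --subsystem-match=hidraw
}

# After replugging the key: find hidraw nodes whose HID_ID names USB bus 0003
# and vendor 1050, and check that the current user can read and write them.
check_u2f_access() {
    status=1
    for dev in /dev/hidraw*; do
        [ -e "$dev" ] || continue
        uevent="/sys/class/hidraw/${dev#/dev/}/device/uevent"
        grep -q '^HID_ID=0003:00001050:' "$uevent" 2>/dev/null || continue
        if [ -r "$dev" ] && [ -w "$dev" ]; then
            echo "$dev: accessible by $(id -un)"
            status=0
        else
            echo "$dev: Yubico device present but not accessible; replug it or log in again"
        fi
    done
    return $status
}

case "${1:-}" in
    install) install_u2f_rule ;;
    check)   check_u2f_access ;;
    *)       u2f_rule_text ;;  # default: just print the rule
esac
```

Run it as "sudo sh u2f-udev.sh install", replug the key, then "sh u2f-udev.sh check" as the normal user; if check reports the device as not accessible, the rule was loaded after the device was enumerated or the session is not the active seat.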
Q: Why doesn’t the YubiKey Personalization Tool recognize my Security Key?
A: The YubiKey Personalization Tool is used to program YubiKeys such as YubiKey 4 and YubiKey NEO, which offer other protocols in addition to U2F. The FIDO U2F Security Key by Yubico is a U2F-only device that cannot be programmed.