What is FIDO U2F?
U2F is an open authentication standard that enables internet users to securely access any number of online services with one single security key instantly and with no drivers or client software needed.
Where did U2F come from?
U2F was created by Google and Yubico, and support from NXP, with the vision to take strong public key crypto to the mass market. Today, the technical specifications are hosted by the open-authentication industry consortium known as the FIDO Alliance. U2F has been successfully deployed by large scale services, including Facebook, Gmail, Dropbox, GitHub, and many more.
Click here for a list of featured services that use FIDO U2F.
How it works – 3 options, 2 simple steps to authentication
Origin binding: defense against phishing
With the U2F-enabled Security Key, such as the YubiKey, user login is bound to the origin, meaning that only the real site can authenticate with the key. The authentication will fail on the fake site even if the user was fooled into thinking it was real. This greatly mitigates against the increasing volume and sophistication of phishing attacks and stops account takeovers.
What are the advantages of U2F?
- Strong security — Strong two-factor authentication using public key crypto that protects against phishing, session hijacking, man-in-the-middle, and malware attacks.
- Easy to use — Works out-of-the-box thanks to native support in platforms and browsers including Chrome, Opera, and Mozilla, enabling instant authentication to any number of services. No codes to type or drivers to install.
- High privacy — Allows users to choose, own, and control their online identity. Each user can also opt to have multiple identities, including anonymous, with no personal information associated with the identity. A U2F Security Key generates a new pair of keys for every service, and only the service stores the public key. With this approach, no secrets are shared between service providers, and an affordable U2F Security Key can support any number of services.
- Multiple choices — Open standards provide flexibility and product choice. Designed for existing phones and computers, for many authentication modalities, and with different communication methods (USB and NFC).
- Cost-efficient — Users can choose from a range of affordable devices online. Yubico offers free and open source server software for back-end integration through the Yubico Developer Program.
- Electronic identity — Identity proofing is offered for organizations requiring a higher level of identity assurance. Through service providers, it is possible to bind your U2F Security Key to your real government issued identity.
- Blog: Yubico Launches Passwordless Login with new Security Key and FIDO2
- Blog: Google Publishes Two-Year Study on Use of FIDO U2F Security Keys
- Blog: Over a Dozen Services Supporting FIDO U2F
- Blog: A milestone for wireless U2F
- Blog: FIDO U2F Now Offers Contactless, Tokenless, Passwordless Mobile Authentication
To learn more about U2F for developers, visit the Yubico Developer Program.