Creating the Unphishable Security Key

How the FIDO U2F security key and YubiKey stop phishing and man-in-the-middle attacks

Security is never stronger than its weakest link, and that weakest link is often the user. Not surprisingly, phishing attacks that target users are increasing not only in volume, but also in sophistication. Google knows that. Recently, the search giant updated their login security policy to enable users to set up security keys as their preferred and only authentication method, no longer requiring the use of SMS or a mobile authenticator app.

SMS and mobile authenticator apps are no longer effective at protecting against the modern man-in-the-middle phishing attacks that are able to hijack the session.

To prevent both state-of-the-art and old-school phishing attacks, Yubico and Google combined a number of advanced security features, listed below, when co-creating the FIDO Universal 2nd Factor (U2F) protocol, to deliver the unphishable key.

Origin bound keys
One of the most common phishing attacks is to trick users into visiting and logging in to a fake website, where the user gives away sensitive login data and performs a fraudulent transaction. With the increasing sophistication of hackers, it is becoming difficult for most users to see the difference between a fake and a real site. Some fake sites may even include the green light indicating a secure connection and an SSL certificate.

The latest sophisticated phishing attacks, so-called man-in-the-middle attacks, are even more aggressive: they hijack the communication between the user and the service, and automatically redirect the user to the fake website.

With the YubiKey and FIDO U2F Security Key, user login is bound to the origin, meaning that only the real site can authenticate with the key. The authentication will fail on the fake site even if the user was fooled into thinking it was real.

Verification of user presence
By requiring a simple human touch to trigger the key to authenticate, the YubiKey and FIDO U2F Security Key verify that the person logging in is a real live human behind the computer, and not a remote hacker, bot, or trojan.

No shared secrets
U2F relies on the concept of minting a cryptographic key pair for each service. This means that the authentication secrets for each service are not shared. By using public-key cryptography, the server only has to store the public key for the user. Furthermore, this enhances user privacy as different sites cannot learn for which sites the user has registered.
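
The relying-party check behind origin binding, user presence and public-key-only storage, as an added example (not Yubico's or Google's code). It assumes Node.js and an appId equal to the web origin; the origins, keys and `signAssertion` stand-in for the browser and key are constructed for illustration.

```javascript
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Constructed stand-in for browser + key. The browser, not the page, writes the
// origin into clientData; the key signs appParam || flags || counter || hash.
// Pessimistic model: a real key also refuses a key handle registered for
// another application parameter, so it would not sign for the fake origin.
function signAssertion(privateKey, origin, challenge, counter) {
  const clientData = JSON.stringify({ typ: 'navigator.id.getAssertion', challenge, origin });
  const tail = Buffer.alloc(5);
  tail.writeUInt8(0x01, 0);        // user-presence flag: the key was touched
  tail.writeUInt32BE(counter, 1);  // signature counter
  const signed = Buffer.concat([sha256(origin), tail, sha256(clientData)]);
  return { clientData, tail, signature: crypto.sign('sha256', signed, privateKey) };
}

// Relying-party check. Returns 'ok' or the reason for rejection.
function verifyAssertion(account, session, resp) {
  let cd;
  try { cd = JSON.parse(resp.clientData); } catch { return 'malformed clientData'; }
  if (cd.typ !== 'navigator.id.getAssertion') return 'wrong type';
  if (cd.challenge !== session.challenge) return 'challenge mismatch';
  if (cd.origin !== session.origin) return 'origin mismatch';
  // Rebuild the signed bytes from the server's own origin, never the client's claim.
  const signed = Buffer.concat([sha256(session.origin), resp.tail, sha256(resp.clientData)]);
  if (!crypto.verify('sha256', signed, account.publicKey, resp.signature)) return 'bad signature';
  if ((resp.tail[0] & 0x01) === 0) return 'user not present';
  if (resp.tail.readUInt32BE(1) <= account.counter) return 'counter replay';
  return 'ok';
}

function demo() {
  const real = 'https://login.example.com', fake = 'https://login-example.test'; // constructed
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const account = { publicKey, counter: 41 };  // the server stores no secret
  const session = { origin: real, challenge: crypto.randomBytes(32).toString('base64url') };
  const genuine = signAssertion(privateKey, real, session.challenge, 42);
  // Look-alike site relays the real challenge; the browser records the look-alike origin.
  const phished = signAssertion(privateKey, fake, session.challenge, 42);
  // Relay edits clientData to claim the real origin: the signed hash no longer matches.
  const rewritten = { ...phished, clientData: phished.clientData.replace(fake, real) };
  return {
    genuine: verifyAssertion(account, session, genuine),
    phished: verifyAssertion(account, session, phished),
    rewritten: verifyAssertion(account, session, rewritten),
    replayed: verifyAssertion({ publicKey, counter: 42 }, session, genuine),
  };
}

console.log(demo());
```

The relayed response fails on the origin field, and editing that field breaks the signature, so a password-style replay through a look-alike site has nothing usable to forward.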

Token binding
Token binding is an additional protection supported by FIDO U2F that secures the connection between the browser and the service to prevent man-in-the-middle attacks.

Token binding allows servers to cryptographically bind tokens (such as cookies and OAuth tokens) to the TLS layer, to prevent attacks where an attacker exports a bearer token from the user’s machine and presents it to a web service to impersonate the user. Token binding is used by FIDO U2F keys to bind the FIDO authentication token to the user agent’s TLS connection with the service.

Native platform/OS support
The YubiKey and FIDO U2F Security Key were intentionally designed so that no additional client software is required. With all the authentication software built into the key, this design brings zero friction for the user. Additionally, this eliminates the vulnerability and risk of compromise that comes from any extra client software that needs to be downloaded to a phone or computer.

Secure backup
Any authentication technology and device can be lost. The affordable hardware-based design of the security key makes it easy for users to set up multiple keys for their accounts. This approach enables secure backups for users at considerably lower support cost compared to using mobile phone authentication technology.

Ease of use
Last, but not least, the unphishable YubiKey and FIDO U2F Security Key were designed to be easy to use and deploy.

All these security features work seamlessly. For the user, it is just a simple touch to authenticate. To further simplify, services and users can choose their own policies on how often they need to authenticate with a security key. With the way Facebook has implemented FIDO U2F, users only need to register and authenticate once per trusted laptop or phone.

Any online service can easily add support for FIDO U2F using Yubico’s free and open source server code, and integration can be done within a few days. Alternatively, U2F can be implemented via Google and Facebook social login. Through this federation model, millions of websites and billions of users globally have access to online identity protection through unphishable security keys.

Learn more about FIDO U2F and social login.
