Updated Oct. 10, 2016 to include U2F support added to the Opera browser and Salesforce.
Creating standards is hard work that only sweetens when the market starts to arrive and validate the effort with real-world deployments.
On June 22, Bitbucket, GitLab, and Sentry all released support for FIDO U2F strong authentication in their cloud-based products. None of these companies are members of the FIDO Alliance or had an investment in developing U2F. Their sole motivation was finding and adopting the best authentication technology to help users protect their accounts. U2F’s public key crypto topped the list.
A month earlier, Compose, an IBM company offering hosted databases, also added U2F to its security feature list. This week, FastMail ushered its users into the U2F strong authentication revolution.
Again, neither had an investment in FIDO’s creation, but both recognize what’s become obvious to Dropbox, GitHub, Dashlane, Salesforce.com (adopted Oct. 2016), and Digidentity/UK Government (the UK recently joined FIDO, but the others are not members). U2F provides an environment for strong authentication that thwarts man-in-the-middle attacks, can’t be phished, and is easy to use.
Yubico is delighted, of course, that all these organizations are using U2F-compliant YubiKeys. There is also free and open source server code that Yubico and Google make available on GitHub (Google reference code, Yubico Server Libraries). But more important, these companies are validating FIDO Alliance protocols and the value of open, strong second-factor authentication.
These companies are not the only ones joining the U2F ecosystem. In fact, we first outlined an initial surge in U2F adoption 18 months ago.
Today, the market has taken on a new vibrancy as companies recognize that strong authentication provides security that counters the fallout from the unprecedented swell of password breaches. U2F authentication is a key security component for consumer-facing Web applications and existing identity and access management environments within enterprises. On top of that, adopters find that implementation requires less than a day’s worth of work.
Here is a list of the key platforms for U2F:
Browser support:
Google’s Chrome browser has long been the lone platform for U2F, but that has changed. The Opera browser (version 40) began supporting U2F in late September 2016. In addition, Mozilla hopes to wrap up U2F support in the Firefox browser in late 2016, with features on par with Google’s U2F implementation. In fact, the two have been consulting on this work with each other and the Yubico engineering team. Mozilla also plans to eventually support the WebAuthn APIs being developed by the World Wide Web Consortium (W3C) for secure browser login. Those APIs also factor into a more complete FIDO strong authentication ecosystem. Microsoft’s Edge browser will also support those APIs when they are finalized (projected early 2017). Edge plays a pivotal role in the company’s Windows 10 Hello authentication system, which accepts a number of strong authentication types, including U2F authenticators.
Cloud services:
Google added U2F support in the fall of 2014, and was followed by Dropbox, PushCoin, and GitHub in 2015. Dashlane, Bitbucket, GitLab, Salesforce, Sentry, Compose, and FastMail added support in 2016. For a detailed list, check the Yubico U2F page.
IAM software and services:
In 2015, StrongKey, Gluu, and RCDevs added U2F support in their platforms. Digidentity added U2F in 2016 as part of its partnership with GOV.UK Verify.
What’s next
FIDO is far from finished innovating. The Alliance donated a set of FIDO Web APIs to the W3C in late 2015 for formal standardization, which should be completed early next year. The APIs, coupled with forthcoming FIDO 2.0 features, improve Web-based security, add native platform support (Windows, Android, etc.), and include capabilities such as device-to-device authentication that uses FIDO’s public key cryptography. There are a host of new efforts developing in 2016, including FIDO coupled with identity federation to secure native applications on desktops and devices.