U2F, OIDC mix widens authentication options

The Universal Second Factor (U2F) protocol from the FIDO Alliance is an interesting authentication story on its own, but even more so when coupled with another emerging standard called OpenID Connect. With the pair, you can solve more authentication challenges than either could on their own.

U2F provides a way for users to authenticate to sites using a hardware cryptographic device. It does this by using public key cryptography, but without the problematic infrastructure of legacy PKI systems. A new key pair is generated for every service that the user connects to, offering a secure and privacy-preserving authentication system. U2F support is included on all but one version of Yubico’s Yubikeys.

However, this isn’t quite the whole story. The U2F protocol on its own doesn’t actually identify any particular user, it merely proves  someone has the device with control over a registered key. The user’s identity is intentionally left out of the U2F process, and it must always be bound to some kind of user account for it to represent a person.

OpenID Connect (OIDC), on the other hand, is an identity federation protocol that is in use across the internet. Built on OAuth 2.0, OIDC lets users log into a website using an Identity Provider (IdP) service. This approach lets users leverage one account across a multitude of sites across the web and gives people control over which attributes of their identity are asserted and to whom in a secure and privacy-controlled fashion.

However, this isn’t quite the whole story either. The OIDC protocol doesn’t authenticate the user but rather conveys that authentication across the network. OIDC still requires that the user authenticate at the IdP, somehow. This could happen with a username and password, a certificate, a hardware token, or any number of other things.

So we’ve ostensibly got two authentication protocols, but authentication is a many-faceted thing. Each of these protocols addresses a slightly different take on authentication, intentionally leaving gaps to be filled by other technologies and components. The good news is we can combine U2F and OIDC to solve an even wider array of challenges than either can address alone.

For instance, an OIDC IdP could use a U2F device as part of its primary authentication mechanism for its users. This approach allows the user to strongly protect the primary identity they use all over the web. Alternatively, or even additionally, the OIDC and U2F protocols can be used in parallel. With this option, OIDC acts as a user’s primary login to a service, but a U2F device is registered on top of this federated login for additional protections that the service itself can check.

Want more details? We’ve put together a whitepaper that compares and contrasts U2F and OIDC, and gives more information on how they could be used together, both today and in the future. This whitepaper is freely available for download under a Creative Commons license.

Justin Richer is a guest blogger. He is a consultant at Bespoke Engineering, a disruptive technologist, and open source and standards advocate.

Talk to our teamTalk to our team

Share this article:


  • Works with YubiKey Spotlight: Passkeys are here – are you ready?With 2025 at its midpoint, enterprises worldwide are grappling with how to protect their users and data against emerging challenges around user security. Since 2022, generative AI has fueled a 4,000% surge in phishing – exploiting human vulnerability in 68% of breaches. It’s no longer a question – the world has a password problem that […]Read morepartnerspasskeysWorks with YubiKeywwyk
  • Yubico LogoYubico liefert PIN-Verbesserungen mit dem neuen YubiKey 5 – Verbesserte PIN-SchlüsselUm sich auf die sich ständig weiterentwickelnden Cyber-Bedrohungen vorzubereiten, passen Regierungen weltweit die Authentifizierungsanforderungen für Online-Dienste an und aktualisieren sie, was direkte Auswirkungen auf viele Unternehmen und deren Mitarbeiter hat. Zwar gibt es derzeit keine universelle Regelung für eine robustere Multi-Faktor-Authentifizierung (MFA), doch wird deren Notwendigkeit in einer Reihe von Anforderungen hervorgehoben, darunter PSD2, DSGVO […]Read moreYubiKey
  • Yubico delivers PIN advancements with new YubiKey 5 – Enhanced PIN keysTo prepare for continuously evolving cyber threats, governments around the world are adapting and updating authentication requirements for online services which directly impact thousands of organizations and their employees. While there’s currently no universal regulation for more robust multi-factor authentication (MFA), the need is highlighted across a range of requirements including PSD2, GDPR, and the […]Read moreCompany NewsProduct NewsYubiKeyYubiKey 5 – Enhanced PINYubiKey 5 SeriesYubiKey as a Service
  • An inside look at Yubico’s transition to passwordlessBefore “passkey” became a familiar term in our industry, Yubico had long delivered hardware-backed and phishing-resistant FIDO2 based authentication. Today, the adoption of passkey usage is accelerating. However, it’s taken quite a bit longer to integrate passwordless authentication into the everyday, enterprise-grade authentication flows that are required for today’s businesses.  As long as it’s been […]Read moreOktapasswordless