U2F, OpenID Connect Align For Mobile Authentication

A year ago, Yubico described a cord-cutting mobile world where hard-wired ports were not needed to accommodate the security benefits of strong authentication.

Since then, growth in the mobile device market has continued its explosion, including 1.4 billion smartphones shipped worldwide in 2015, according to IDC.

Couple this development with standards work by the FIDO Alliance, Yubico, Google, and the OpenID Foundation and cord-cutters can start to see mobile security options — such as a single sign-on (SSO) experience and strong authentication to secure native apps — on mobile devices.

The power of OpenID Connect plus FIDO U2F

OpenID Connect and FIDO Universal 2nd Factor (U2F) are capable authentication technologies on their own, but when paired can solve more authentication challenges than either could on their own. For example, Google recently contributed a code project called AppAuth for both Android and iOS to the OpenID Foundation’s Connect Working Group. The code is used to maintain a state on the browser that provides an SSO-like experience to users of native mobile apps. Google’s AppAuth implementation for Android supports strong authentication to an identity provider using the YubiKey NEO, its Near Field Communication (NFC) function, and its U2F support.

A discussion of AppAuth’s capabilities and a demo of its incorporation of YubiKey NEO with NFC can be seen in this video from the March 2016 OpenID Foundation Summit. (Advance to 2:47:29 in the video.)

“[AppAuth] is important as it is the first real chance we have had for a standard to do SSO across native apps, and also make it easier for IdPs to support multi-factor authentication like FIDO without the ISV needing to support app wrapping or producing many customised versions for each deployment,” said John Bradley, an identity expert and officer of the OpenID Foundation.

Authentication via NFC is growing

Yubico’s support for NFC in the YubiKey NEO allows a tap of the key against a smartphone to release a one-time password (OTP) or FIDO U2F-based public key cryptography. Today, you can use YubiKey’s NFC feature with password manager LastPass (OTP) and development platform GitHub (U2F).

In parallel, Yubico engineers and other members of the FIDO Alliance are finalizing specifications and certification testing tools for U2F over Bluetooth transport. Challenges in pairing and security with Bluetooth has delayed progress, but we expect certification testing before June and to see certified U2F-over-Bluetooth authenticators later this year.

While the majority of enterprises will continue to access sensitive applications and resources from hard-wired laptops and desktops, secured mobile computing is the new carrot.

Mobile devices have become a de-facto connecting point, having moved from a demand to an expectation, and they are opening an array of new use cases and security questions. We are committing resources to stay in front of these user cases and minimize security issues.

These efforts are helping drive independent groups working on identity, authentication, and authorization standards to seek richer capabilities by combining their work such as the OpenID Foundation (OpenID Connect), the IETF (OAuth 2.0), and the FIDO Alliance. YubiKey is no stranger to this trend toward open protocols and open standards, given our ongoing commitments in this area.

All this is happening as mobile, protocols, and strong authentication are seeking the benefits of standards work. This convergence will produce the technologies that keep mobile users and their applications safe on their devices.

Talk to our teamTalk to our team

Share this article:


  • Navigating the PCI DSS 4.0 transition and meeting compliance with phishing-resistant YubiKeysIn just a few days, on March 31, 2025, decision makers in industries that involve payment processing – including financial services, retail & hospitality and telecommunications – are tasked to finalize the transition to Payment Card Industry Data Security Standard (PCI DSS) 4.0. This deadline marks a critical juncture for all organizations handling payment card […]Read moreNISTPCI DSSPCI DSS 4.0
  • Building cyber resilience with Yubico and MicrosoftIn today’s digital landscape, cyber threats are evolving at an unprecedented pace: every second, a phishing attack takes place. In fact, over 80% of these attacks are the result of stolen login credentials and almost 70% of phishing attacks relied on AI last year alone. Recent data from Microsoft Entra also reveals a staggering increase […]Read moreMFA mandatesMicrosoft
  • Yubico’s commitment to innovation: Phishing-resistance as a cornerstone for cyber resilienceAs phishing attacks have reached an unprecedented level of frequency and sophistication, enterprises must prioritize authentication that is phishing-resistant – regardless of the business scenario, platform or device users are working with. This is why Yubico prioritizes consistent product innovations that deliver on our customer’s needs for modern, phishing-resistant authentication solutions that enable businesses to […]Read more
  • CEO Corner: Wrapping up a strong year, and looking ahead to 2025 and beyondIt’s no secret that 2024 was a big year of growth for Yubico, highlighted across many notable achievements by our team and increasing demand from our customers. As discussed in my previous post, following a transformative year driven by key cybersecurity trends like passkeys and AI, the year culminated in the significant step of Yubico […]Read moreCEOEarningsMattias Danielsson