Google publishes two-year study on use of FIDO U2F Security Keys

February 25, 2016 3 minute read
FIDOSTEPS

Key words often associated with two-factor authentication focus on simplicity, privacy, and security. Those words, however, are broad terms that need definition in order for consumers and enterprises to form opinions and make educated buying choices.

FIDO Universal Second Factor (U2F) is no different, so Google recently published a research paper titled “Security Keys: Practical Cryptographic Second Factors for the Modern Web” to quantify the benefits the internet giant found in using U2F-based two-factor authentication.

The paper outlines Google’s use of FIDO U2F-based Security Keys, manufactured by Yubico, to harden security, improve user satisfaction, and cut support costs.

This data is far from anecdotal. It represents two years of research. The results, as compared to other two-factor authentication schemes tested by Google, showed the Security Key is simple to implement and deploy, easy to use, preserves privacy, and is secure against attackers.

Here are some eye-opening conclusions from Google’s research on its Security Key rollout:.

  • Users reduced, by nearly two-thirds, the time to authenticate with a Security Key as opposed to an OTP via SMS. Most of that time is based on the efficiency of the user since authentication executes in milliseconds.
  • In Google’s rollout, authentication failures fell to zero. The company’s support department estimates the switch from OTP tokens to Security Keys saved thousands of hours per year in cost. These efficiencies allowed Google to give each employee two Security Keys and still realize overall cost reductions.
  • Security Keys met other Google requirements that mandated simple APIs for developers, no user tracking, no identifiable user information on token as well as  protection against password reuse, phishing and man-in-the-middle attacks.

To date, the devices have been deployed to 50,000 employees, and Google reports “our users have been very happy with the switch: we received many instances of unsolicited positive feedback.”

Other technologies referenced and reviewed by Google included OTPs, mobile phones, smart cards, TLS client certificates, and national ID cards. Their research includes a comparison chart of second-factor options based on a respected usability framework published in 2012 by another group of researchers led by Joseph Bonneau, currently a researcher at the Applied Crypto Group at Stanford University.

The paper also spends a significant number of pages describing the technical underpinnings of Security Keys and how they relate to the larger concepts of simplicity, privacy and security.

Research conclusions point to immediate gain from Security Key deployments, but the findings are being offered as a starting point. “We hope this paper serves as an academic foundation to study and improve Security Keys going forward,” Google wrote.

In addition to those stats, Google has publicly presented other figures that compare Google Authenticator and Security Key. Google studies show the Security Key login process was four times faster compared to Google Authenticator (their mobile authentication app), and that use of U2F and public key crypto results in significant fraud reduction.

Share this article:

Recommended content

Google Accounts and YubiKeys Get Started

Set up a YubiKey to secure your Google Account within minutes to protect your account.

AWS Expands YubiKey Support with AWS SSO WebAuthn Integration

Another win for FIDO at the heels of its first industry conference, Authenticate 2020.  AWS Single Sign-On (SSO) has introduced native WebAuthn support to secure user access to AWS accounts and business applications using strong, FIDO-based multi-factor authentication (MFA) with YubiKeys.  Broader choice of authentication methods by AWS SSO is a win for modern authentication that has historically ...

Getting a biometric security key right

Today, we are excited to share some updates regarding the next highly-anticipated members of our YubiKey family: the upcoming YubiKey Bio in both USB-A and USB-C form factors. The YubiKey Bio will be the first product to introduce biometric capabilities (in addition to PIN) to our portfolio of YubiKeys.  Yubico has been considering adding biometrics ...