In an era of constant cyberthreats, enterprises are looking to beef up their security posture. A strategy being used by more and more companies is multi-factor authentication (MFA).
One of the most secure authentication methods is Fast Identity Online (FIDO) Universal Second Factor (U2F), an emerging universal standard for tokens with native support in platforms and browsers.
FIDO U2F is supported by the FIDO Alliance and has been deployed by large-scale services, including Facebook, Gmail, Dropbox, GitHub, and Salesforce.com. Additionally, FIDO U2F is an open authentication standard, which means that it is publicly available and has various use rights associated with it.
How FIDO U2F Works
FIDO U2F tokens enable users to quickly and securely access any website or online service that supports the FIDO U2F protocol using a single device.
To authenticate, a user simply inserts a universal serial bus (USB) token into any port. Then, the user presses the U2F token button and enters his or her password or PIN.
There are a number of benefits to using FIDO U2F for MFA, including:
FIDO U2F is a physical MFA method that cannot be intercepted or redirected. It is also not vulnerable to phishing attacks because the USB key only works with sites with which the user has registered. Additionally, it protects against session hijacking, man-in-the-middle, and malware attacks.
If the USB token is lost or stolen, there is no username information to be obtained. Therefore, it’s impossible for an attacker to determine who it could be used for and on which apps.
In addition to the security benefits outlined above, FIDO U2F enables secure recovery. Users can register two U2F devices with every service provider, in case one device is misplaced. Service providers can also supply the user with a backup code that can be stored in a safe place.
One compelling use case for FIDO U2F is passwordless account recovery. For example, giving employees a FIDO key along with registration for another method, such as mobile one time password (OTP), when they are onboarded. Employees would then be instructed to lock the FIDO key away somewhere safe and use mobile OTP daily.
Eventually, if an employee’s primary method becomes unusable—such as a mobile phone needing to be replaced—the user could then get their FIDO key and use it to log into a self-service portal to manage authentication methods. From there, the user could enroll a new primary authentication method. The FIDO key would then go back into the safety deposit box.
Easy to Use
FIDO U2F works out of the box with native support in platforms and browsers. Because FIDO U2F is a hardware-based authentication, there is no need to enter codes or install drivers. Furthermore, a single token can have keys for many different sites and apps, so there’s no need for an individual to have multiple tokens.
This ease of use makes FIDO U2F an attractive option for young students who have trouble remembering passwords. Teachers can provide an enrolled FIDO U2F key at the beginning of each class that students can use to access their online resources.
Strong Privacy Protections
With FIDO U2F, users can choose and control their online identity. Users can choose to have multiple identities or even keep their identities anonymous with no personal information associated.
Additionally, U2F devices generate a new pair of keys for each service. Only the service stores the public key, so no secrets are shared between service providers.
These privacy protections make employing FIDO U2F as a hardware authentication method on public or shared computers a smart choice. After all, login is secured by the device, nothing is cached, and the token can be carried around once the user logs out.
FIDO U2F is interoperable and is backed by leading internet and financial services firms.
Flexibility in Choice
Finally, FIDO U2F is designed for many authentication modalities, such as keychain devices or integration directly into computing devices.
As with any authentication method, FIDO U2F does have limitations that must be taken into consideration.
Not Widely Supported
Because FIDO U2F is a relatively new authentication method, it is not supported by many websites. In addition, Chrome and Firefox are currently the only browsers that support U2F.
It can be costly to purchase the tokens ($10 to $20 each). While not a high cost when looked at individually, this can quickly add up for a large organization. On the other hand, there is low cost per user because a single token can have keys for many different sites and apps.
Have to Carry a Token
Another drawback is that the user has to carry around a token, which could be forgotten or lost.
Wear and Tear
For enterprises, the daily use of the U2F tokens can lead to premature wear and tear on USB ports.
In sum, FIDO U2F offers very strong security and privacy. It is a newer MFA method that overcomes many of the security flaws of other methods, making it one of the most secure and easy-to-use methods available today.
However, FIDO U2F is still fairly new and not as widely supported as more mature authentication options. There is also hardware cost associated with each token.
Is FIDO U2F right for your MFA needs? That depends on your security priorities. However, we expect it to continue to gain support and adoption with prevalence of sophisticated security breaches driving organizations to seek more secure authentication methods.