Do you have U2F (Universal 2nd Factor) enabled for your company?
Many of the organizations we consult with do not have two-factor authentication enabled for their employees. The reasoning behind that decision usually comes down to upfront cost, privacy concerns, and usability. Leaving it disabled opens the organization to account takeover through phishing. Universal 2nd Factor (U2F) solutions, however, have made significant advances in all three areas.
U2F (Universal 2nd Factor) is an authentication standard that uses one key for multiple services. It simplifies and elevates the security provided by 2FA (two-factor authentication).
In the U2F protocol the service sends a cryptographic challenge to a device (typically a USB key fob) owned by the user, and the device signs it. A password starts the process, but the signed response from the key is required to gain access.
The FIDO U2F protocol was developed in 2014, and since then, the standards have been honed, refined, and updated. More users are growing accustomed to the idea of cryptographic keys. Some even demand this protection to keep their data safe and secure.
In simple terms, a U2F process looks like this:
Password: The user heads to a website and enters a username and password recognized by that site.
Challenge: Once the username and password are accepted, the site sends a random challenge to the key the user has plugged into a USB port. The browser hands the challenge to the key together with the origin of the site that requested it, so the resulting signature is bound to that site rather than to a look-alike domain.
Response: The key lights up or otherwise signals that a challenge is pending. The user touches the button to prove physical presence; the key then signs the challenge and returns the signature, which the site verifies against the public key it stored at registration.
The FIDO specification uses public-key (asymmetric) cryptography: registration generates a key pair per service, the private key never leaves the device, and the service stores only the public key. The key also talks to the host over the USB human interface device (HID) class, so users don't need to install a driver or any software to make it work.
Users should keep a spare security key registered and available at all times. If the only key is lost, regaining access to protected resources is difficult by design: U2F puts security ahead of convenience, so people must look after their keys once they are enrolled.
Most keys aren't Bluetooth enabled, so they don't require batteries or maintenance. Plugged into a USB port, they keep working until physically destroyed. They are designed so the private keys cannot be extracted, and each response carries a signature counter that lets a service notice a cloned key whose counter has fallen behind the genuine device's.
The traditional second-factor strategies have been a push notification through a mobile application, or an SMS or email carrying a code the employee must type in or accept. These deployments carry costs and privacy implications that many organizations want to avoid:
Employees require a mobile device with data to receive a notification or email
Employees aren’t comfortable with having the organization enact additional security controls on their mobile devices (e.g., mobile device management policies that can wipe devices)
Usability suffers: codes must be retrieved and typed, and the flow is hard for many users to understand
Additionally, these deployments still leave the risk of an attacker bypassing the second factor through social engineering: a phishing page that relays the victim's password and one-time code (or triggers the push prompt) to the real site in real time logs the attacker in, because nothing ties the code to the site the user is actually looking at.
Take a look at how fast and easy an attack against two-factor can be in this short 4-minute video.
To combat all of these risks, Google and Yubico developed the Universal 2nd Factor (U2F) standard, which is now hosted by the FIDO Alliance. U2F allows the use of hardware security keys that let users log in by pressing a button on the key. Google has used U2F since early 2017 and reports no successful phishing attacks against its 85,000+ employees since deployment. Google has been using Yubico Security Keys but has recently begun developing its own Titan Security Keys.
U2F protects against phishing and man-in-the-middle attacks on the login itself because the browser binds every signed response to the origin of the page that requested it: a response obtained on a look-alike domain is rejected by the real site, so an intercepted response is useless to the attacker. It does not protect a session after login, so session cookies still need the usual care. As of May 2018 it is compatible with all major web browsers except Microsoft Edge, where support has been announced as in development. Acceptance of U2F is beginning to ramp up, with Microsoft and Google among the early adopters of the standard for their authentication mechanisms. For a full list of U2F-compatible services, visit DongleAuth.
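As an added example (not code from the original post, nor from Google, Yubico or the FIDO Alliance), the Go program below simulates the Password/Challenge/Response exchange described above and the two properties just claimed: the browser binds each signature to the requesting site's origin, and the signature counter exposes a cloned key. It also shows why the real-time relay that defeats one-time codes fails against U2F. The type and function names, the origins bank.example and bank-example.net, and the fixed challenge strings are constructed for the illustration; the signed layout (app-ID hash, user-presence byte, counter, client-data hash) follows the U2F raw message format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// securityKey models a U2F device (hypothetical name): one P-256 key pair per registered application ID,
// never exported, and a counter bumped on every signature.
type securityKey struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

// register creates a key pair for appID; only the public key goes to the service.
func (k *securityKey) register(appID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	k.keys[appID] = priv
	return &priv.PublicKey
}

// sign is the Response step. The browser, not the page, supplies appID, so a phishing page can only
// obtain a signature bound to its own origin.
func (k *securityKey) sign(appID string, cd []byte) (uint32, []byte, error) {
	priv, ok := k.keys[appID]
	if !ok {
		return 0, nil, errors.New("no key registered for this application ID")
	}
	k.counter++ // the button touch (user presence) is assumed
	d := signedDigest(appID, k.counter, cd)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, d[:])
	return k.counter, sig, err
}

// signedDigest hashes the U2F authentication layout:
// SHA-256(appID) || user-presence byte || 4-byte big-endian counter || SHA-256(clientData).
func signedDigest(appID string, counter uint32, cd []byte) [32]byte {
	appHash, cdHash := sha256.Sum256([]byte(appID)), sha256.Sum256(cd)
	msg := append(append([]byte{}, appHash[:]...), 0x01, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(msg[33:], counter)
	return sha256.Sum256(append(msg, cdHash[:]...))
}

// clientData is assembled by the browser, not by the page: the challenge plus the requesting origin.
type clientData struct{ Challenge, Origin string }

func browserClientData(challenge, origin string) []byte {
	b, _ := json.Marshal(clientData{challenge, origin})
	return b
}

// relyingParty is the service: it stores only the public key and the last counter seen.
type relyingParty struct {
	appID   string
	pub     *ecdsa.PublicKey
	counter uint32
}

func (rp *relyingParty) verify(challenge string, cd []byte, counter uint32, sig []byte) error {
	var c clientData
	if err := json.Unmarshal(cd, &c); err != nil {
		return err
	}
	if c.Challenge != challenge || c.Origin != rp.appID {
		return errors.New("challenge or origin mismatch: response was produced for " + c.Origin)
	}
	d := signedDigest(rp.appID, counter, cd)
	if !ecdsa.VerifyASN1(rp.pub, d[:], sig) {
		return errors.New("bad signature")
	}
	if counter <= rp.counter {
		return errors.New("counter did not advance: possible cloned key")
	}
	rp.counter = counter
	return nil
}

// runScenarios plays a legitimate login, a real-time phishing relay and a cloned key against the
// relying party. Origins and challenges are constructed; a real server draws random challenge bytes.
func runScenarios() map[string]error {
	const bank, evil = "https://bank.example", "https://bank-example.net"
	key := &securityKey{keys: map[string]*ecdsa.PrivateKey{}}
	rp := &relyingParty{appID: bank, pub: key.register(bank)}
	key.register(evil)                                          // the victim also enrolled the key on the attacker's site
	clone := &securityKey{keys: key.keys, counter: key.counter} // attacker somehow copied the secrets
	out := map[string]error{}
	// 1. Legitimate login from the real origin.
	cd := browserClientData("challenge-1", bank)
	ctr, sig, _ := key.sign(bank, cd)
	out["legitimate"] = rp.verify("challenge-1", cd, ctr, sig)
	// 2. The attacker relays the bank's challenge to the victim on the look-alike domain.
	cd = browserClientData("challenge-2", evil)
	ctr, sig, _ = key.sign(evil, cd)
	out["phishing relay"] = rp.verify("challenge-2", cd, ctr, sig)
	// Rewriting the origin field does not help: the signature covers the app-ID hash and the client data hash.
	out["phishing relay, origin rewritten"] = rp.verify("challenge-2", browserClientData("challenge-2", bank), ctr, sig)
	// 3. The clone's counter lags behind the genuine device, which has already signed twice.
	cd = browserClientData("challenge-3", bank)
	ctr, sig, _ = clone.sign(bank, cd)
	out["cloned key"] = rp.verify("challenge-3", cd, ctr, sig)
	return out
}

func main() {
	for name, err := range runScenarios() {
		fmt.Printf("%-34s -> %v\n", name, err)
	}
}
```

Running it prints a nil error for the legitimate login and a rejection reason for each of the three attacks. The phishing relay fails twice over: the client data names the wrong origin, and even after the attacker edits that field the signature no longer matches, because the key signed the hash of the attacker's app ID and of the client data the browser really produced. The clone is caught only by the counter, which is why a service should store and compare it rather than just verify the signature.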
The advantages of U2F make it worth considering for deployment. It is not only more secure and easier to use, it also costs roughly $20 a device. If you're worried about phishing attacks, consider deploying a U2F solution to protect your most critical assets.
In today's modern threat landscape, having a strong foundation is critical. Does your organization have U2F enabled for two-factor authentication yet?