The FIDO Alliance started as an answer to the security problems of the typical username/password login. Passwords alone are no longer considered adequate protection: they are reused across sites, phished, and leaked in bulk. Despite that, several barriers have slowed the adoption of stronger authentication. In the past, consumers found the user experience (UX) of alternative authentication methods poor. The main barrier, however, has been that online companies and service providers did not want to take on the cost and technical expertise of building and running their own authentication systems.
The FIDO Alliance was created to end the world's reliance on passwords as the standard authentication method. It is an open industry association whose goal is to make authentication both more secure and easier: simpler for service providers to offer and more convenient for consumers to use.
What Are FIDO and U2F?
U2F is an open authentication standard that lets keychain devices, mobile phones and other devices act as a second factor for any number of web services, instantly and with no drivers or extra software. U2F was created by Google and Yubico, with contributions from NXP, and is today hosted by the open-authentication industry alliance FIDO. The technical specifications were published in late 2014, together with native support in Google Accounts and Chrome, and have since grown into a thriving ecosystem of hardware, software and service providers.
FIDO Universal 2nd Factor (U2F) lets a user protect a variety of online services with a single hardware security key. Because the key speaks a standard protocol that browsers already understand, nothing has to be purchased, downloaded or installed on the client beyond the key itself.
Why FIDO U2F?
SMS text messaging is a weak form of two-factor authentication. In a SIM-swap attack, the attacker calls your phone provider, pretends to be you, and convinces a support employee to move your number to a SIM card the attacker controls. No strong proof of identity is required, only a convincing story, and some attackers are very good at this. Once your number is theirs, every SMS code sent to "you" arrives on their phone. SMS is widely regarded as the weakest link in account security, and most people still do not understand the risk.
One of the biggest blockchain VCs, Bo Shen, had over $300,000 stolen by an attacker using exactly this weak link: SMS text messaging. It is a huge problem that many people are still unaware of.
With FIDO U2F, an attacker who wants to impersonate you to steal personal data or money from your bank account needs more than your password or an intercepted code: they need physical possession of your hardware security key, and a phishing site cannot use the key at all because the key's signature is bound to the genuine website's origin. A FIDO U2F security key does not make an account literally fool proof (you still have to protect the key itself, and you should register a backup key in case it is lost), but it removes the remote attacks (phishing, credential stuffing, SIM swapping) that drive most account takeovers.
How Does FIDO U2F Work?
FIDO U2F Token Registration:
- The user is asked to select one of several FIDO authenticators that are part of the service's acceptance policy.
- The user unlocks the FIDO authenticator with a local gesture. For a U2F security key this is a touch of the button, which proves user presence; other FIDO authenticators may use a PIN or a fingerprint instead.
- The authenticator generates a new public/private key pair that is unique to this device, this online service (identified by its application ID, normally the site's origin) and this user account.
- The private key, and any local unlock data such as a fingerprint template, never leave the device. The public key, together with an opaque key handle that tells the device which private key to use later, is sent to the online service and stored with the user's account.
FIDO U2F Token Verification:
- The online service challenges the user to log in with a previously registered device that meets the service's acceptance policy.
- The user unlocks the FIDO authenticator with the same gesture used at registration (for a U2F key, a touch of the button).
- The browser passes the service's challenge and key handle to the device, along with the origin of the page the user is really on. The device selects the private key that belongs to that key handle and signs the challenge together with a hash of that origin, which is what makes the signature useless to a phishing site.
- Lastly, the device returns the signed challenge to the online service, which verifies the signature with the stored public key and, if it checks out, logs the user in.
Advantages of FIDO U2F
Strong security — Strong two-factor authentication using public key cryptography. Each signature is bound to the genuine site's origin, so it protects against phishing and man-in-the-middle attacks, and because the private key never leaves the device and each use requires a physical touch, credential-stealing malware on the computer cannot copy it or use it silently.
Easy to use — Works out of the box thanks to native support in platforms and browsers including Chrome, Microsoft Edge and Mozilla Firefox, giving instant authentication to any number of services. No codes to type and no drivers to install.
High privacy — Users choose, own and control their online identity, and can keep multiple identities, including anonymous ones with no personal information attached. A U2F security key generates a new key pair for every service, and only that service stores the public key, so no secret is shared between service providers and accounts at different services cannot be linked through the key. One affordable U2F security key can therefore serve any number of services.
Multiple choices — Open standards provide flexibility and product choice. Designed for existing phones and computers, for many authentication modalities, and for different transports (USB and NFC).
Cost-efficient — Users can choose from a range of affordable devices sold online. Yubico offers free and open source server software for back-end integration through the Yubico Developer Program.
Examples of FIDO U2F Products:
THE BEST SECURITY KEY FOR MOST PEOPLE: YUBIKEY 5 NFC
The Yubico YubiKey 5 NFC, which has both a USB-A connector and wireless NFC, is the best security key for logging into your online accounts and services, macOS computers, Android devices, and the iPhone 7 and later.
The key itself is "made in the USA and Sweden" and comes in a simple cardboard and plastic package. It has a single, easily identifiable gold disc that you touch to confirm a sign-in, and a hole for a key ring so you do not lose your valuable security key. It is also very durable, waterproof and crush resistant.
Yubico sells the YubiKey 5 NFC individually, as a two-pack, a 10-pack, or a set of 50 if you need that many keys for a team.
THE BEST SECURITY KEY FOR USB-C USERS: YUBIKEY 5C
Yubico also makes a USB-C security key that supports the same OTP, smart card, OpenPGP, FIDO U2F and FIDO2 standards as the USB-A version, but without NFC. Another trade-off: the YubiKey 5C costs more than the NFC version. But if your desktop system or Android phone has a USB-C port, this is the best security key for you.
Unfortunately, the 5C does not work with iOS devices, which need a Lightning port. According to Yubico, the company plans to release a Lightning security key later this year.
The 5C key is water-resistant but very small and easily misplaced, so you should attach it to a keychain.
The Other Contenders
THETIS FIDO U2F SECURITY KEY
Picture taken from: https://thetis.io/collections/fido2/products/thetis-fido2-security-key
- Aluminium alloy casing rotates 360 degrees, protecting the USB connector
- Cheaper than the other keys
- The rotating casing is stiff at first
- Cannot be used with mobile devices
Google Titan Key
Picture taken from: https://cloud.google.com/titan-security-key
- Includes two keys (one USB-A, one Bluetooth)
- Both keys are small and can be attached to a keychain
- Bluetooth takes some time to set up
- White paint easily chips off on the Bluetooth module
A U2F security key is a physical device that you plug into a USB port on your computer (or tap against an NFC reader) after entering your password. It holds a private key matched to the public key registered with each of your accounts, such as Gmail or Facebook, and proves possession of that private key by signing a challenge from the site. Without the physical key, nobody can complete the login. So even if a hacker or a keylogger captures your password, the password alone is useless, and a phishing site cannot reuse the key's signature because the signature is tied to the real site's address.
Setting this up for the first time can feel overwhelming, but once you have done it you will sleep better at night. Hackers keep getting more advanced and sneakier, so the sooner you get one of these physical U2F keys, the better. Cars and houses need physical keys; so should your accounts.
To find out more about YubiKey, please visit our website at https://dtasiagroup.com.hk/yubikeys/, contact us with any enquiries about YubiKey, and visit our DT Asia HK Facebook page at https://www.facebook.com/dtahongkong/.