Two-factor authentication gets physical with USB U2F devices
I’ve written a few times about two-factor authentication (2FA), where a password (something you know) is paired with a second item, like a device-generated token or one-time code sent via SMS (something you have). A password can be stolen or sometimes extracted, so a second factor makes it substantially more difficult for someone who lacks physical access to you or your stuff to break into one of your accounts. This restricts attackers from accomplishing wholesale attacks across thousands or millions of accounts, unless 2FA is badly implemented or attackers find an exploit.
While Apple has tried to take the pain out of 2FA through its trusted device approach with iCloud accounts, many people still believe this is too complicated for average users to employ. There needs to be something powerful, simple, and ubiquitously supported, they argue—as do I. Apple’s solution only works for people fully embedded in Apple’s ecosystem and only for some of Apple’s services.
2FA apps, like Authy and Google Authenticator, are good alternatives if you’re in frequent need of a second factor. They’re relatively simple to set up, but they’re still not for everyone. And even though I use such apps every day, I confess that I sigh as I walk through the several straightforward steps to pull up the necessary app and then type in a confirmation factor.
A new hope
There’s hope for even greater simplicity, though, from the wonkily named FIDO Alliance U2F standard. FIDO (Fast IDentity Online) comprises a group of security, hardware, and online finance companies trying to set broad standards for better authentication; U2F stands for Universal 2nd Factor. U2F is built into hardware, like a USB dongle, that contains cryptographic hardware to provide the second okey-dokey for a login or session.
A U2F device is registered to a service or website, just like setting up code-based second-factor verification. The cryptographic handshake during registration ensures that only the key in the U2F device can be successfully used to answer a second-factor challenge in the future. In two versions I tested from Yubico, a hardware authentication device maker that is out in front on this technology, the circuitry is also tamper-resistant and its firmware can’t be updated.
Instead of a keyfob or card that generates a time- or sequence-based key on a display that you then type in, a U2F key is plugged into the USB port of your device, such as a laptop, when you’re going to log into an account. In some cases, plugging in the device is enough; with other devices, you may need to tap a button to send the information.
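The registration and login exchange described above, as an added sketch in Node.js; it is not code from this column, Yubico, or the FIDO Alliance. It is a simplified model rather than the U2F wire format, and ToyU2FDevice, ToyService, login, and serviceTag are hypothetical names.

```javascript
// Added illustration: simplified model of U2F registration and login.
// Not the U2F wire format; all class, function and service names are hypothetical.
const nodeCrypto = require('node:crypto');

// Fixed-length tag for a service, mixed into every signed message.
const serviceTag = (id) => nodeCrypto.createHash('sha256').update(id).digest();

// Stands in for the hardware key: private keys never leave this object.
class ToyU2FDevice {
  constructor() { this.keys = new Map(); } // service ID -> private key
  // Registration: create a fresh P-256 key pair, release only the public half.
  register(serviceId) {
    const { publicKey, privateKey } =
      nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(serviceId, privateKey);
    return publicKey;
  }
  // Login: sign the challenge, but only if the button was touched.
  sign(serviceId, challenge, buttonTouched) {
    const key = this.keys.get(serviceId);
    if (!key || !buttonTouched) return null;
    return nodeCrypto.sign('sha256', Buffer.concat([serviceTag(serviceId), challenge]), key);
  }
}

// Stands in for a website that accepts the key as a second factor.
class ToyService {
  constructor(id) { this.id = id; this.publicKeys = new Map(); this.pending = new Map(); }
  enroll(user, device) { this.publicKeys.set(user, device.register(this.id)); }
  // Fresh random challenge per attempt, so a captured response cannot be replayed.
  newChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    const publicKey = this.publicKeys.get(user);
    this.pending.delete(user); // each challenge is single-use
    if (!challenge || !publicKey || !signature) return false;
    const msg = Buffer.concat([serviceTag(this.id), challenge]);
    return nodeCrypto.verify('sha256', msg, publicKey, signature);
  }
}

// One login attempt: the service challenges, the device answers, the service checks.
function login(service, user, device, buttonTouched = true) {
  const challenge = service.newChallenge(user);
  return service.verify(user, device.sign(service.id, challenge, buttonTouched));
}
```

One device can enroll with several services because each enrollment gets its own key pair, and a second device that was never enrolled fails verification even though it can produce signatures.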
Yubico accomplishes this without drivers by masquerading its keys as USB keyboards. The OS recognizes the device, but then an app has to know how to communicate with the key to handle the right back and forth to accept the verification token. For mobile devices, this means a USB adapter for a standard Type A plug is needed.
Yubico’s keys, the Premium Neo ($50), the Premium Neo-N ($60), and the FIDO U2F Special Security Key ($18), have an integral button. The Premium Neo includes NFC. (Yubico hopes Apple opens up its NFC support to allow direct NFC validation.) I tested the Neo-N and Special Security Key. The Neo-N is so tiny it’s quite difficult to pull out of a deep USB port, and the Special Key has a keychain hole for ease of carrying.
So far, there’s little support as the standard and hardware are new, but Google is a backer of the spec, and lets you substitute a U2F key for other second-factor methods of authentication with a Google account when used via the Chrome browser in Mac OS X and on other platforms.
U2F is very easy to implement, from all reports, and the broad participation in the FIDO Alliance’s board by major firms suggests that wider support is likely. Allowing U2F as a second factor doesn’t close down other options for authentication. (Yubico has other key types that simply simulate typing a password, and which work more universally; some of its U2F-supporting hardware includes that functionality.)
A U2F key can be registered to multiple accounts and it can’t be password protected. So it’s as useful as an app, in that only a single piece of hardware is required to generate appropriate codes for multiple accounts. But it’s as vulnerable as a security dongle, since mere possession obliterates the second-factor advantage. Someone who physically obtained your U2F key would still need your password or other first factor. An app or computer-based second factor can still be better, by requiring an ostensibly different password to unlock a computer or mobile device before obtaining the second factor.
Will U2F keys sweep the land? It’s hard to imagine them becoming a required item on every keychain, but I dare say that they are so much simpler to use than anything currently outstanding, that they should sweep in another broader circle of users who won’t be bothered with today’s methods. If Apple opens up NFC access as is generally anticipated, such keys can become a touch-and-go second factor with even less fuss.
An update on Touch ID and compulsion
In my first Private I column, I mentioned that Touch ID had a problematic component: you could be compelled to unlock a device, either by force or by law. “An individual or agent of others who want some of your information must only get ahold of your device, ensure it hasn’t been rebooted, and then be able to hold an appropriate digit still for long enough to validate one’s fingerprint.”
A few weeks later, a circuit court judge in America ruled that while one’s own passwords cannot be demanded during an investigation, as that is a form of self-incrimination and constitutionally protected, a fingerprint is not, even if it unlocks your data.
While that is just one court, its decision is in line with more generally accepted notions that DNA, blood, and the like don’t constitute self-incrimination.
Glenn Fleishman is the editor and publisher of The Magazine, a regular contributor to Boing Boing and the Economist, and a senior contributor to Macworld.