How the FIDO Alliance's U2F could simplify two-factor authentication

A USB key drive or other small device could become a convenient, yet safe, authentication tool

We've had enough malware campaigns and data breaches to confirm the need for better data protection online. The Universal 2nd Factor (U2F) standard is a step in the right direction, and the first compatible devices are coming out now.

U2F is an open authentication standard. It was initially developed by Google, but it's now managed by the FIDO (Fast Identity Online) Alliance. The FIDO Alliance also includes household names like Microsoft, Mastercard, Visa, PayPal, Discover, Samsung, and BlackBerry among its members.

Two-factor, or multi-factor, authentication has long been promoted as a more effective security mechanism, but it's a hassle, requiring you to juggle passwords with a second factor such as a texted code or an authentication app. U2F proposes to streamline the process using a U2F-enabled USB or NFC key fob, card, or mobile device alongside traditional authentication methods. All you have to do is use a Web browser with built-in support and native drivers.

Users must first register the U2F device with sites or services that support U2F authentication, such as webmail or banking sites. You must insert the U2F device into a USB port, enter your traditional username and password credentials, and then touch the U2F device to generate secure login credentials. Because successful authentication relies on interaction with the U2F device, U2F protects against common attacks like session hijacking, man-in-the-middle attacks, advanced Trojans, and other malware.
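As an added illustration (not code from the article or from the FIDO Alliance), the sketch below shows the checks a site can run on a U2F login response before verifying its signature, following the raw message layout in the FIDO U2F specification. The appId, challenge and sample responses are constructed, the appId is assumed to equal the site origin, and the ECDSA P-256 verification over the returned bytes is left to a crypto library.

```python
import hashlib, json, struct

APP_ID = "https://login.example"   # constructed appId; assumed equal to the site origin
CHALLENGE = "Y29uc3RydWN0ZWQ"      # constructed challenge the server issued for this login

class U2FError(Exception):
    pass

def check_assertion(client_data, raw_response, expected_challenge, stored_counter):
    """Relying-party checks on a U2F login response, before signature verification.

    Returns (new_counter, signed_bytes, signature). The caller must still verify
    `signature` over `signed_bytes` with the public key stored at registration.
    """
    data = json.loads(client_data)
    if data.get("typ") != "navigator.id.getAssertion":
        raise U2FError("wrong message type")
    if data.get("challenge") != expected_challenge:
        raise U2FError("challenge mismatch")          # replayed or forged response
    if data.get("origin") != APP_ID:
        raise U2FError("origin mismatch")             # browser was talking to another site
    if len(raw_response) < 6:
        raise U2FError("truncated response")
    presence, counter = struct.unpack(">BI", raw_response[:5])
    if not presence & 0x01:
        raise U2FError("user presence not asserted")  # device was not touched
    if counter <= stored_counter:
        raise U2FError("counter did not increase")    # possible cloned device
    # Bytes the device signed: SHA-256(appId) || presence || counter || SHA-256(clientData)
    signed = (hashlib.sha256(APP_ID.encode()).digest() + raw_response[:5]
              + hashlib.sha256(client_data).digest())
    return counter, signed, raw_response[5:]

def sample(origin, presence=1, counter=42):
    """Constructed (client_data, raw_response) pair; the signature is dummy filler."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": CHALLENGE, "origin": origin}).encode()
    return client_data, struct.pack(">BI", presence, counter) + b"\x30" * 70

def verdict(client_data, raw_response, stored_counter=41):
    try:
        check_assertion(client_data, raw_response, CHALLENGE, stored_counter)
        return "ok"
    except U2FError as exc:
        return str(exc)

if __name__ == "__main__":
    print(verdict(*sample("https://login.example")))
    print(verdict(*sample("https://other-site.example")))
    print(verdict(*sample("https://login.example", presence=0)))
```

Because the browser writes the origin it is actually connected to into the client data, and the device signs a hash of that data, a response collected on a look-alike site fails the origin check here and would fail signature verification against the real appId.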

Yubico and Plug-up are the two primary providers of U2F-enabled devices. Today, Duo Security announced that it joined the FIDO Alliance and now offers U2F support in its FIDO-ready products. Duo Security provides cloud-based two-factor authentication for more than 5,000 companies around the world, including Facebook, Toyota, Sony, and Etsy. With Duo Security committing to the FIDO Alliance and supporting U2F, Duo Security customers will now be able to support U2F as well.

Google revealed that it now supports U2F as part of the two-factor authentication for Google sites and services. It also announced that the Chrome Web browser supports U2F authentication. Chrome is available for ChromeOS, Windows, Mac OS X, and Linux, so U2F protection is accessible to users on every major platform.

Two things make U2F a more effective approach to two-factor authentication, and more likely to succeed in gaining mainstream acceptance. First, it's an open standard, so it's easier for organizations to implement it. That means that a user with one U2F device can take advantage of two-factor authentication across a potentially vast array of sites and services.

The second factor that will drive the success of U2F is its simplicity. Granted, touching the U2F device is still less convenient than just entering a username and password, but when it comes to two-factor authentication it doesn't get much simpler than that.

The FIDO Alliance and its U2F standard are young, but they can boast major supporters in the tech and financial worlds. As more household names join the party and support U2F authentication, it could emerge as a widely accepted standard for two-factor authentication.

As of right now, the only Web browser that supports U2F is Google Chrome. With Microsoft on board as a member of the FIDO Alliance, though, it seems reasonable to expect Internet Explorer to support U2F in the near future.


Stories by Tony Bradley
