U2F

YubiKey


What is Yubico Key?

The Yubico Key, or YubiKey, enables two-factor authentication using a small hardware device with a single button. Using the YubiKey takes three simple steps:

  1. Sign in with your usual username and password
  2. Insert the YubiKey and touch the button
  3. You are now signed in

The YubiKey adds another layer of security to the login process, so that at least two separate authentication steps are required.

Multi-factor authentication (MFA) requires several separate authentication stages in order to reduce the risk of online identity theft. These stages must be based on presenting credentials from three different categories:

  • Knowledge - Something you know
  • Possession - Something you have
  • Inherence - Something you are

The YubiKey is in your possession, so it is something you have. Using it as a second factor together with a username and password (something you know) increases security a great deal, even though not all three aspects of multi-factor authentication are used.

Fast Identity Online - FIDO

The Fast Identity Online (FIDO) Alliance is an industry consortium that aims to specify easy-to-use support for a wide range of authentication technologies, such as biometrics, security tokens, smart cards, NFC and other established authentication methods.

The FIDO Alliance has two sets of specifications: one focused on the passwordless experience (UAF) and one focused on the second-factor experience (U2F). Both address a wide range of use cases and deployment scenarios to simplify the authentication experience in an online world.

FIDO has described eight privacy principles to protect the privacy of users of services built on the FIDO specifications. The eight principles are:

  • Require explicit, informed user consent for any operation using personal data
  • Provide clear context to the user for any FIDO operation
  • Limit collection of personal data to FIDO-related purposes
  • Use personal data only for FIDO operations
  • Prevent identification of a user outside of FIDO operations
  • Biometric data must never leave the user's personal computing environment
  • Protect FIDO-related data from unauthorized access or disclosure
  • Allow users to easily view and manage their FIDO Authenticators

Universal Second Factor - U2F

U2F is an open authentication standard that enables secure two-factor access to web-based services using devices such as mobile phones or keychain tokens. The main idea is to grant a user instant access to a website with no extra client software needed.

There are many advantages to using U2F authentication; some of them are:

  • Strong security - Uses public key cryptography and native browser support, which protects against man-in-the-middle attacks and eavesdropping.
  • Easy to use - Works out of the box on multiple services.
  • High privacy - Users own and control their online identity.
  • Multiple choices - Works on existing phones and computers, with different authentication methods such as keychain tokens (USB), fingerprint readers, NFC and many more.

One product that supports U2F is the Yubico Key, or YubiKey, a USB token. The authentication flow with the YubiKey (USB token) is:

  1. Sign in with your usual username and password
  2. Insert the YubiKey and touch the button
  3. You are now signed in

A precondition for the following flows is that the user has already registered for 2-factor authentication using the Yubico key at a given service.
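Two points made above, that U2F rests on public key cryptography and that a registration must precede the sign-in flow, can be shown in working code. The Go program below is an added example, not Yubico's code or this page's own; it models a simplified U2F token (the names Token, Register, Authenticate and Verify are assumed) and the data U2F signs during authentication: the hash of the app ID (the site's origin), a user-presence byte, a counter and the hash of the client data. Key handles and attestation are left out, and the challenge string is constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Token models a U2F authenticator: one P-256 key pair per registration plus a signature counter.
type Token struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Register creates the key pair and returns the public key the service stores.
func Register() (*Token, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Token{priv: priv}, &priv.PublicKey, nil
}

// signedData is the byte string U2F signs on authentication:
// SHA-256(appId) || user-presence byte || 4-byte big-endian counter || SHA-256(clientData).
func signedData(appID string, c uint32, clientData []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	msg := append(app[:], 0x01) // 0x01: user presence confirmed by the button touch
	msg = append(msg, byte(c>>24), byte(c>>16), byte(c>>8), byte(c))
	return append(msg, chal[:]...)
}

// Authenticate answers a sign request; the browser passes the origin it is really connected to as appID.
func (t *Token) Authenticate(appID string, clientData []byte) (uint32, []byte, error) {
	t.counter++
	digest := sha256.Sum256(signedData(appID, t.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, digest[:])
	return t.counter, sig, err
}

// Verify is the service's check: the signature must cover the service's own
// appId and challenge, and the counter must have advanced (cloned-token check).
func Verify(pub *ecdsa.PublicKey, appID string, clientData []byte, last, c uint32, sig []byte) bool {
	if c <= last {
		return false
	}
	digest := sha256.Sum256(signedData(appID, c, clientData))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

Because the origin is part of the signed data, a signature produced for a look-alike site does not verify at the genuine service, which is the man-in-the-middle protection the list above refers to.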


Published November 2015

Where Yubikey is used:

  • Google
  • GitHub
  • LastPass
  • More to come...

Reperio | 8000 Aarhus | E-mail: info@reperio.dk | Copyright © 2015