
Fido U2F Two Factor Support


Max


FIDO U2F is a new standard for 2 factor authentication USB tokens.

 

https://fidoalliance.org/specifications/download

http://googleonlinesecurity.blogspot.nl/2014/10/strengthening-2-step-verification-with.html

https://github.com/Yubico/php-u2flib-server

 

Main advantages over OATH/Yubikey:

 


Looks interesting, so it doesn't need to communicate with a 3rd party service?

 

Correct.

Uses public key cryptography with separate keys for each site.

 

When the user registers on a U2F-capable website, the token generates a fresh public/private key pair and sends the public key to the website, along with a key id.

Upon logging in to the website, the user first enters their username and password as normal.

The website then sends the key id corresponding to the user and a challenge to the token, and, after the user presses the button on the token, the token uses the corresponding private key to sign the challenge.

 

In most implementations the key id is not really an id, but actually the entire private key encrypted by the token, so that the token does not need storage space for dozens of keys, just for the key used to encrypt/decrypt the private keys.

The U2F standard also has some other clever features, such as restricting keys to a domain, so that if the user was tricked into logging in to a phishing site, the token will not function properly.

 

There are currently some downsides as well.

One is that U2F tokens require two way communication and therefore need browser support.

Only Google Chrome supports them for now.

This is unlike traditional Yubikey tokens which emulate a normal USB keyboard and therefore work with any browser and can be used in other things than browsers as well (e.g. to restrict SSH and VPN access).
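The registration and login flow described in the post above, as an added example that is not part of the original thread or of any U2F library. It assumes the `cryptography` package is installed (U2F really does use ECDSA over P-256), and it simplifies the wire format: the key handle layout (nonce, XOR-wrapped private scalar, HMAC tag bound to the app id) and the bytes that get signed are a sketch of the idea, not the spec's raw messages. It shows the three points the post makes: one key pair per site, the "key id" being the wrapped private key so the token only stores a master secret, and the token refusing to sign when the browser reports a different origin than the one the key was registered for.

```python
"""Simulated U2F token, relying party and browser glue (added example,
not the thread's or any project's code; wrap/sign layout is an assumption)."""
import hashlib
import hmac
import secrets
import struct

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

CURVE = ec.SECP256R1()


def signed_data(app_id, counter, challenge):
    # What the token signs: hash of the app id, a monotonically increasing
    # counter, and a hash of the server challenge (simplified layout).
    return (hashlib.sha256(app_id.encode()).digest()
            + struct.pack(">I", counter)
            + hashlib.sha256(challenge).digest())


class Token:
    """Simulated token: its only persistent secret is one 32-byte master key."""

    def __init__(self):
        self._master = secrets.token_bytes(32)
        self.counter = 0

    def _keystream(self, nonce):
        # 32-byte keystream used to wrap the private scalar (sketch; a real
        # token would use an authenticated cipher for this).
        return hmac.new(self._master, b"wrap" + nonce, hashlib.sha256).digest()

    def _tag(self, app_id, nonce, wrapped):
        # MAC that binds the wrapped key to the app id it was registered for.
        msg = b"tag" + app_id.encode() + nonce + wrapped
        return hmac.new(self._master, msg, hashlib.sha256).digest()

    def register(self, app_id):
        """Fresh key pair for this site; returns (key_handle, public_key_bytes)."""
        priv = ec.generate_private_key(CURVE)
        scalar = priv.private_numbers().private_value.to_bytes(32, "big")
        nonce = secrets.token_bytes(16)
        wrapped = bytes(a ^ b for a, b in zip(scalar, self._keystream(nonce)))
        key_handle = nonce + wrapped + self._tag(app_id, nonce, wrapped)
        pub = priv.public_key().public_bytes(
            serialization.Encoding.X962, serialization.PublicFormat.UncompressedPoint)
        return key_handle, pub

    def authenticate(self, app_id, key_handle, challenge, user_present=True):
        """Unwrap the key for app_id and sign the challenge, or raise."""
        if not user_present:
            raise PermissionError("button not pressed")
        nonce, wrapped, tag = key_handle[:16], key_handle[16:48], key_handle[48:]
        if not hmac.compare_digest(tag, self._tag(app_id, nonce, wrapped)):
            # Handle was issued for another origin (phishing) or is forged.
            raise ValueError("key handle does not belong to this app_id")
        scalar = bytes(a ^ b for a, b in zip(wrapped, self._keystream(nonce)))
        priv = ec.derive_private_key(int.from_bytes(scalar, "big"), CURVE)
        self.counter += 1
        sig = priv.sign(signed_data(app_id, self.counter, challenge), ec.ECDSA(hashes.SHA256()))
        return self.counter, sig


class RelyingParty:
    """The website: stores only the key handle and public key per user."""

    def __init__(self, app_id):
        self.app_id = app_id
        self.users = {}  # username -> (key_handle, public_key_bytes, last_counter)

    def register(self, username, token):
        key_handle, pub = token.register(self.app_id)
        self.users[username] = (key_handle, pub, 0)

    def challenge_for(self, username):
        key_handle, _, _ = self.users[username]
        return key_handle, secrets.token_bytes(32)

    def verify(self, username, challenge, counter, signature):
        key_handle, pub_bytes, last = self.users[username]
        if counter <= last:
            return False  # replayed response or a cloned token
        pub = ec.EllipticCurvePublicKey.from_encoded_point(CURVE, pub_bytes)
        try:
            pub.verify(signature, signed_data(self.app_id, counter, challenge),
                       ec.ECDSA(hashes.SHA256()))
        except InvalidSignature:
            return False
        self.users[username] = (key_handle, pub_bytes, counter)
        return True


def login(rp, username, token, browser_origin):
    """Browser glue: the browser, not the page, tells the token the origin."""
    key_handle, challenge = rp.challenge_for(username)
    try:
        counter, sig = token.authenticate(browser_origin, key_handle, challenge)
    except ValueError:
        return False
    return rp.verify(username, challenge, counter, sig)


if __name__ == "__main__":
    rp, token = RelyingParty("https://example.com"), Token()  # constructed sample
    rp.register("max", token)
    print("real site:", login(rp, "max", token, "https://example.com"))
    print("phishing site relaying the challenge:", login(rp, "max", token, "https://examp1e.com"))
```

The phishing case models a look-alike site relaying the real server's challenge and key handle: the browser reports the look-alike origin to the token, the MAC over the app id fails, and the token never produces a signature. The counter check in `verify` is the other standard U2F safeguard, rejecting a replayed response or a cloned token whose counter has fallen behind.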

