Fido U2F 2-factor authentication key released by Yubico

Discussion in 'privacy technology' started by deBoetie, Oct 18, 2014.

  1. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    Best section I could find for this...

    Yubico has released a Fido alliance standard key for doing 2fa, in 2 form factors (at $50/$60 each). These are similar to existing keys which do static, HMAC-SHA1, OTP, plus NFC and certificate based authentication.

    https://www.yubico.com/press/press-...ort-fido-alliances-universal-factor-protocol/

    The Fido alliance is at

    http://fidoalliance.org/

    and includes Paypal, Mastercard and Google. Google has been using them internally for a while.

    The standard username/pin login is used, and the server can demand physical presence (a button press) to ensure the person is there.

    Apart from their security implications, these standards appear to offer improved privacy because the user owns the keys on the device and it is NOT shared amongst different sites (so they cannot trade identities).

    I do not know how you recover or duplicate the key yet, I'll report back if I start using them.

    I could not see any important real-world sites supporting this authentication yet, but will use in a trice if available - miles better than an SMS message from both a security and privacy basis.
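    The exchange described in this post (a key pair per site that no other site can link to, and a button press the server can demand before it accepts a login), as an added Go example that is not code from the original post, from Yubico or from the FIDO Alliance. It follows the U2F authentication message layout (application parameter, user-presence byte, 4-byte counter, challenge parameter, ECDSA P-256 over SHA-256) but simplifies the token: private keys are kept in a map instead of being wrapped into the key handle, attestation is left out, and the site names and challenge bytes are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Device stands in for a U2F token: a fresh P-256 key pair per registration,
// found by an opaque handle, and one signature counter shared by all of them.
// Assumption for this example: keys live in a map rather than in a wrapped handle.
type Device struct {
	keys    map[string]*ecdsa.PrivateKey // handle -> private key
	apps    map[string][32]byte          // handle -> application parameter
	counter uint32
	touched bool // set by a button press, cleared by each signature
}

func NewDevice() *Device {
	return &Device{keys: map[string]*ecdsa.PrivateKey{}, apps: map[string][32]byte{}}
}

// Touch simulates the physical button press that proves someone is present.
func (d *Device) Touch() { d.touched = true }

// AppParam is the U2F application parameter: SHA-256 of the site's app ID.
func AppParam(appID string) [32]byte { return sha256.Sum256([]byte(appID)) }

// Register creates a key pair for one site only; other sites get unrelated keys.
func (d *Device) Register(app [32]byte) ([]byte, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	handle := make([]byte, 16)
	if _, err := rand.Read(handle); err != nil {
		return nil, nil, err
	}
	d.keys[string(handle)] = priv
	d.apps[string(handle)] = app
	return handle, &priv.PublicKey, nil
}

// signedData follows the U2F authentication response layout:
// appParam || user-presence byte || 4-byte big-endian counter || challengeParam.
func signedData(app [32]byte, counter uint32, challenge [32]byte) []byte {
	data := append([]byte{}, app[:]...)
	data = append(data, 0x01) // bit 0 set: user was present
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	data = append(data, ctr[:]...)
	return append(data, challenge[:]...)
}

// Authenticate refuses a handle registered for another site and refuses to
// sign without a button press; each signature bumps the counter.
func (d *Device) Authenticate(app [32]byte, handle []byte, challenge [32]byte) (uint32, []byte, error) {
	priv, ok := d.keys[string(handle)]
	if !ok || d.apps[string(handle)] != app {
		return 0, nil, errors.New("key handle was not registered for this application")
	}
	if !d.touched {
		return 0, nil, errors.New("user presence required: press the button")
	}
	d.touched = false // one press authorises exactly one signature
	d.counter++
	digest := sha256.Sum256(signedData(app, d.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return d.counter, sig, err
}

// RelyingParty is one site's view of a user: public key and last counter seen.
type RelyingParty struct {
	AppID       string
	Pub         *ecdsa.PublicKey
	LastCounter uint32
}

// Verify checks the signature and that the counter moved forward; a repeated
// or decreasing counter is the tell-tale of a replay or a cloned token.
func (rp *RelyingParty) Verify(counter uint32, challenge [32]byte, sig []byte) error {
	digest := sha256.Sum256(signedData(AppParam(rp.AppID), counter, challenge))
	if !ecdsa.VerifyASN1(rp.Pub, digest[:], sig) {
		return errors.New("signature does not verify")
	}
	if counter <= rp.LastCounter {
		return errors.New("counter did not increase: replay or cloned token")
	}
	rp.LastCounter = counter
	return nil
}

func main() {
	dev := NewDevice()
	handle, pub, _ := dev.Register(AppParam("https://example.test"))
	site := &RelyingParty{AppID: "https://example.test", Pub: pub}
	challenge := sha256.Sum256([]byte("constructed client data")) // stands in for SHA-256 of the client data
	dev.Touch()
	ctr, sig, _ := dev.Authenticate(AppParam(site.AppID), handle, challenge)
	fmt.Println("first use:", site.Verify(ctr, challenge, sig), "| replay:", site.Verify(ctr, challenge, sig))
}
```

    Two properties of the post fall out of the code: a second site that registers the same device gets a public key with no relation to the first, so the two sites have nothing to match up, and the device will not sign for a handle that was issued to a different application parameter. The counter is the defender's clone check: if a copied token is ever used, one of the two copies eventually presents a counter the site has already seen.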
     
  2. Overdone

    Overdone Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    87
    What's the difference between this and the Yubico keys up until now?

    The yubico keys seem interesting but sadly, I don't know many services that support them... Everyone seems to support "google authentication" but sadly I don't own a smartphone!
     
  3. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    Well, the original Yubikeys support various forms of OTP, and can be made to support TOTP with helpers (like on a PC) - it has no on-board clock, which I like because it means no battery. The applications of this OTP support include Symantec VIP variants, the Yubico OTP (with support for Salesforce.com and Lastpass for example). Google Authentication using OAUTH TOTP is already supported like this. They also do HMAC-SHA1 generation based on a stored secret, which can be used for Windows login and Password Safe (with no internet access assumed). They can also generate a static key, but I've never felt that was valuable to me, and it takes another slot on the key which I don't have free.

    The Neo range added some certificate support (CCID and mifare), which is now extended to add the FIDO U2F capabilities. Whereas the OTP and HMAC-SHA1 are VERY easy to manage and duplicate (I greatly prefer this over certificate based management which is nightmarish), I do not know the practicalities of managing whatever secrets the FIDO U2F uses to generate its keys.

    NFC (supported by some of the Neos) only works on Android, Apple has not opened its NFC access. It doesn't work for device logon as far as I know, which I'd want just like for the desktop login authentication - I'm not impressed by any of the smartphone login mechanisms and I do not trust them with any valuable data or site logons.

    The big problem right now is the great variety of 2FA supported by the sites (including none at all, all too common). I do not want to use SMS which is a privacy disaster (as well as denial of service when the mobile runs out of battery or is stolen), but there is no privacy-respecting 2FA apart from the Fido one, and that's not widely implemented - yet, as far as I can see. If Google (and Paypal) adds it to their authentication options, then that will change the landscape rather.

    Here's what they've said in a Fido Alliance draft overview of U2F:

    "As one of the founders of the U2F working group in FIDO, Google is working to build U2F support into the Chrome browser and will offer U2F as a 2nd factor option on Google accounts to help the start-up of the open ecosystem."

    http://fidoalliance.org/specs/fido-u2f-overview-v1.0-rd-20140209.pdf

    I've been using the standard Yubikeys for over a year now, and am very happy with them. I use one slot for Lastpass 2FA, and the other slot for HMAC-SHA1 which does my logins with 2FA on Windows 7 and also gives Password Safe 2FA.

    This link provides a summary of the hardware variants and the different application/standards support:

    https://www.yubico.com/products/yubikey-hardware/
     
    Last edited by a moderator: Oct 18, 2014
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    There are now rather cheaper forms of key which appear to only do the Fido U2F listed on Amazon, the Yubikey one at $18, and there is another vendor called Plug-up International at $6.

    http://www.amazon.com/Yubico-Y-123-...d=1413793198&sr=1-1-catcorr&keywords=u2f fido

    I guess the important thing about this (I haven't got either, nor evaluated it) - is that provided they work, and the standard is implemented sufficiently on websites and in browsers, cost of the keys is not going to be a big constraint to mass adoption. Complexity and reliability will be!

    The later versions of Chrome implement U2F support. I'll report back if/when I test this stuff.
     