Multi-factor authentication with U2F
User-selected passwords are a perpetual weak link in the online security chain, a particularly troublesome one where web services are concerned. An industry group called the FIDO Alliance published an open specification for two-factor authentication hardware earlier this year, along with complementary standards intended to lay out a uniform API for web services to utilize such hardware. The goal is to simplify the process of offering multi-factor authentication for users, courtesy of a vendor-neutral standard.
FIDO's membership includes a mix of banking institutions, software companies, and hardware manufacturers. Included on the list are Google and Microsoft, two of the four biggest web browser makers. One noticeable absence is Mozilla, but security-token vendor Yubico (makers of the YubiKey line of USB one-time password (OTP) tokens, which we looked at most recently in April) is a member.
Yubico is evidently working on producing hardware tokens that implement the FIDO Alliance's new specification, called Universal 2nd Factor (U2F). Given the company's substantial suite of free-software utilities and frameworks for its existing products, it is presumably interested in working with free-software browsers on U2F as well.
The FIDO Alliance was launched in early 2013, although the first public draft of U2F was only published in February 2014. It remains a draft at this stage.
U2F specifies a protocol for users to register a hardware authentication token with a remote web service, so that on future visits, activating the token sends an unforgeable identifier that is unique to the token-and-service pair. As the name indicates, U2F is not meant to replace passwords entirely, but to augment them as a "second factor." The specification dictates that the token has some form of user-activation: a button, some form of biometric scanner, or so on. At present, the specification also describes a USB messaging format for the token to communicate with the user's local web browser—although it is expected that additional transports (namely NFC and Bluetooth) will also be supported.
The full specification is available for download on the FIDO Alliance site. Separate documents describe the JavaScript API for communicating between the browser and a remote web service, the message format between the browser and the hardware token, and the identity-assertion scheme that the token uses to verify that only an authorized application (for now, a category that includes only the web browser) is sending an authentication request. On the same download page are a separate set of specifications for FIDO's other major project, the password-replacement scheme called Universal Authentication Framework (UAF)—which is not connected to U2F.
One distinguishing feature of the scheme is that the U2F hardware token is not tied to a specific service or web site. Rather, whenever the user registers an account with a new web service, a new public/private key pair is generated on the token. The public key is sent to the service, while the private key remains on the device, which, naturally, must be tamper-proof so that the keys cannot be extracted. Similarly, if the token incorporates a biometric identifier or any other sort of local authentication information, that data must also be stored on the token and not be readable. On repeat visits, the web site sends a challenge to the browser, which the hardware token signs using the private key and returns.
Also worth noting is that U2F leaves quite a bit of the hardware device's design and feature set undefined. The example usage scenarios in the Yubico talk involve a simple, inexpensive token much like Yubico's existing product line: a simple button press when the token is plugged in to the computer is the only authentication performed for the device itself. But more complex devices could be produced, which require the user not only to possess the hardware token, but to enter a password on it or (for example) perform a fingerprint swipe. In the accompanying blog post, Yubico notes that its NEO line of tokens is designed to run Java applets, which could include U2F service registration and authentication, although it also points out that current NEOs do not support U2F and may not be upgraded in in the future.
On the other hand, the specification does dictate that the hardware token does not include a global identifier that can be accessed by the web services. This is a privacy protection; there is intentionally no way for a web service to determine whether or not any two U2F accounts are authenticated with the same hardware device. Similarly, a web service cannot dictate that a particular brand or type of hardware token be used: all it knows is that a U2F-compliant device is available and is used in the authentication stage. In response to an audience question on the Mozilla video, Yubico representative Jerrod Chong said that implementation tests have verified interoperability between four hardware vendors.
Whether the hardware token is simple or complex, a great deal of U2F's security also relies on the browser implementation. The browser must handle the registration of new services, verify the remote server's identity, send the authentication challenge from the site to the hardware token, and send the cryptographically signed response from the token back to the service. Naturally, all of these steps need to handled by the browser natively, not by running HTTP-delivered JavaScript code. The browser must also implement the U2F raw messaging protocol over USB HID. At present, the USB Implementers Forum has not yet approved the U2F protocol, although FIDO expresses confidence that such approval will happen in due course.
On July 30, Yubico posted on its company blog that it had met with Mozilla to present a case for adopting U2F. Evidently Yubico's presentation to Mozilla was an effort to prompt the browser maker into starting its own U2F implementation effort. As of now, there does not seem to be any formal progress on that front, but many in the audience for the video seemed supportive of the concepts. It is also possible that Yubico or another interest party will write code of its own to contribute; time will tell. Video from the presentation and subsequent question-and-answer session is available from Mozilla.
U2F is interesting from a security perspective, perhaps most of all in how it presents a very different alternative to WebCrypto for the future of browser security. U2F arguably offers stronger security, since it mandates tamper-proof hardware and does not rely on susceptible-to-man-in-the-middle JavaScript.
But strong cryptography is not everything; if it were, every email would be sent with OpenPGP encryption. Yes, U2F seems to offer a simple user experience, which is an absolute requirement if the feature is ever to extend beyond the smallest niche. The inescapable downside, however, is that users will be required to purchase and keep track of the hardware devices themselves. An industry-wide standard may help; costs could certainly fall if not every vendor needs to reinvent the wheel.
But any cost greater than zero will no doubt prompt some percentage of users to skip the option completely. It is anyone's guess how large that percentage will be. Unless the authentication devices are offered for free or as cheap add-ons for more expensive devices, not everyone will use them. Regardless of the scale or speed of U2F uptake, of course, both the browsers and site owners will need to support older, less secure authentication methods for many years still to come.
| Index entries for this article | |
|---|---|
| Security | Authentication |
Posted Aug 7, 2014 4:01 UTC (Thu)
by kjp (guest, #39639)
[Link] (6 responses)
And a main flaw is still: how does account recovery (I forgot my password and/or dropped my token in water) work at scale. secret question, recovery email address, etc. still make remote account hijacking possible. At least etrade can mail you (yes, snail mail) a new RSA fob. Maybe account recovery should send you a machine-readable private key printout via US mail, that you load in the FIDO universal dongle, and then rip up the paper? :-)
Posted Aug 7, 2014 4:05 UTC (Thu)
by kjp (guest, #39639)
[Link]
Posted Aug 8, 2014 8:10 UTC (Fri)
by robbe (guest, #16131)
[Link] (4 responses)
Interestingly, the button-requirement of the U2F standard prevents current RSA tokens. A take-that at the market leader?
Posted Aug 9, 2014 2:11 UTC (Sat)
by kjp (guest, #39639)
[Link] (1 responses)
The web site says RSA is a member of FIDO, FYI (acronym hat trick!). Everything I've read so far on UAF seems pretty sensible (the most confusing thing is why there are two standards - UAF and U2F - so which one to use). Anti phishing & privacy protection look good, as does not relying on central parties, and it all seems cross platform. The WYSIWYS secure transactions is also interesting. One concern is the 'attestation' feature, so some sites may require 'attestation' of only certain vendor's devices, which limits customer choice but doesn't seem to harm security otherwise.
Posted Aug 9, 2014 8:16 UTC (Sat)
by alonz (subscriber, #815)
[Link]
Posted Aug 11, 2014 9:18 UTC (Mon)
by luto (guest, #39314)
[Link] (1 responses)
It was a simple setup: there were two sheets of paper. The first one had four columns of holes, and each column had a random permutation of the digits 0-9. The second sheet was stuck to the back of the first one. I was instructed to mark through the four holes corresponding to my desired PIN. Then I threw away the top sheet and mailed back the bottom sheet. Genius!
It could have been even better: random permutations were unnecessary; random cyclic permutations would have been fine. And they could have just asked me to type the encrypted PIN on a website and throw away the sheet of paper.
Posted Aug 11, 2014 9:56 UTC (Mon)
by nix (subscriber, #2304)
[Link]
(I wrote 'PID' the first time, heh, clearly too much hacking. There is not officially a pin_t getpin(void), but it looks like it's not impossible to write :) )
Posted Aug 7, 2014 5:39 UTC (Thu)
by alonz (subscriber, #815)
[Link]
Posted Aug 7, 2014 10:46 UTC (Thu)
by copsewood (subscriber, #199)
[Link]
If they work out cheaper than existing smart tokens for online use and equally secure, I think the banks will be giving these to existing customers to cut fraud costs and will make a profit doing so.
Posted Aug 17, 2014 14:52 UTC (Sun)
by inq (guest, #12180)
[Link] (3 responses)
Passwords wouldn't be such a weak link if these web services could make it just a little bit more difficult to steal their password files in the first place.
Posted Aug 17, 2014 15:21 UTC (Sun)
by raven667 (subscriber, #5198)
[Link] (2 responses)
Posted Aug 17, 2014 16:18 UTC (Sun)
by inq (guest, #12180)
[Link] (1 responses)
Posted Aug 17, 2014 19:19 UTC (Sun)
by raven667 (subscriber, #5198)
[Link]
Multi-factor authentication with U2F
Multi-factor authentication with U2F
Multi-factor authentication with U2F
Multi-factor authentication with U2F
The reason for having two standards is the usual—politics. UAF came from NonNok, U2F came from Google, and the FIDO Alliance members couldn't see their way to a unified compromise solution.
Multi-factor authentication with U2F
Multi-factor authentication with U2F
Multi-factor authentication with U2F
Some companies are implementing U2F with “virtual tokens” based on the tamper-proof hardware/software modules inside modern mobile devices (TrustZone hypervisors, TPMs, or Secure Elements). If these gain acceptance, the technology might become quite easy to use—on smartphones and tablets at least.
Multi-factor authentication with U2F
Multi-factor authentication with U2F
Multi-factor authentication with U2F
Multi-factor authentication with U2F
Multi-factor authentication with U2F
Multi-factor authentication with U2F