2nd factor authentication with U2F

Have your gmail hacked and it’s very likely that you’ll also loose access to your other accounts as well. Your PayPal, Facebook and Twitter could all be reset within minutes locking you out and making reclaiming them an absolute nightmare. To avoid this, I enabled the second factor authentication on my gmail account. Since then I’ve learnt that there is an even a more secure way to stop those up-to-no-good-hackers: The U2F security key.

What is U2F, and should I get a security key?

These are questions I asked myself, after I went ahead and purchased the key. Ops. I guess the geek in me got too excited and wanted to learn about the technology by using it. In short, I don’t need the key. However, it does make me feel more secure, and I am glad I got one. Let me explain why this is.

U2F is an acronym for Universal 2nd factor which is an open authentication standard meant to make second factor authentication easier and more secure for us consumers. In practice it is way of authenticating yourself using a dedicated device such as a specialized USB key or NFC chip. U2F keys are way more secure than alternate second factor authentication methods such as SMS messages, pre-generated codes or phone apps.

When I use my key to gain access to my email, I completely remove the possibility of phising for instance. Why is this? Well, when you first register your U2F security key on a website, the U2F key creates a public/private key pair specific to the website URL. If I unwittingly were to get redirected to a different URL to the one I intended to visit, perhaps a website trying to mimic a Google website in order to steal my personal information, the U2F key would simply not work since the new URL would not match the URL I used to authenticate my device.


Maybe you don’t consider this a risk as you always check the website URL and you consider yourself internet savvy enough to not be fooled by phising. Fair enough, I can’t blame you. I feel the same way :) But let me give you another example where the U2F key shines: key-logging.

If hackers manage to remotely record what you type on your keyboard, you’re in trouble as they can now gain access to your passwords. Your precious Authenticator app, generated codes or codes sent via SMS won’t help you much now. Why? Because you have to TYPE them in. With the U2F key your not verifying your identity by pressing the keys on the keyboard, your plugging in a device in your USB port. When you access your gmail let’s say, Google sends a challenge to your browser, which the U2F security key signs and returns. No keyboard input, no key-logging.

But what about man-in-the-middle attacks such as when the hacker gains access to your information being sent between you and the server?

Good question. Well, the U2F security key only successfully signs the challenge set by the website if the origin of the request matches the origin seen by the browser. Let’s say a hacker tries to intermediate the authentication, their origin will be different to that of your browser, so the U2F security key refuses to sign the challenge. This method is not 100% secure though as the hacker may be able to mimic your location, but certainly much safer than typing in codes which do not depend on your location.

In summary, the U2F key is certainly the most secure second factor authentication method that I am aware of. The authenticator app and SMS codes do a good job, don’t get me wrong, but they do not completely eliminate phising attempts like the U2F security key does. The key eliminates the possibility that a hacker could still capture the second factor response you type in and try and use it immediately.

The drawback is that the U2F security key is not widely supported at the moment across the various web services. That being said, once the U2F specifications have been finalized (they are still in draft) I would not be surprised if big internet companies other than Google start to offer U2F support as the security benefits are obvious.

· security