As the saying goes, you are not paranoid if they really are out to get you. When it comes to online security, it’s fair to say we are justifiably paranoid. Which is why when I learned about a much better way to authenticate myself on the web, it didn’t take much arm-twisting to buy my first U2F device.
U2F what? What is it and why would you want one? The “2F” part stands for “two-factor”. When you login to many sites on the web, you have the option for two-factor authentication. This usually means that in addition to providing something you know (typically a username and password) you also provide some other different type of credential. This ups the likelihood that you are really you.
For example, when I login to my Google account on a new device, because my account is set up for two-factor authentication login, I have it send my cell phone a text message. The code I receive in the SMS message is then used to complete my login to Google.
That sounds pretty secure, but it’s not nearly secure enough. That’s because it’s still vulnerable. If someone knows your username and password, they probably also know who you are. And if they know who you are they can probably get your mobile number, if they don’t have it already from being your “friend”. And if they know your mobile number, it’s possible to trick your carrier to send the SMS to a different device. Moreover, there’s no security in SMS messages. They are sent as plain text over the cellular network. Suddenly, two-factor authentication seems a lot more like one-factor authentication.
This was a problem even at Google. To solve it they bought their employees a whole bunch of U2F (Universal Two-Factor) devices manufactured by a company called Yubico. These devices stopped phishing attacks dead, effectively making accessing Google much more secure for its 85,000 trusted employees.
Hey, I want some of that! And now you can too!
How does this work? First you need to know that U2F is a standard. Any manufacturer can make a U2F device, but arguably Yubico was first to market in a significant way. Second, it’s a hardware device, basically a chip embedded inside a piece of plastic, usually connected to a USB-A interface. The chip lets it create keys, similar to keys to securely access websites. It creates two keys, a private key that cannot be externally read and which exists only on the device, and a public key that works only with the site that you connect to. However, it only creates the public key after you login (usually with a username and password) and it verifies the site is authentic. Once the site has the public key, it can be used only with your device.
Is there a downside? Not in the technology itself, although some of the older models are slower than the newer ones at generating keys. Its main drawback currently is that not enough websites have integrated it. The big ones like Google and Facebook support it. One other drawback: not all browsers support it, at least natively. Chrome, Firefox and Opera do. Most of the rest can support it via a plugin.
Still, the list of sites that do support it is growing. Both Windows and Mac support U2F during login. When enabled, you must plug in the device, essentially authenticating your computer with the operating system. Other sites that can use it include: Dropbox, Twitter, Salesforce, GitHub, LastPass and Dell. Of these the one that tickles my fancy is LastPass. Like lots of people I used it as my password manager. Unfortunately, it’s a feature of LastPass Premium only, but if you spring for it, it makes it much more secure plus it removes the hassle of having to constantly type in your often not terribly secure master password. Unfortunately, most banks don’t support U2F yet. You would think that they would want to be on the leading edge of this technology.
These devices can effectively store an unlimited set of keys. In addition, you don’t always have to attach it to a single profile. If you have multiple profiles, the same device can securely support them, or even an anonymous association with a website.
In my case, I keep a lot of customer information in Google’s cloud, accessible only to me through my Google account. So I have plenty of reason to up my security practices.
One issue is whether you want to use these devices with mobile devices. It can be done, but most mobile devices don’t have a USB-A port. However, pretty much all of them support the NFC (Near Field Communication) standard, used for systems like Apple Pay. In this case, you just place the device next to your mobile phone when you login. So it might behoove you to buy a U2F device that comes with NFC support too.
That’s what I ended up buying, not a Yubico device with this feature (which costs about $50), but a Feitian ePass NFC FIDO U2F Security Key, which is equivalent but costs $30 less. It’s simple to use in both cases and I can easily store it on my key ring.
The device does not solve all security issues on the web, but it easily and elegantly solves the authentication issue. Even if you lose your key, you still have protection. Because it is used with two-factor authentication, someone would still have to know your username and password. Meanwhile, you could buy a new device and create a new public key for use with the website.
Some content management systems can work with it. WordPress is used by about 40% of websites, so if you have a WordPress site you can install the Contact plugin to allow U2F authentication.
I’m looking forward to less hassle and more security from my U2F device, and my clients should be too.