Do U2F Security Keys Really Keep You Safe?

When you get home, you stand in front of the door and fumble around for your keys, then use them to unlock your entrance. You don’t type a code, you don’t talk to the door, and you don’t answer riddles as if you were talking to a sphinx. It’s relatively secure while not giving you a massive headache.

The Internet’s version of this is basically the U2F key. Although you still have to type your password, the extra work you have to do with two-factor authentication disappears because all you have to do is insert your physical key into a USB slot. But is this method at least as secure as other authentication methods? And perhaps more importantly, does it address anything new?


To explain how U2F works, you must already understand two-factor authentication. If you’re unfamiliar with the concept, let’s use Google Authenticator as a working example: You type in your login details to get into Google, and then their server asks you to open the Google Authenticator app on your phone to get a six-digit one-time password. This last step ensures that the person logging into your account is the same person who owns the phone on which GA is installed (presumably, that’s you!). Some entities (banks, for example) send an SMS with a six- to eight-digit code to the phone number associated with your account to achieve the same result. Others (also usually banks) will give you a token device that generates these numbers.

Okay, so two-factor authentication will use two things to log you in (hence the name): your password and an extra code associated with something physical that you possess that can only be used once.

Now that we’ve got that out of the way, this is how U2F works in a few simple words: It does all of this for you in the form of a physical key, like the one you use to open a door. The key is inserted into a USB slot, and you press a button to finish your login. Pushing that button triggers an algorithm that generates a code internally and sends it automatically to the authenticating server.
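As an added illustration (not code from the article), this Go sketch spells out what that internally generated "code" actually is: a challenge-response signature rather than a one-time number. The key signs the server's challenge together with the site's app ID and the origin the browser observed, and the server checks the signature, the origin and a press counter. The example.com and examp1e.com origins, the challenge string and the in-memory key pair are constructed, and requiring origin == app ID is a simplification of U2F's facet rules.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// signedDigest hashes what the key signs when its button is pressed: SHA-256(appID) ||
// user-presence flag || 4-byte counter || SHA-256(clientData), where clientData is JSON
// the browser built from the server's challenge and the origin it actually observed.
func signedDigest(appID string, ctr uint32, cd []byte) []byte {
	app, cdh := sha256.Sum256([]byte(appID)), sha256.Sum256(cd)
	msg := append(app[:], 0x01, byte(ctr>>24), byte(ctr>>16), byte(ctr>>8), byte(ctr))
	d := sha256.Sum256(append(msg, cdh[:]...))
	return d[:]
}

// keyAuthenticate is the key's side: an ECDSA signature with the per-site private key.
func keyAuthenticate(priv *ecdsa.PrivateKey, appID string, ctr uint32, cd []byte) []byte {
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedDigest(appID, ctr, cd))
	return sig
}

// serverVerify is the relying party's side: origin must equal the app ID (a simplification
// of U2F's facet list), the counter must strictly increase, and the signature must verify.
func serverVerify(pub *ecdsa.PublicKey, appID, chal string, last, ctr uint32, cd, sig []byte) bool {
	var c map[string]string
	if json.Unmarshal(cd, &c) != nil || c["challenge"] != chal || c["origin"] != appID {
		return false // assertion was produced for another login or another site
	}
	if ctr <= last {
		return false // counter did not move: replayed assertion or a cloned key
	}
	return ecdsa.VerifyASN1(pub, signedDigest(appID, ctr, cd), sig)
}

// Demo: server acceptance of an honest login, a look-alike-origin assertion, and a replay.
func Demo() (honest, lookalike, replay bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for registration
	pub, appID, chal := &priv.PublicKey, "https://example.com", "constructed-challenge-1"
	cd, _ := json.Marshal(map[string]string{"challenge": chal, "origin": appID})
	bad, _ := json.Marshal(map[string]string{"challenge": chal, "origin": "https://examp1e.com"})
	sig := keyAuthenticate(priv, appID, 1, cd)
	return serverVerify(pub, appID, chal, 0, 1, cd, sig),
		serverVerify(pub, appID, chal, 1, 2, bad, keyAuthenticate(priv, appID, 2, bad)),
		serverVerify(pub, appID, chal, 1, 1, cd, sig)
}
```

Only the first login is accepted: the look-alike origin fails the origin check even though the signature itself is genuine, and the replayed assertion fails because the counter did not advance.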

Simple enough, right?

If you can use two-factor authentication out of the box without having to buy anything extra, why should people go out of their way to get a physical key? For businesses, the answer is obvious: you don’t have to buy your employees expensive token devices. But what are the advantages for consumers? Let’s look at those:

  • You’ll never have to type codes, which is very convenient.
  • Since you don’t have to type codes, the internal code transmitted automatically by the key can be longer (usually around 32 characters).
  • You don’t have to depend on your phone. (What if your phone breaks or you change your number?)


The reason why I don’t see U2F being applied so broadly is that two-factor authentication has already set the standard. It’s readily available and is sufficiently easy for service providers to implement. Currently only major services like Google, Facebook, Dropbox, and GitHub boast compatibility.

Aside from this issue, there’s also the issue of what it addresses. Put simply, it will be seen as a glorified version of two-factor authentication that is marginally more convenient to use. It doesn’t matter that U2F addresses man-in-the-middle attacks more efficiently (although that is debatable, and we’ll get to that). Perception is more important when you’re trying to sell an idea.

Probably the more important caveat is the fact that U2F does very little to prevent a hacker from hijacking your traffic and impersonating you by spoofing your user agent in your browser. This fact alone makes the “higher security” argument for U2F debatable.

Although U2F isn’t necessarily more secure than two-factor authentication, it’s worth noting that it takes a few steps in a positive direction (e.g. increasing key length, eliminating frustrating authentication barriers for end users, etc.). As a technology, it might not be “revolutionary,” but it certainly does its job in a way that is more convenient for the people who invest in it. U2F may be attractive for businesses, but consumers might not find the $50 price tag on these little devices worth the cost.

Let’s discuss something interesting. What would convince you to buy a U2F key? Or are you already convinced? Tell us all about it in a comment!
