Do U2F Security Keys Really Keep You Safe?

When you get home, you stand in front of the door and fumble around for your keys, then use them to unlock your entrance. You don’t type a code, you don’t talk to the door, and you don’t answer riddles as though you were talking to a sphinx. It’s relatively secure while not giving you a massive headache.

The Internet’s version of this is basically the U2F key. You still have to type your password, but the extra work of two-factor authentication disappears: all you do is insert your physical key into a USB slot and touch it. But is this method at least as secure as other authentication methods? And perhaps more importantly, does it address anything new?


To explain how U2F works, you must already understand two-factor authentication. If you’re unfamiliar with the concept, let’s use Google Authenticator as a working example: you type in your login details to get into Google, and then their server asks you to open the Google Authenticator app on your phone to get a six-digit one-time password. This last step ensures that the person logging into your account also holds the phone that GA was installed on (presumably, that’s you!). Some entities (banks, for example) send an SMS with a six- to eight-digit code to the phone number associated with your account to achieve the same result. Others (also usually banks) give you a token device that generates these numbers.

Okay, so two-factor authentication will use two things to log you in (hence the name): your password and an extra code associated with something physical that you possess that can only be used once.

Now that we’ve got that out of the way, here is how U2F works in a few simple words: it does all of this for you in the form of a physical key, like the one you use to open a door. You insert the key into a USB slot and press its button to finish your login. Under the hood, though, it is not a code generator. When you first register the key with a site, it creates a fresh public/private key pair for that site and hands the public half to the server. At each login the server sends a random challenge, the browser packages the challenge together with the site’s origin, and the key signs that package with its private key; the browser returns the signature, and the server checks it against the public key it stored at registration. Nothing secret ever leaves the key, and pressing the button only proves that a person is physically present.

Simple enough, right?

If you can use two-factor authentication out of the box without having to buy anything extra, why should people go out of their way to get a physical key? For businesses, the answer is obvious: you don’t have to buy your employees expensive token devices. But what are the advantages for consumers? Let’s look at those:

  • You’ll never have to type codes, which is very convenient.
  • Since you don’t have to type anything, the proof the key sends can be far stronger than a six-digit code: it is a digital signature over a 32-byte hash of the server’s random challenge and the site’s origin, which an attacker can neither guess nor reuse.
  • You don’t have to depend on your phone. (What if your phone breaks or you change your number?)


The reason I don’t see U2F being adopted more broadly is that code-based two-factor authentication (authenticator apps and SMS) has already set the standard. It’s readily available and is sufficiently easy for service providers to implement. Currently only major services like Google, Facebook, Dropbox, and GitHub boast compatibility.

Aside from this issue, there’s also the issue of what it addresses. Put simply, it will be seen as a glorified version of two-factor authentication that is marginally more convenient to use. It doesn’t matter that U2F resists phishing and man-in-the-middle attacks better than typed codes do (with caveats, which we’ll get to). Perception is more important when you’re trying to sell an idea.

Probably the more important caveat is what U2F does not cover. The signature is bound to the site’s origin, so a phishing page or a proxy on a look-alike domain gets a signature that the real site will reject; that is the genuine advantage over codes, which you would happily type into the fake page. But the binding only holds as long as the browser sees the true origin: a proxy that can present a certificate your browser trusts for the real domain, as corporate TLS interception does, sees the same origin and can simply relay the exchange (the U2F spec’s optional TLS channel ID binding was meant to close this gap but saw little deployment). And U2F says nothing about what happens after login. Malware on your machine, or theft of the session cookie the site issues once you’re in, lets an attacker ride your authenticated session without ever touching the key, whereas merely spoofing a user agent string gains an attacker nothing without the key and the password. This is the sense in which the “higher security” argument for U2F is debatable: it closes the phishing hole squarely, not the compromised-endpoint one.

Although U2F doesn’t make every attack on two-factor authentication go away, it’s worth noting that it takes real steps in a positive direction (e.g. replacing guessable, phishable codes with origin-bound signatures, eliminating frustrating authentication barriers for end users, etc.). As a technology, it might not be “revolutionary,” but it certainly does its job in a way that is more convenient for the people who invest in it. U2F may be attractive for businesses, but consumers might not find the $50 price tag on these little devices worth the cost.

Let’s discuss something interesting. What would convince you to buy a U2F key? Or are you already convinced? Tell us all about it in a comment!

4 comments

  1. “consumers might not find the $50 price tag on these little devices worth the cost”
    It’s easier to justify $50 for a U2F key than $500+ for a smartphone. Over time, IF the gadget becomes somewhat popular, the cost will go down. I still remember the days when I paid more for a 128 K USB key drive than I pay today for a 3-pack of 64 GIG drives.

    I am skeptical about the whole 2FA thing. The idea is great but, IMO, the implementation is rather inelegant. It requires an additional device (smartphone) that is subject to many perils. It can be lost, stolen, broken, misplaced, hacked, etc. If any of the perils come to pass, you are SOL. The 2FA process is useless. You cannot sign on to your account. The fact that it requires a smartphone exposes the second problem with the 2FA standard – it is not universal. IF it is The Greatest Invention Since Sliced Bread in security, as its proponents claim, it should be universally available/usable. I realize that a vast number of people already own a smartphone. However, what about those that for one reason or another DO NOT own one?! They are left out in the cold without 2FA security. I, for one, refuse to own a smartphone. I do not see any compelling reasons to own one over a dumb flip phone. 1) Smartphones are too expensive 2) Smartphones are much easier to compromise than dumb flip phones and landlines.

  2. You talk about U2F costing $50, but that’s only for a very expensive multi-purpose Yubikey. In your own article you use a photo of a U2F key that only cost about $10, but I can no longer find it anywhere. Yubico also makes an $18 one that is just U2F instead of multi-purpose

  3. Thankfully, a smartphone is not necessary for 2FA. I also do not own one, but my flip phone is quite capable of receiving a text message containing a code for authentication. The point is still valid, though. If I did not have a working phone with me, I would be locked out!

  4. You never described how MITM attack mitigation is “debatable”. Also, spoofing a user-agent will do NOTHING to compromise a U2F-secured account; you’ll need the U2F device and password still.

    Finally, you imply $50 is too expensive, but neglect to mention the many $10-$20 or even built-in devices (such as with Intel’s new Kaby Lake chips).
