
Own Your Own Identity With Universal Two-Factor Authentication

The Universal Two-Factor (U2F) authentication standard backed by the FIDO Alliance promises user authentication that just can't be cracked or duplicated by a hacker. Could it spell the end of password-based authentication?

By Neil J. Rubenking
May 8, 2015
FIDO U2F Yubikey

Who are you? As far as most secure websites are concerned, you are your email account. Forgot your password? No problem—we'll send a reset code by email! If your email account falls into the wrong hands, you're screwed good and proper. Hackers who crack your PayPal account get access to just that account; hackers who crack your email account get everything.

That's where two-factor authentication comes in. Just about every email provider offers some type of authentication beyond simple-minded username and password. Some will send a text to your smartphone. Others let you link the account to an app like Google Authenticator or Twilio Authy. Without much fanfare, Google has slipped in another option for protecting your Gmail account—the security key. Now you can unlock your email with a key, just the way you unlock your car, or your front door. And if the backers of this new-style authentication have their way, that key will soon unlock many more sites and applications.

Fast Identity Online
Each security key implements a standard called U2F, for "Universal Two-Factor." This open standard was published by the FIDO (Fast IDentity Online) Alliance, of which Google is a prominent member. Yubico, purveyor of the Yubikey authentication device, is another prominent member, and in fact most of the design of the Security Key comes from Yubico. However, the standard is wide open and the code is available, so a number of other vendors already sell their own model of the security key.

The original Yubikey worked by sending a one-time password to supporting applications like LastPass. You can still use the updated Yubikey for that purpose, but in order to implement FIDO U2F it now contains a built-in smart card that interacts with supporting applications. Both old and new device types are extremely durable; I've had a Yubikey rattling around in my pocket with my keys since 2009.


As for the alliance itself, its membership list reads like a who's who of finance and security. Among the board-level members are Google and Yubico, of course, but you'll also find Samsung, Bank of America, Microsoft, Mastercard, and Visa. The more numerous sponsor-level members include Costco, Dell, ING, Netflix, and Wells Fargo. This is a heavyweight alliance!

Using a Security Key with Gmail
You can buy a FIDO U2F Security Key from Yubico for $18, or scan the Web for deals from other manufacturers. I've seen them for as little as $5. Before you can register your security key, you must set up traditional two-factor authentication, either using Google Authenticator or having Gmail send an authentication code to your smartphone when you try to log in. Once you've completed this configuration, you'll find a tab labeled Security Key. Do note that only Chrome is supported at present, so if you log in with a different browser you'll have to use the smartphone-based authentication.

Registering a security key is simple. Click Register to ready the system, insert your security key, and touch the gold button on the key. Done! You can register multiple keys on the chance you might lose one. Just don't keep them all in the same place!


When nothing but a password protects your email, anybody who learns that password can open your account. With security key protection, nothing will unlock your account except the handshake between the security key's smartcard and the secure application. Remote access just isn't possible, as initiating that handshake requires that you touch the key's button.
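To make that handshake concrete, here is an added example (not code from the article, Yubico or the FIDO Alliance) that models the U2F authentication exchange: the site issues a challenge, the key answers only with a touch, and the site checks origin, touch flag, counter and signature. The message layout is the real U2F one, but the device's ECDSA P-256 signature is replaced by an HMAC over a per-registration secret so the example runs on the standard library; the origin "https://mail.example" is constructed.

```python
import hashlib, hmac, os, struct
# Added example, not the article's code. Message layout follows the FIDO U2F
# raw format (app parameter | user-presence byte | 4-byte counter | challenge
# parameter); the device's ECDSA P-256 signature is replaced by an HMAC over
# a per-registration secret so that it runs on the standard library alone.

def app_param(app_id):
    return hashlib.sha256(app_id.encode()).digest()

class SecurityKey:  # stand-in for the key's smart card
    def __init__(self):
        self.regs = {}  # key handle -> [application parameter, secret, counter]
    def register(self, app_id):
        handle = os.urandom(16)
        self.regs[handle] = [app_param(app_id), os.urandom(32), 0]
        return handle, self.regs[handle][1]  # secret stands in for the public key
    def authenticate(self, handle, app_id, challenge, button_touched):
        ap, secret, counter = self.regs[handle]
        if ap != app_param(app_id):  # handle was registered for another site
            raise ValueError("key handle not registered for this application")
        self.regs[handle][2] = counter = counter + 1
        up = b"\x01" if button_touched else b"\x00"  # set only on a physical touch
        msg = ap + up + struct.pack(">I", counter) + hashlib.sha256(challenge).digest()
        return up + struct.pack(">I", counter) + hmac.new(secret, msg, "sha256").digest()

class RelyingParty:  # the website
    def __init__(self, app_id):
        self.app_id, self.regs = app_id, {}  # key handle -> [secret, last counter]
    def register(self, handle, secret):
        self.regs[handle] = [secret, 0]
    def verify(self, handle, challenge, response):
        secret, last = self.regs[handle]
        up, counter, sig = response[:1], struct.unpack(">I", response[1:5])[0], response[5:]
        if up != b"\x01" or counter <= last:  # no touch, or a replayed/cloned response
            return False
        msg = app_param(self.app_id) + response[:5] + hashlib.sha256(challenge).digest()
        if not hmac.compare_digest(sig, hmac.new(secret, msg, "sha256").digest()):
            return False
        self.regs[handle][1] = counter
        return True

def demo():
    key, site = SecurityKey(), RelyingParty("https://mail.example")  # constructed origin
    handle, secret = key.register(site.app_id)
    site.register(handle, secret)
    chal = os.urandom(32)
    touched = site.verify(handle, chal, key.authenticate(handle, site.app_id, chal, True))
    untouched = site.verify(handle, chal, key.authenticate(handle, site.app_id, chal, False))
    resp = key.authenticate(handle, site.app_id, chal, True)
    return touched, untouched, site.verify(handle, chal, resp), site.verify(handle, chal, resp)
```

`demo()` returns `(True, False, True, False)`: a touched response passes, an untouched one fails, and a captured response fails when presented a second time because the counter has already been seen.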

The Future of U2F
At the recent RSA Conference in San Francisco, I caught up with Stina Ehrensvärd, CEO and Founder of Yubico and unabashed evangelist for U2F. Indeed, she sees U2F as the key not just to the Internet, but to the future.

"I'm excited about U2F because my vision is that this will be everywhere," said Ehrensvärd. "Eventually it can scale to encryption, payments, it can allow users to take control of their own identity. You don't get your identity from the bank, or the government; you buy your key and it's your own ID." Ehrensvärd pointed out that U2F can take multiple forms, not just a USB key. It can be built into phones or computers, for example. She mentioned that two combined biometric-U2F devices are already out. Going forward, Yubico plans to add U2F capability to its Bluetooth and NFC-based devices.

"Authentication with a security key lets you be secure, yet anonymous," continued Ehrensvärd. "You can eliminate the username and password, so dissidents and those doing human rights work can communicate without revealing their actual identity." She pictures people carrying at least three keys: one for work, one for personal identity, and one for authenticating anonymously.

Why give away the technology? "In Sweden, Volvo decided that we need a three point seat belt," said Ehrensvärd. "The guy who developed it said, let's make this open, and saved millions of lives. We want to drive an open standard. I prefer five percent of a big market to all of a tiny one."

Using a security key to lock up email is something any of us can do, but there's a lot more to U2F. "All the leading cloud companies use it for authentication internally," she said. "We have nine of the top ten cloud companies. We get in through the geeks; they see the value." In the end, though, it's more than technology for Ehrensvärd. "Secure online identity is a basic human right," she said. "We want it to be affordable and easy for everyone."


About Neil J. Rubenking

Lead Analyst for Security

When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.

Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my "User to User" and "Ask Neil" columns, which began in 1990 and ran for almost 20 years. Along the way I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link.

In the early 2000s I turned my focus to security and the growing antivirus industry. After years working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions.
