FIDO U2F & YubiKey, 2FA, Two factor authentication

Post date: Oct 23, 2014 3:41:45 PM

Main link / news: Google strengthens 2-step verification using USB Security Key

My thoughts about it:

There's nothing new with 2FA. It's nice that they use the open Universal 2nd Factor (U2F) protocol. I guess this is also excellent news for Yubico, manufacturer of the YubiKey products. It seems that U2F / UAF are a somewhat newer standard, so I have to study it more, read the specification and write my own thoughts about it. - More information from the FIDO Alliance.

With phones you can use mobile phone based 2FA, which is afaik just as secure as this solution is. Or maybe even a bit more secure, because it's out of band, and the site the authentication is being sent to is also verified. The only drawback is that the mobile phone is hackable, but I guess it would require at least a rooted phone to be able to interfere with the login process.

In this case only the client is validated, which is the traditional security fail point. It doesn't help at all in MitM cases. Yet, the Chrome browser might be doing some tricks trying to prevent this. The FIDO documentation says that there's a login challenge, so most probably the response is only good for the requesting site. Yet, if there's malware on the system, it's totally possible (afaik) that it will request another login challenge in parallel and actually generate the login response for that service.

I've always loved YubiKeys, except that they require a USB bus, which isn't available on many 'modern' devices. Yet the wins for using USB are: no display, strong long keys, no need to enter keys, as well as no need for a replaceable battery. On the other hand the YubiKey NEO uses Bluetooth technology, but as a downside it requires a battery.