If you’ve watched much of my content, you know that I’m a fan of U2F. Any chance we get, Matt and I show off our YubiKeys on streams, at events, etc. I have multiple, and run two primarily. One is a YubiKey 5C and the other is a YubiKey 5 NFC. I carry the C on my keys; it goes with me everywhere (and never stays plugged in when I’m not authenticating). The other is in a secure location, as a backup. If something happens and I lose the C, I can fall back to the NFC. I carry the C because I can plug it into everything I use daily, like my Surface Laptop, ThinkPad, and S21. Point is, I use my YubiKey daily, and I love it. Let’s dive into some key reasons I like U2F.
First, What’s U2F?
U2F (Universal Second Factor) is a gloriously simple yet powerful mechanism for two-factor authentication. In a nutshell, it’s a very simple form of public-key-based authentication. A private key (or several) is stored on my YubiKey, just like a smart card. Depending on a service’s implementation of U2F, I need either the presence of the key and a tap, or the presence of the key and a tap PLUS a PIN. Again, it depends on the scenario. For example, I’ve made my personal Microsoft account ‘passwordless’ and I sign on with the key + its PIN. If you want a deeper explanation, this video does a good job:
Why I like U2F
There’s a lot I can go into here, but let’s cover a few.
Like… really simple. A huge problem with general cybersecurity is that two-factor can be seen as ‘inconvenient.’ And, in a way, I see people’s point (from the perspective of someone who doesn’t have risk calculation skills). Pulling out your phone to find a code can be a pain, especially if you’re doing it on the daily. I see U2F as the way forward for driving much broader adoption of two-factor, especially amongst consumers but also in business.
To this day, closing out 2021, there are still banks that do not offer real 2FA (I don’t count SMS as a second factor). Something like U2F can be a real game changer in getting people on board with true, hardware-based MFA.
The U2F standard is published and can be adopted by anyone. There are libraries for virtually any code base and developers can easily pull this into their product or service. Even operating systems like Windows allow login via U2F (at least in corporate environments for now). We’ve seen adoption of the standard in all major browser and OS players for service authentication. The only thing “not universal” about U2F is a lack of adoption, but this can easily change with pressure.
The beauty of key pairs is that secrets never cross the network. The service I’m logging into has a public key, and my YubiKey has a private key. I authenticate with a signed nonce; no secret data ever crosses the network. You can steal the nonce all you want; it’s useless to you! So long as I keep my key on me (there are side channel attacks with extended physical access to a key), that credential is safe (save for a bad implementation of the standard by a service provider or key manufacturer).
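To make the “signed nonce” idea concrete, here is an added example (my own illustration using Go’s standard library, not code from the post or from Yubico) that models both sides of a U2F login: the key holds a P-256 private key and signs the service’s challenge, the service checks the signature against the public key it stored at registration. The appId and challenge strings are constructed for the demo; a real key also returns a key handle and the browser supplies the client data, which are left out here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)
// Authenticator is one U2F registration on the key: the private key never leaves it.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32 // signature counter, sent with every assertion
}
// Register mints a P-256 key pair; only the public key goes to the service.
func Register() (*Authenticator, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &priv.PublicKey, nil
}
// signedData is what a U2F assertion signature covers:
// SHA-256(appId) || user-presence byte || 4-byte big-endian counter || SHA-256(clientData).
func signedData(appID string, counter uint32, clientData []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	buf := append(app[:], 0x01, 0, 0, 0, 0) // 0x01 = user presence (the key was tapped)
	binary.BigEndian.PutUint32(buf[33:], counter)
	return append(buf, chal[:]...)
}
// Sign answers one challenge; the counter advances so a replay or clone shows up.
func (a *Authenticator) Sign(appID string, clientData []byte) (uint32, []byte, error) {
	a.counter++
	h := sha256.Sum256(signedData(appID, a.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, h[:])
	return a.counter, sig, err
}
// Verify is the service side: stored public key, this exact challenge, counter moved forward.
func Verify(pub *ecdsa.PublicKey, last uint32, appID string, clientData []byte, counter uint32, sig []byte) error {
	if counter <= last {
		return errors.New("counter did not advance: replay or cloned key")
	}
	h := sha256.Sum256(signedData(appID, counter, clientData))
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not match this challenge")
	}
	return nil
}
```

Because the signature binds the appId, the exact challenge and a monotonic counter, a captured assertion fails against a new challenge, against a different site, and even against the same challenge a second time.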
A mix of simple and portable can be tricky. U2F keys check that box because, again, it’s universal. I can plug my key into just about any device and complete authentication.
Like anything, there are cons you should consider if you bring U2F into your life!
A U2F key is a key and must be protected
I don’t consider this a con so much as a PSA. There are documented and proven side channel attacks against a U2F key. However, they require physical access to the device for a long time and will leave tamper evidence. Basically, treat it like your house key. Keep it on you or secured at all times. My main key stays on my keychain.
Support is up and coming
Don’t go grabbing a YubiKey thinking that everything you do will suddenly support it. Many sites still use TOTP (Google Authenticator) and some, even worse, still rely on SMS. Use your key where it’s supported and encourage others to support it (and use other means of MFA in the meantime).