Word Notes 3.15.22
Ep 91 | 3.15.22

Universal 2nd Factor (U2F)

Transcript

Rick Howard: The word is U2F.

Rick Howard: Spelled U for universal, two for second, and F for factor.

Rick Howard: Definition: An open standard for hardware authentication tokens that use the universal serial bus, or USB, near-field communication, or NFC, or Bluetooth to communicate one factor in a two-factor authentication exchange.

Rick Howard: Example sentence: Initially, U2F was created by Google and Yubico working in partnership.

Rick Howard: Origin and context: In the 1960s, when computers started to become an essential tool for big business and government, the late, great Dr. Fernando Corbató, one of computing's founding fathers, introduced the idea of using passwords to gain access to computer systems as a stopgap to prevent students from seeing their teachers' files on the same mainframe. He had no idea that that method would remain the number one authentication system for the next 60 years.

Rick Howard: That started to change in 1995, when AT&T patented the idea of two-factor authentication. They said that to identify an authorized user, a system needed to check at least two of three factors: something they have, like a smartphone; something they are, like a fingerprint; or something they know, like a password. But the early systems were clunky, hard to manage, and only used in environments that needed the most security.

Rick Howard: In 2012, a number of commercial companies like PayPal and Lenovo formed the FIDO Alliance, which stands for Fast Identity Online, with the purpose of developing a passwordless authentication protocol. By 2013, Google, Yubico, and NXP had joined the Alliance and brought with them the idea of an open-source, second-factor authentication protocol.

Rick Howard: By 2015, the Alliance announced support for contactless transport over Bluetooth and near-field communication, or NFC. NFC is a protocol that helps two devices communicate wirelessly when they are placed right next to each other (the range is about 4 inches), like using your mobile device to validate your boarding pass in airports. Devices with NFC hardware can establish communications with other NFC-equipped devices, as well as NFC "tags." NFC tags are unpowered NFC chips that draw power from nearby NFC devices. U2F, then, is a universal standard for creating physical authentication tokens that can work with any service.

Rick Howard: As of this writing in 2022, vendors like Google, Yubico, Thetis, and Kensington offer their versions of these tokens to the commercial market. Some use the NFC protocol, some use Bluetooth, and others plug into USB ports so that they can be used to authenticate web transactions.

Rick Howard: Nerd reference: At the 2018 RSA Conference, Brett McDowell, the executive director for the FIDO Alliance, explains at a high level how U2F keys work:

Brett McDowell: So keep this in mind as you go through and see the demos; this is what's happening under the hood. So you have the user, and they're being verified by the device. So the evidence that's exchanged between the user and the device is local. It's not going over the internet, and that evidence can be a PIN number. It can be a biometric, and that's between the user and their device. So you take out all the vulnerabilities of remote attack.

Brett McDowell: Then the device, once satisfied that it has the correct user, will sign challenges per the FIDO challenge-response protocol. The private keys are generated by the authenticator on the device. Don't think of the authenticator as a widget; think of the authenticator as a capability. It's a capability of that personal device, and the public key is stored with the username in the database in the cloud, so that when the challenge is signed by the correct private key, the application knows that it could only have received that mathematical result from the correct device per the correct user. And we call that party the relying party; it's the application in the cloud, because they are relying upon the FIDO authenticator to do it. So that, in essence, is what's happening under the hood.

Rick Howard: Word Notes is written by Nyla Gennaoui, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.