Two-step or two-factor authentication provides better security than a single factor. For instance, a fingerprint combined with a PIN is stronger than either alone.
Security professionals generally divide authentication techniques into three categories: something you have, something you know, and something you are. Corresponding examples would be a token or an app on a smartphone, a password, and a fingerprint. Generally, two-factor authentication involves using something from two different categories. We discuss this at length in Learning Tree’s System and Network Security Introduction course.
One issue has been that there are many different ways of implementing two-factor authentication, which annoys users and makes developers repeatedly reinvent the wheel. Google Authenticator is an app-based tool that helps make this easier. Unfortunately, it is not universal. It may not be practical for some enterprises (e.g. those that tightly control the software installed on mobile devices), and it did not receive the widespread deployment it deserved.
The Fast Identity Online (FIDO) Alliance is an industry group working to make two-factor authentication more ubiquitous. One of their initiatives is Universal Second Factor or U2F. Even the name makes it clear this method is not to be used alone.
FIDO authentication schemes support both wired and wireless methods including USB, Bluetooth Low Energy, NFC, and smart cards. My U2F devices are USB.
One consequence of requiring a physical device for authentication is that it is impossible to log in without the token itself; a password alone is not enough. That makes compromising accounts directly nearly impossible. A Google paper describes that organization’s success with FIDO.
Google also reported that the U2F scheme is quick. In my case, I enter a traditional password and then click on a small USB key (the one in the photo below to be exact) inserted into a USB port. It is indeed easy and quick.
Internally, the operation of the scheme is simple. When using it for a website, the user provides a username and password to the server via a browser. If those credentials are valid, the server issues a challenge to the browser, which passes it to the key. When the user touches the key, it generates a response that is passed back to the server and verified. When I use it with a Linux virtual machine, the USB device is mapped to the VM and Linux issues the challenge and receives the response directly, without a browser.
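To make the challenge-and-response step concrete, here is an added example (not code from the post, Yubico or FIDO) that simulates the key and the server in Go with a P-256 ECDSA pair: the key signs the application ID hash, a user-presence byte, its use counter and the hash of the client data carrying the server's challenge, and the server checks both the signature and that the counter advanced. The app ID, the challenge bytes and the single-key-pair model are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)
// Authenticator models the key; RelyingParty models the server's record of it (constructed).
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}
type RelyingParty struct {
	appID       string
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

// signedData is what a U2F key signs when authenticating: SHA-256(appID) ||
// user-presence byte || counter || SHA-256(client data holding the server's challenge).
func signedData(appID string, presence byte, counter uint32, clientData []byte) []byte {
	appHash, cdHash := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	buf := binary.BigEndian.AppendUint32(append(appHash[:], presence), counter)
	return append(buf, cdHash[:]...)
}

// Register runs once: the key makes a pair and the server stores the public half.
func Register(appID string) (*Authenticator, *RelyingParty) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv}, &RelyingParty{appID: appID, pub: &priv.PublicKey}
}

// Touch simulates the user pressing the key: bump the counter and sign the challenge.
func (a *Authenticator) Touch(appID string, clientData []byte) (uint32, []byte) {
	a.counter++
	digest := sha256.Sum256(signedData(appID, 1, a.counter, clientData))
	sig, _ := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return a.counter, sig
}

// Verify accepts a valid signature only if the counter moved forward (replay/clone check).
func (rp *RelyingParty) Verify(clientData []byte, counter uint32, sig []byte) bool {
	digest := sha256.Sum256(signedData(rp.appID, 1, counter, clientData))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], sig) || counter <= rp.lastCounter {
		return false
	}
	rp.lastCounter = counter
	return true
}
```

Because the signed data includes the app ID hash, a response produced for one site cannot be replayed against another, and the counter check is how a server notices a response being reused.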
Yubico, a manufacturer of U2F devices, describes the operation of the system in detail.
Source code for implementing the server is available from Yubico as open source. Other vendors may provide open source tools, too, but the devices I have are from Yubico. Different versions for different environments are available. Yubico also has a demonstration page to illustrate how simple it is to use. You’ll need a U2F key to use it, of course. It even shows the challenge and response.
In a subsequent post, I will explain how I use my key as a second factor for logging into a Linux VM.
To your safe computing,