U2F Security Keys Show Extreme Effectiveness Against Phishing

FIDO Alliance’s Universal 2nd Factor (U2F) standard for two-factor authentication (2FA) security keys may soon bring phishing to an end. Google has recently revealed that since the company adopted U2F security keys for all of its employees last year, it hasn’t experienced a single successful phishing attack.

Adoption Of U2F Security Keys

U2F security keys are the most secure way to enable 2FA for all of your online accounts. In comparison, SMS 2FA, the most popular 2FA method by far right now, is much more vulnerable to both trivial hacks of the carriers’ SS7 system, as well as social engineering attacks (such as impersonating you and asking the carrier to port your number to their device).

SMS 2FA is so vulnerable that the National Institute of Standards and Technology (NIST) recommended its deprecation two years ago. However, even large companies such as Google, Facebook, and Dropbox still ask users to enable SMS 2FA by default.

Some of the companies that support U2F keys also tend to leave SMS 2FA enabled as a “fallback” for when, for whatever reason, the users won’t use the enabled U2F security key instead. This is a major problem from a security perspective, because it renders the security key as (in-)secure as the SMS 2FA. The attackers would simply request the SMS fallback from the service if they can gain the 2FA code that way and don’t have your U2F security key.

Why U2F Security Keys Are So Effective Against Phishing

A U2F security key is much more secure against phishing compared to SMS 2FA or an authenticator app for multiple reasons. Firstly, it’s an isolated system that doesn’t live on an operating system with a large attack surface.

Secondly, its security is backed by hardware whose purpose is only to generate and store keys securely. Thirdly, whenever you need to login to a website on which you’ve enabled U2F 2FA, you only need to press a button on the security key, which generates a response and sends it to the server. However, in a phishing attempt, the phishing site that looks like the site to which you intended to log in would not be recognized by the security key so it wouldn’t send it that response.

Right now, only Chrome supports U2F authentication by default. Firefox has added support for it, but users need to enable it manually. Microsoft is expected to support U2F in the Edge browser later this year. Apple hasn’t yet said whether or not it will support it.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • techy1966
    Problem is once it goes main stream if ever it draws the attention of those that like to find ways to bypass security etc at which point we will see yet another security product go down the drain because it does not matter how good a product or security is there will always be someone that has the skill set to get around it.
  • tacgnol06
    I don't know, Techy1966. At that point, it's a question of how difficult the bypass is to use. If it's any harder than "trivial", then you're still protected against casual attempts, which is to say the vast majority of them.
  • mrjhh
    At some point, people will lose or break their U2F key, and how does one authenticate the person asking for a replacement? Someone like Google can enforce requiring an employee come to the office to get a replacement, and match the picture taken when they joined Google to the person. This does not scale, as at some point, weak links in personal identification will be found. Wetware is always the weakest link in any security scheme.