U2F Security Keys Show Extreme Effectiveness Against Phishing

FIDO Alliance’s Universal 2nd Factor (U2F) standard for two-factor authentication (2FA) security keys may soon bring phishing to an end. Google has recently revealed that since the company adopted U2F security keys for all of its employees last year, it hasn’t experienced a single successful phishing attack.

Adoption Of U2F Security Keys

U2F security keys are the most secure way to enable 2FA for all of your online accounts. In comparison, SMS 2FA, the most popular 2FA method by far right now, is much more vulnerable to both trivial hacks of the carriers’ SS7 system, as well as social engineering attacks (such as impersonating you and asking the carrier to port your number to their device).

SMS 2FA is so vulnerable that the National Institute of Standards and Technology (NIST) recommended its deprecation two years ago. However, even large companies such as Google, Facebook, and Dropbox still ask users to enable SMS 2FA by default.

Some of the companies that support U2F keys also tend to leave SMS 2FA enabled as a “fallback” for when, for whatever reason, the users won’t use the enabled U2F security key instead. This is a major problem from a security perspective, because it renders the security key as (in-)secure as the SMS 2FA. The attackers would simply request the SMS fallback from the service if they can gain the 2FA code that way and don’t have your U2F security key.

Why U2F Security Keys Are So Effective Against Phishing

A U2F security key is much more secure against phishing compared to SMS 2FA or an authenticator app for multiple reasons. Firstly, it’s an isolated system that doesn’t live on an operating system with a large attack surface.

Secondly, its security is backed by hardware whose purpose is only to generate and store keys securely. Thirdly, whenever you need to login to a website on which you’ve enabled U2F 2FA, you only need to press a button on the security key, which generates a response and sends it to the server. However, in a phishing attempt, the phishing site that looks like the site to which you intended to log in would not be recognized by the security key so it wouldn’t send it that response.

Right now, only Chrome supports U2F authentication by default. Firefox has added support for it, but users need to enable it manually. Microsoft is expected to support U2F in the Edge browser later this year. Apple hasn’t yet said whether or not it will support it.