US Adopts ‘Un-phishable’ FIDO U2F Two-Factor Authentication

At the Federal Identity Forum (FedID), where U.S. federal agencies and the identity community discuss new technologies and trends, the U.S. government adopted the FIDO Universal 2nd Factor (U2F) authentication protocol for the first time.

U2F Protocol

The U2F protocol was one of the main protocols designed and developed by the FIDO Alliance, a group of companies working on standardizing biometric and two-factor authentication protocols. The U2F protocol has already been adopted by hardware authentication token makers such as Yubico, the co-author of the U2F standard, which also sells the popular Yubikey tokens (with or without the new U2F standard).

Major services companies such as Google, Facebook, and Dropbox have also adopted U2F authentication, but most of these companies' implementations have been weakened by allowing SMS code retrieval as a backup two-factor authentication solution. U2F authentication is more resilient against attacks when only hardware tokens are used, with no weaker alternative kept as a backup.

“Un-Phishable” Authentication

Several federal agencies that were already using the ID.me identity gateway started using the FIDO U2F two-factor authentication solution as soon as it was made available to them via the service. The ID.me system uses FIDO U2F hardware tokens as an extra layer of authentication for its identity proofing services. The ID.me platform also provides a wallet where users can store virtual “ID cards,” which they can then use to log in to various services and websites.

"Thieves can guess or steal passwords from a database and they can spoof biometrics," said Blake Hall, ID.me’s CEO. “A physical FIDO U2F Security Key is 'un-phishable' -- it must be physically stolen from you, to compromise your account. To provide more robust and easy to use security to all customers, it's essential to support FIDO U2F based standards and the adoption of security keys,” he warned.

Over 250 companies have become members of the FIDO Alliance, which means it's now only a matter of time before the FIDO U2F protocol is used everywhere. According to the latest Verizon Data Breach Investigations Report, 81% of data breaches happen because of weak or stolen passwords. Using two-factor authentication (that's also not trivial to intercept) would go a long way towards making the targets harder to hack.
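An added example, not part of the original article, of where the "un-phishable" property comes from: in U2F the browser writes the page's origin into the clientData that the token signs, and the service rejects any assertion whose origin it does not trust. The appId, the two origins and the challenge are constructed assumptions; ECDSA verification is out of scope, so the block shows the service-side checks and the signed byte layout.

```python
import base64, hashlib, hmac, json, struct

APP_ID = "https://login.agency.example"   # assumed relying-party appId
TRUSTED_ORIGINS = {APP_ID}                # assumed trusted facet list

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_client_data(origin: str, challenge: str) -> str:
    """Constructed stand-in for browser output; the browser, not the user, sets origin."""
    cd = {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin}
    return b64url(json.dumps(cd).encode())

def check_client_data(client_data_b64: str, expected_challenge: str) -> bytes:
    """Relying-party checks on clientData; returns the raw bytes or raises ValueError."""
    raw = base64.urlsafe_b64decode(client_data_b64 + "=" * (-len(client_data_b64) % 4))
    cd = json.loads(raw)
    if cd.get("typ") != "navigator.id.getAssertion":
        raise ValueError("not an authentication assertion")
    got = str(cd.get("challenge", "")).encode()
    if not hmac.compare_digest(got, expected_challenge.encode()):
        raise ValueError("challenge mismatch (stale or replayed)")
    if cd.get("origin") not in TRUSTED_ORIGINS:
        raise ValueError("origin mismatch: " + str(cd.get("origin")))
    return raw

def signed_bytes(raw_client_data: bytes, user_presence: int, counter: int) -> bytes:
    """Data the token signs: SHA-256(appId) | presence | counter | SHA-256(clientData).
    Rewriting the origin in transit changes the last hash and breaks the signature."""
    return (hashlib.sha256(APP_ID.encode()).digest()
            + struct.pack(">BI", user_presence, counter)
            + hashlib.sha256(raw_client_data).digest())

def verdict(client_data_b64: str, expected_challenge: str) -> str:
    try:
        check_client_data(client_data_b64, expected_challenge)
        return "accepted"
    except ValueError as exc:
        return "rejected: " + str(exc)

if __name__ == "__main__":
    challenge = b64url(b"constructed-32-byte-server-nonce")  # constructed sample
    for origin in ("https://login.agency.example", "https://login-agency.example"):
        print(origin, "->", verdict(make_client_data(origin, challenge), challenge))
```

An SMS code carries no such origin field, which is why keeping SMS as a fallback reopens the path the token closes.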

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • derekullo
    They really should change their logo to a dog eating a fish.
  • akula2
    >Major services companies such as Google, Facebook, and Dropbox have also adopted U2F authentication

    Thanks, which means it's compromised by NSA already!