I've written a few times about two-factor authentication (2FA), where a password (something you know) is paired with a second item, like a device-generated token or a one-time code sent via SMS (something you have). A password can be stolen, phished, or extracted from a breached database, so a second factor makes it substantially more difficult for someone who lacks physical access to you or your stuff to break into one of your accounts. It also makes wholesale attacks across thousands or millions of accounts impractical, unless 2FA is badly implemented or attackers find an exploit. Of the second factors just named, SMS is the weakest, because a text message can be intercepted or redirected to an attacker's phone.
While Apple has tried to take the pain out of 2FA through its trusted device approach with iCloud accounts, many people still believe this is too complicated for average users to employ. There needs to be something powerful, simple, and ubiquitously supported, they argue — as do I. Apple's solution only works for people fully embedded in Apple's ecosystem and only for some of Apple's services.
2FA apps, like Authy and Google Authenticator, are good alternatives if you're in frequent need of a second factor. They're relatively simple to set up, but they're still not for everyone. And even though I use such apps every day, I confess that I sigh as I walk through the several straightforward steps to pull up the necessary app and then type in a confirmation factor.
A new hope
There's hope for even greater simplicity, though, from the wonkily named FIDO Alliance U2F standard. FIDO (Fast IDentity Online) is a group of security, hardware, and online-finance companies trying to set broad standards for better authentication; U2F stands for Universal 2nd Factor. U2F is implemented in a small hardware device, such as a USB dongle, containing a cryptographic chip that holds a private key and uses it to provide the second okey-dokey for a login or session.
A U2F device is registered to a service or website, just as you would set up code-based second-factor verification. During that registration the device generates a fresh key pair for that site, keeps the private key to itself, and hands the site the public key plus an opaque "key handle" that identifies the pair. From then on only that device can answer the site's second-factor challenges, because each answer is a signature the site checks against the stored public key. The signature also covers the site's identity (its origin) and a use counter, so a look-alike phishing site cannot relay the challenge and reuse the answer, and a cloned device gives itself away when the counter fails to advance. In two versions I tested from Yubico, a hardware authentication device maker that is out in front on this technology, the circuitry is also tamper-resistant and its firmware can't be updated.
Instead of a key fob or card that generates a time- or sequence-based code on a display that you then type in, a U2F key is plugged into the USB port of your device, such as a laptop, when you're going to log into an account. In some cases, plugging in the device is enough; with other devices, you may need to tap a button to send the information. That tap is the standard's "user presence" test: it keeps malware on the computer from silently using a key that has been left plugged in.
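The registration and login exchange described in the two paragraphs above, as an added example in Go that is not Yubico's or the FIDO Alliance's code: a toy token and a toy website walk through the simplified U2F handshake, and the test exercises the three failure modes that matter (a replayed response, a look-alike phishing origin, and a key that was never touched). The names Token, Server, NewChallenge and signedDigest and the app IDs https://bank.example and https://bank-login.example are illustrative assumptions; the attestation certificate, the USB framing and the browser's role in supplying the origin are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Token is a toy U2F authenticator: a real key derives per-site keys from a master secret; this one keeps them in a map.
type Token struct {
	keys    map[string]*ecdsa.PrivateKey // key handle -> private key
	appOf   map[string][32]byte          // key handle -> SHA-256 of the app ID (origin) it was registered for
	counter uint32                       // monotonic use counter, shared across sites like a real YubiKey
}

func NewToken() *Token {
	return &Token{keys: map[string]*ecdsa.PrivateKey{}, appOf: map[string][32]byte{}}
}

// Register mints a fresh P-256 key pair bound to appID and returns the public key plus an opaque handle; the private key never leaves the token.
func (t *Token) Register(appID string) (*ecdsa.PublicKey, string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, "", err
	}
	handle := priv.X.Text(16) // real handles are a wrapped nonce, but any unique opaque string will do here (assumption)
	t.keys[handle] = priv
	t.appOf[handle] = sha256.Sum256([]byte(appID))
	return &priv.PublicKey, handle, nil
}

// Authenticate refuses unless the handle belongs to this exact appID (so a look-alike phishing origin gets nothing) and the user touched the key.
func (t *Token) Authenticate(appID, handle string, challenge []byte, touched bool) (uint32, []byte, error) {
	priv, ok := t.keys[handle]
	if !ok || t.appOf[handle] != sha256.Sum256([]byte(appID)) {
		return 0, nil, fmt.Errorf("key handle not registered for app ID %q", appID)
	}
	if !touched {
		return 0, nil, fmt.Errorf("user presence required")
	}
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(appID, t.counter, challenge))
	return t.counter, sig, err
}

// signedDigest is what U2F signs: SHA-256(appID hash || 0x01 user-presence byte || 4-byte big-endian counter || challenge hash).
func signedDigest(appID string, c uint32, challenge []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	msg := append(app[:], 0x01, byte(c>>24), byte(c>>16), byte(c>>8), byte(c))
	d := sha256.Sum256(append(msg, chal[:]...))
	return d[:]
}

// Server is the website (relying party); one user, for brevity.
type Server struct {
	AppID    string
	pubs     map[string]*ecdsa.PublicKey // key handle -> public key from registration
	counters map[string]uint32           // key handle -> highest counter accepted so far
}

func NewServer(appID string) *Server {
	return &Server{AppID: appID, pubs: map[string]*ecdsa.PublicKey{}, counters: map[string]uint32{}}
}

// Enroll runs the registration handshake and stores what the token returned.
func (s *Server) Enroll(t *Token) (string, error) {
	pub, handle, err := t.Register(s.AppID)
	if err == nil {
		s.pubs[handle] = pub
	}
	return handle, err
}

// NewChallenge is the server's fresh per-login nonce; reusing one would allow replay.
func NewChallenge() []byte { c := make([]byte, 32); rand.Read(c); return c }

// FinishLogin verifies the response and insists the counter advanced, which catches replayed responses and cloned tokens.
func (s *Server) FinishLogin(handle string, challenge []byte, counter uint32, sig []byte) error {
	pub := s.pubs[handle]
	if pub == nil || !ecdsa.VerifyASN1(pub, signedDigest(s.AppID, counter, challenge), sig) {
		return fmt.Errorf("unknown key handle or bad signature")
	}
	if counter <= s.counters[handle] {
		return fmt.Errorf("counter %d did not advance past %d: replay or cloned token", counter, s.counters[handle])
	}
	s.counters[handle] = counter
	return nil
}

func main() {
	tok, bank := NewToken(), NewServer("https://bank.example")
	handle, _ := bank.Enroll(tok)
	chal := NewChallenge()
	ctr, sig, _ := tok.Authenticate(bank.AppID, handle, chal, true)
	fmt.Println("login:", bank.FinishLogin(handle, chal, ctr, sig), "| replay:", bank.FinishLogin(handle, chal, ctr, sig))
}
```

Two design points are worth noticing. The token never compares origins as strings the website sends in; it compares the hash of the origin the browser reports against the one recorded at registration, which is why a phishing page on a different domain cannot borrow the bank's key handle. And the server, not the token, is the one that notices replay: the token only promises a counter that never goes backwards, so a site that forgets to store and compare the counter loses that protection.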
Yubico accomplishes this without drivers by presenting its keys as USB human-interface devices, the same device class as keyboards and mice, which every operating system supports out of the box. (The older YubiKey one-time-password mode really does type a code as if it were a keyboard; the U2F function is a separate HID interface with its own message format, not keystrokes.) The OS recognizes the device, but the browser or app still has to speak the U2F protocol over that interface to carry the challenge to the key and the signed response back. For mobile devices, this means a USB adapter for a standard Type A plug is needed.