The Unofficial U2F FAQ

U2F discussions on the internet always end up with questions like “if someone finds my U2F token, can they can they list its accounts?” (“No” is the answer.) This FAQ is for those common, end-user type questions. There’s also an official FIDO FAQ that has more of a focus on technical details.

Q: What Does a FIDO U2F Key Do?

A FIDO U2F key looks like a USB key, and it greatly improves the security of logging in to a website. The FIDO Alliance is a non-profit founded to develop open standards to improve security on the web. The U2F USB token is the first major hardware design to come out of FIDO, designed to be simple, inexpensive ($10-$20), and extremely secure.

The U2F USB token has a little button on it, and you click the button to complete the log in process. In this way, the token forms a “second factor” for your log in, so even if a bad guy obtains your password, they will not be able to access your account. U2F is more secure than other 2FA systems (detailed below).

Q: How Do I use U2F?

You will need a U2F token and a website (google, facebook, github, …) that supports U2F. First, use the “Enable U2F” option on the web site you want to secure. Your browser will put up a message saying something like “This web site is trying to contact your U2F token. Click the button on your token to approve.” Clicking the button completes the one-time registration of that U2F token to that web account, securing it.

To log in to the account, you type in your username and password as usual. Then the site will require the U2F token as a second factor to complete the log in. Your browser will display a message saying that the web site requests U2F approval. Click the button on your U2F token to approve the log in. Rather than requiring U2F every time you log in, a site might only require it when logging in from a new device, or once a month, or when taking a particular action.

A bad guy, even if they have obtained your username and password, cannot complete the log in, since the bad guy cannot get the secret key which is secured inside the U2F token. All three are required to log in: username, password, a button click on the registered U2F token.

Q: How Do I Buy a U2F token?

Just search your favorite web store for “U2F”. U2F is an open standard so many manufacturers make them. Yubico is perhaps the most prominent vendor (and was an important early part of the standard). Note that Yubico sells more expensive tokens that perform U2F and also other functions. The U2F-only tokens are the cheapest. It’s good to get a token that supports NFC as well as USB, given the way cell phones are taking over everything. Hopefully Apple will get their act together and support NFC soon.

Q: Background — What is 2FA?

Two-Factor (2FA) also known as “multi-factor authentication” requires a second thing to log in (not just an additional password). A common form is an app on your phone that displays a code number you type in as part of log in. The result is that an attacker who obtains the victim’s password (say by phishing) is still not able to log in. Even the simplest 2FA scheme greatly increases the security of an account. Here are some common 2FA schemes in addition to U2F:

SMS — the site sends a login code in an SMS message to your registered cell number. This form of 2FA is easy to set up, as you just associate your cell number. When you upgrade your phone, it still works. A high-profile problem here is that a motivated attacker can pretend to be you and convince your cell provider to port over your phone number, giving them access to the login codes (this requires a more-than-usual motivated attacker). Other problems with SMS 2FA are that it is susceptible to phishing, depends on the cell network, and is a bit of work since you have to type in the numbers.

OTP/TOTP — One Time Password systems, typically use an app on your phone which displays a code number you type in to log in. Also available in the form of a little plastic device that displays the number to type in. The nice thing about OTP/TOTP is that it’s a well established standard and there are many high quality implementations, such as Google Authenticator. The OTP app does not depend on your phone number or network connection, so that keeps it simple. One headache is that when you move to a new phone, you have to set it up again. Since the user types in the code, this is still susceptible to phishing, and has the work of typing the code. (Aside: there are also proprietary systems like Symantec VIP that are similar to TOTP. Ironically, Symantec has had security problems in its security software. For whatever reason, banks tend to support Symantec instead of standard TOTP.)

U2F — U2F is an improved form of 2FA. It uses a mathematical secret key isolated on a hardware token. Instead of typing anything, you click a button on the token to log in, so it’s very easy. Notably, it’s very resistant to phishing, so arguably it’s the most secure. It’s a new standard, so it’s not widely supported yet.

Q: What are the advantages of U2F compared to other types of 2FA?

  • U2F requires just a button click to log in instead of typing in a code. A study found it to cut 2/3’s of the time to log in: https://www.yubico.com/2016/02/use-of-fido-u2f-security-keys-focus-of-2-year-google-study/
  • U2F is highly resistant to phishing. With U2F, it’s nice that users don’t need to constantly check what URL is asking them to log in. The U2F device takes care of knowing the right site from the phishing site. Phishing is a huge source of account break ins, so 2FA technology that deals with phishing is an important step.
  • U2F can be plugged in to a malware-infested machine, and the login code remains safe (however the malware can cause many other problems outside U2F)
  • U2F does not depend on the cell network, so it works without connectivity, and is not susceptible to SMS type problems where a bad guy takes over your phone number
  • U2F is so secure, sites may eventually relax the rules of password complexity. You can just have a simple little password (or no password!), since the password is no longer the main thing in the way of the bad guys.
  • U2F is an open standard, so it’s easy for sites and vendors to support it (e.g. below is a report of Intel building U2F into computer hardware, so you don’t need to carry a token around)
  • U2F protects the privacy of users, not giving sites an id number to track users across sites.

Q: What are the disadvantages of U2F?

  • You have to carry around a token to complete your login. This is also what makes U2F secure — the bad guy can get your password, but they don’t have the secret key locked away in the U2F token, and the token can be locked down in a way that is difficult for a cell phone.
  • U2F is pretty new, so many sites do not support it as an option yet. U2F is most likely to be supported by sites that are technological leaders and where security is important (google, facebook, dropbox, github). The next time your bank is wasting your time with their multiple-step, insecure 2FA system, ask them why they don’t support U2F.
  • Only Chrome, Opera and (with an add on) Firefox support U2F currently.

Q: Can I Use U2F With My Phone or Tablet?

Currently, USB is the most common form of U2F and is not widely supported by phones. However wireless NFC and Bluetooth forms are just coming on the market and these work with phones and tablets.

NFC — U2F over NFC short range radio requires the user to touch the U2F token against the phone or computer to log in, which is maybe even easier than the button-click system. NFC is simple and does not require batteries, so NFC support can be added to a USB token pretty easily. Currently NFC only works on Android, as Apple blocks all non-Apple access to the NFC hardware.

Bluetooth — U2F data is also designed to be carried over Bluetooth. In that case, the user clicks the button on the token to log in, and log in approval is sent to the computer or phone wirelessly. Yubico reports that this is likely the easiest way to get U2F support on iPhones and some U2F tokens on Amazon claim this works now, but I haven’t tried it. Really, it would be nice for Apple to be a little more responsive here.

Q: What About U2F Support Built in To My Phone or Computer So There’s Nothing To Carry Around?

There are plans to add U2F support to laptop hardware directly (and it’s easy to imagine the same thing for phones). In that case, you will not need to cary a separate token, instead clicking a U2F button on your computer to approve log ins. With careful implementation, the U2F secret key can be isolated from the rest of the computer, remaining protected from malware on the computer (just as with a separate U2F token).

http://www.tomshardware.com/news/dropbox-kaby-lake-u2f-authentication,33324.html

Q: Can Web Sites Use U2F To Track Me?

No. A U2F token registers with a web site with a giant random number. Registering another time, it will use another giant random number. So there is no identifying ID for web sites to use. Enhancing privacy was a goal of the U2F standard, which is why the design works this way. There is one oddball case where a single web site can, with difficulty, figure out if two accounts share a token — see next question.

This also means that if the site itself is broken into, the attackers will just see a big random number for each U2F account, with no visible information linking it to a particular token.

Q: What happens if I lose my U2F token and someone else finds it?

This is a common concern about U2F! The short answer is that your account is still perfectly secure. And, surprisingly, the person who found the token can adopt it and use it to secure their accounts. Here is the long answer:

The U2F token physically looks like a USB storage key, but it does not store things in that way. With a U2F token in hand, there is no way to list out the accounts it secures. With the most common implementation strategy, no such list even exists. Instead, the token has a secret key locked in the token, and it uses this key to approve or reject a request from a web site. When a user tries to log in to a site, the site sends a specially formatted request to the token, which in turn approves or rejects the request. The details are complicated, but in particular, the token does not need to store a list of web sites or user names to perform its function.

Also, the U2F log-in scheme does not use a token-specific ID number. This is a deliberate choice to maintain privacy. Therefore, if someone finds a U2F token, they could use the token to secure their own accounts, and it would work fine without revealing anything that connects back to the original owner’s accounts. In normal operation (see exception below), sites will not detect that this is the same token used to secure another account. Or put another way, every registration by a token appears unique and unrelated to every other registration. This is why a new user can use a U2F token, and that use will not connect back to earlier uses of that token.

To log in to your account after finding your U2F token, the finder would need to know your account name, and your password, and have the U2F token. The U2F token by itself does practically nothing.

If you lose a U2F token, you can remove it from a site’s second-factor registered device list, removing the log-in capability from the web-site side (although to be clear, whoever has the token would need to know your username and password to log in to your account anyway).

Exception: there is one obscure way that a site can determine that two accounts use the same token, although it requires the site to do something deliberately weird. Suppose user A and user B both secure their accounts at example.com with the same U2F token. This works fine. Each registration by a token is identified by a giant random number, and there is no indication to the site what specific token or tokens produced these numbers. Therefore, the site cannot tell if users A and B are using the same token. BUT if when user A tries to log in, the site deliberately sends user B’s log in information, the token will approve the request, and in this way the site could conclude that A and B share a token. This requires the site to deliberately go outside the normal log in sequence, so it does not seem like scenario to worry about much. Note also that this is not some bad guy trying to break into a site, it is the site itself learning information about its users.

Q: Can someone make a copy of my U2F token?

Not easily. The U2F token has a secret key stored inside a hardware chip in the token specifically designed to make it very difficulty to access the key.

A motivated and well funded attacker, such as a government, might be able to get the secret key out of the U2F token given access to the token and enough time. For the ordinary attacks against accounts, U2F is extremely effective.

Q: Does the manufacturer of the key have access to my accounts?

No. The secret key used by the token to secure accounts is “minted” inside the token itself and never leaves the token. This is perhaps contingent on the token being designed and built properly. For the most security, buy a well known brand.

Q: How many sites can U2F support?

With the most common U2F token design, a single U2F token supports an unlimited number of sites and accounts. It is possible for a U2F token to have a limit on the number of accounts supported, but this is rare.

Q: Can a web site support multiple U2F tokens for an account?

Yes. The site needs to add support for multiple U2F tokens per account. The U2F tokens support this case by default. In fact, a second U2F token is an excellent “backup” method in case the main U2F token is lost. See next question.

Q: What if I lose my U2F token? Do I need a “backup” way to log in?

Yes, you will need a “backup” method to get in to your account in case you lose your U2F token (applies to any 2FA scheme really). The methods available depends on the web site. Here are some possible strategies:

a. Another U2F token — depending on the web site, an account can register multiple U2F tokens, and any one of them can log in. The user could keep a backup U2F token at home in case they lose their main one. This is probably the best, as registering a U2F token is just a couple clicks and you’re done. Label the backup token and put it away with your important papers. One token can backup tons of accounts without any problems.

b. Backup Login Codes — Google, for example, lets the user print out a few backup code numbers ahead of time which can be used to log in later if the U2F token is not available. One nice feature of the printed codes as they will still work even after you change phones.

c. OTP numbers. The account could have a One-Time-Password (OTP) phone app registered as a backup way to log in. It’s unfortunate that this will need to be updated each time the user changes their phone.

A risk here is that a very motivated attacker could, say, first interfere with the network connection so that U2F login gives an error message, forcing the victim to use the backup login method. Then the attacker uses phishing to defeat the backup login. This works because U2F is highly resistant to phishing, while other 2FA methods such as OTP codes are vulnerable to phishing. Still, if the user is vigilant about phishing when using a backup, these could work fine.

d. Cell phone number with SMS. A SMS login could work as a backup login. This is probably the worst option, as there are many instances where a motivated attacker convinced the cell-provider to redirect the phone number to the attacker’s phone, so they get the SMS login code.

Q: Is it really so bad if I use a not-very-secure technique like SMS as my backup?

Unfortunately, your backup login technique determines your overall security against a motivated attacker, like the weakest link in a chain. If you use, say, SMS as the backup technique, then an attacker can contact the site pretending to be you, claim the U2F token is lost, and then attack the not-so-secure backup technique. That said, most attacks are not that motivated.

Q: Do I need to use U2F for every account?

No. Email is good to secure, since password-resets for other accounts go through email, and gmail supports U2F. Other good accounts to secure are bank accounts, PayPal, EBay, anything to do with bitcoin, although most of these sites today only support less secure 2FA like SMS.

Editorial: It’s unfortunate that banks and other important sites are so slow to adopt security technologies. The sites should offer the option of secure 2FA such as U2F or OTP. I imagine they are balancing the costs of security problems for their users vs. the tech-support costs for the bank when users lock themselves out of their own accounts with 2FA snafus. (Update July-2017: I talked with a rep at the financial services company Vanguard, and they’re in the process right now of adding U2F. Vanguard is pretty technologically hip, so I guess that fits the pattern.)

Q: Can a bad guy tampering with my internet connection perform a man-in-the-middle (MITM) attack against U2F?

U2F is specifically designed to resist insecure-internet and MITM attacks. Foremost, the secret key at the core of the secure login does not leave the U2F token, and so is not exposed to the insecure network connection or malware on the host computer. Also, U2F leverages HTTPS certificates, the widely used technology that keeps a network connection secure even if the network itself is being tampered with.

However, successful attacks against HTTPS have happened in the past, so it’s hard to say that such an attack against U2F is impossible. In particular, if the attacker could control the HTTPS connection at the original registration moment, then the attacker could substitute their own U2F token credentials, and then maintain this ruse every other time the user logged in. As a practical matter, attacking HTTPS is very difficult, and U2F layers on additional difficulties, so this attack appears to be extremely challenging for the attacker.

Q: Suppose there is a machine that is infected with malware, and I plug my U2F token into the infected machine and use it to log in to a site. Can the malware make a copy of my U2F?

No, the malware infected machine cannot read or compromise your U2F token. The secret key never leaves the U2F token. The U2F token manages its own encryption, so it does not give control to the computer it is plugged in to. But there can be other problems with malware (see next question).

Q: Does U2F protect me from malware on my computer?

No. U2F solves the most common password and phishing problems, so that’s great. In particular, malware might discover a victim’s password, but the bad guys will still not be able to log in as that victim, since they don’t have the U2F token.

However, malware on the computer can still victimize the user. For example, malware could wait for the user to use U2F to log in and then the malware could copy or send emails using the victim’s machine, taking advantage of the fact that the user is logged in. U2F protects the moment of log in itself, but if the machine is compromised, many bad actions are possible once the log in is established. Or if the malware is present before U2F is used, the malware could tamper with the original U2F registration, telling the user their token has been used, but in reality using a token under the control of the bad guys.

The pattern here is that if there is malware on the computer in use, many bad things are possible which U2F cannot prevent.

For situations where security is extremely important, such as a bank officer controlling accounts, use a locked-down computer designed to avoid malware, such as a Chromebook. Chromebooks have a fantastic record of being malware-proof. Chromebooks also support U2F tokens, so the combination would have fantastic security.

Q: Does U2F work with any browser?

No, the browser needs support U2F. Chrome and Opera support it now. Mozilla is actively working on adding it to Firefox (and there’s an add-on that supports it today). Microsoft and Apple have not committed to support U2F, but there is W3C Web Authentication standard which will likely provide an umbrella standard in this area for browsers, including U2F. Microsoft has committed to implementing this standard in Edge, so they should get there eventually.

https://www.w3.org/TR/webauthn/

Q: Suppose I use U2F and a bad guy tries to phish me with a page at the url mail.grooogle.ru. What would happen when I visit that page?

When registered to an account, U2F records the domain to log in to, in this case mail.google.com. The phishing site can try to send a fraudulent log in request, and the user can click the button to log in, but the U2F token can detect that this request is not from the proper mail.google.com domain. This all is based on well-established, reliable cryptography used by U2F. The phishing site can trick the victim into typing in their password, but the U2F token is extremely difficult to fool, and no log in to gmail will result and the bad guys will not have enough to log in themselves.

If you visit a phishing site, probably the only sign that it’s phishing will be that the log in will not succeed. So if you are trying to log in clicking the U2F button and nothing is happening, think very carefully about what site you are really looking at.

Q: Can I build My Own U2F Token?

Surprisingly the answer is yes! As a neat exercise, Conor Patrick figured out the hardware and software steps needed to make your own U2F token. For a while he sold them as “U2f Zero” keys just for fun, but no doubt the effort making and shipping them was kind of high so now he just publishes the instructions. That this is possible is a reflection that U2F is a relatively simple, single-function technology, which is also why it is secure.

https://u2fzero.com/

Q: Where Can I Get More Information About FIDO U2F?

The FIDO alliance publishes detailed information about U2F and their other standard efforts. Download the latest U2F spec here:

https://fidoalliance.org/download/

Q: What about “push”/2SV phone authentication ?

U2F is a great standard for the niche where there’s a little device and the secret key is kept inside the device. This is a fundamentally sound approach to 2FA providing the highest security.

Another very new category of 2FA features a prompt popping up on the users’s cell phone. The user types their password to the site as usual, and then a “Yes That’s Me Logging In” button pops up on the user’s cell phone to approve the log in. This is so new it barely exists, but it’s a promising direction.

Unlike U2F, this depends on the cell phone and its own network connection. The company DUO security sells a product that does this, and “Google Prompt (2SV)” offers something similar, but only for google accounts. (I’m calling this “push” but I don’t think there’s really an agreed on term for it yet.) To become widespread, something like this would need to become an open standard like FIDO U2F, not just locked to the implementation of one company. You don’t want to have to install and maintain a separate push-login app on your phone for every site you log in to, just to name one nightmarish scenario. The security of these cell phone schemes is little iffy compared to U2F, but should be fine for regular users and very convenient.

https://support.google.com/accounts/answer/7026266

Q: Why Did you Create This FAQ?

Hi, I’m Nick Parlante. I teach intro computer science at Stanford, and lecturing about security in that class has highlighted how badly the world needs something better than passwords. I like that U2F is a standard and puts the security smarts in the device instead of asking users to use super complicated passwords or whatever.

Please email any comments, corrections or suggestions with “u2f” in the subject line.

http://cs.stanford.edu/people/nick/ — Nick’s Stanford home

http://cs101-class.org — free online version of Nick’s introductory CS101 course

Show your support

Clapping shows how much you appreciated Nick Parlante’s story.