Authereum Now Supports Hardware Security Keys for Two-Factor Authentication (2FA)

Miguel Mota
Authereum
Aug 7, 2019

Improving Security

In addition to time-based one-time password (TOTP) software tokens (i.e. 2FA tokens on Google Authenticator), Authereum added support for FIDO U2F security keys using the WebAuthn API standard recently approved by the W3C.

This means that you can use a FIDO U2F-compatible hardware device such as a YubiKey, Google Titan key, Ledger Nano, or Trezor as supplemental authentication in order to log in to your account.

Why this matters

Good authentication security requires a combination of the following 3 strategies:

  1. “Something you know” — Password, security questions, personal information, etc.
  2. “Something you have” — Security key (Yubikey, Smartcard, Ledger Nano, etc.), software key (HOTP/TOTP), SMS, email, etc.
  3. “Something you are” — Biometrics (Touch ID, Face ID, etc.)

Username and password logins can be augmented with something you have, like a software-based one-time token or a hardware-based key attesting that it is you. We encourage all of our users to enable 2-factor authentication to secure their accounts since it adds a second layer of authentication to the login process. Authereum doesn’t support SMS-based 2-factor authentication because it’s vulnerable to SIM-swapping attacks.

Hardware security devices are stronger security mechanisms because they are something you carry with you, while software tokens may be compromised if a sophisticated attacker remotely gains access to a weakly secured device or app where you’re storing the TOTP secret and generating the one-time tokens.

How it works

First, the user must verify their device (known as the authenticator) with the website server (known as the Relying Party in the WebAuthn specification).

This requires a registration process that involves the following:

  1. The user requests a challenge from the relying party.
  2. The user signs the challenge with their security key, creating a signature.
  3. The browser sends the credential object to the relying party server, which includes the signature, public key, rollback counter, signed origin, and credential ID.
  4. The relying party verifies that the signed data matches the challenge it sent.
  5. The relying party stores the credential, public key, and rollback counter in their database. The rollback counter is to prevent replay attacks. The public key is from the generated key pair for this single credential. A new credential is generated for every website.

Now that the device is registered with the relying party, the verification process, such as when logging in, looks like the following:

  1. The user authenticates with standard login credentials with the relying party and the server returns the credential ID for the user along with a new challenge.
  2. The user plugs in the device, which has to match the credential ID. If it does, then the user proceeds to sign the challenge with the device key, which generates a signed assertion.
  3. The assertion is sent to the relying party, where it is then verified against the challenge and the stored public key tied to the credential ID.
  4. If all this passes, then the server continues with the login process.

Overview of the assertion process:

High-level overview of WebAuthn process

Benefits

Verification using security keys provides additional detection of attacks, for example:

  • If challenge verification fails, then a MITM attack was attempted.
  • If the origin check fails, then a phishing attack was attempted.
  • If the rollback counter is the same, then a replay attack was attempted.
  • If the signature verification fails, then a MITM or replay attack was attempted.
  • If verifying the metadata statement against the metadata service fails, then the authenticator manufacturer is not FIPS/CC or FIDO certified, meaning that it could be a tampered device.

In short, hardware security keys provide good protection against phishing attacks because the website origin is part of the attestation and can’t be altered since it’s baked into the WebAuthn API specification implemented at the browser level.
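The relying-party checks from the login steps and the list above, as an added example (not Authereum's code): it verifies the challenge, origin, signature and counter of an assertion against the record stored at registration. `verifyAssertion` and `makeAuthenticator` are hypothetical names, a software P-256 key pair stands in for the security key, and the challenge is compared as a plain string for brevity.

```javascript
const crypto = require('node:crypto');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// `stored` is the record saved at registration: { publicKey, counter }.
// `expected` is what the server issued for this login: { challenge, origin, rpId }.
function verifyAssertion(assertion, stored, expected) {
  const client = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong-type';
  if (client.challenge !== expected.challenge) return 'challenge-mismatch';
  if (client.origin !== expected.origin) return 'origin-mismatch';

  // authenticatorData = rpIdHash (32) | flags (1) | counter (4, big-endian)
  const auth = assertion.authenticatorData;
  if (auth.length < 37) return 'malformed-authenticator-data';
  if (!auth.subarray(0, 32).equals(sha256(Buffer.from(expected.rpId)))) return 'rp-id-mismatch';
  if ((auth[32] & 0x01) === 0) return 'user-not-present';

  // The signature covers authenticatorData || SHA-256(clientDataJSON).
  const signed = Buffer.concat([auth, sha256(assertion.clientDataJSON)]);
  if (!crypto.verify('sha256', signed, stored.publicKey, assertion.signature)) return 'bad-signature';

  // Simplification: keys that always report a counter of 0 are not handled here.
  const counter = auth.readUInt32BE(33);
  if (counter <= stored.counter) return 'counter-not-increased';
  stored.counter = counter; // persist so the same assertion cannot be replayed
  return 'ok';
}

// Constructed stand-in for a security key, for demonstration only.
function makeAuthenticator(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  let counter = 0;
  const sign = (challenge, origin) => {
    const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
    const authenticatorData = Buffer.alloc(37);
    sha256(Buffer.from(rpId)).copy(authenticatorData, 0);
    authenticatorData[32] = 0x01; // user-present flag
    authenticatorData.writeUInt32BE(++counter, 33);
    const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
    return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, privateKey) };
  };
  return { publicKey, sign };
}
```

Each return value names the check that failed, so a server can log which of the conditions listed above was tripped instead of a generic login failure.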

Enabling Security Keys

To enable hardware security keys for your account, follow these steps:

  1. Log in to Authereum and head over to the Settings page.
  2. From the Settings page, click on the 2FA tab and then the Security Keys sub-tab.
  3. Plug in your hardware device and click Authenticate.
  4. Verify the device by tapping or pressing the confirm button on your key.
  5. Enter a name label so you can identify your device.

All set! You’ll now be prompted to verify via the security device when you log in.

Setting up security key

Compatibility

At the time of this writing, the browsers that support the FIDO/U2F web authentication (WebAuthn) API are Chrome, Opera, Firefox, and Android browsers. Safari and iOS are not currently supported. Check out the compatibility table here.

Future Work

We’re exploring ways that we can utilize the WebAuthn API and hardware keys to the fullest, such as the use of hardware devices for account recovery. As an example, a user who forgets their password can add additional authorized account keys to their contract-based account by creating an attestation with their security key and having it verified on-chain, which will allow them to add new account keys.

We’ll also be adding the option to approve transactions using your security key when using dapps, or when a transfer reaches a certain amount limit and requires additional verification.

Conclusion

Requiring a device to be physically plugged in provides a higher level of security, and Authereum is one of the first Ethereum login-based wallets to support FIDO U2F hardware keys in addition to software-based 2FA tokens.

Please follow us on Twitter @authereum and subscribe to our newsletter for future updates.

Thanks for reading!
