U2F Explained: How Google and Other Companies Are Creating a Universal Security Token

U2F is a new standard for universal two-factor authentication tokens. These tokens can use USB, NFC, or Bluetooth to provide two-factor authentication across a variety of services. It’s already supported in Chrome for Google, Dropbox, and GitHub accounts. Microsoft is working on implementing it in Edge.

This standard is backed by the FIDO alliance, which includes Google, Microsoft, PayPal, American Express, MasterCard, VISA, Intel, ARM, Samsung, Qualcomm, Bank of America, and many other massive companies. Expect U2F security tokens to be all over the place soon.

What Is it?

Two-factor authentication is an essential way to protect your important accounts. Traditionally, most accounts just need a password to log in — that’s one factor, something you know. Anyone who knows the password can get into your account.

Two-factor authentication requires something you know and something you have. Often, this is a message sent to your phone via SMS or a code generated via an app like Google Authenticator on your phone. Someone needs both your password and access to the physical device to log in.

But two factor authentication isn’t as easy as it should be, and it often involves typing passwords and SMS messages into all the services you use. U2F is a universal standard for creating physical authentication tokens that can work with any service.

If you’re familiar with Yubikey — a physical USB key that allows you to log into LastPass and some other services — you’ll be familiar with this concept. Unlike standard Yubikey devices, U2F is a universal standard. Initially, U2F was made by Google and Yubico working in partnership.

How Does It Work?

Currently, the kind of U2F device you’d by is a small USB device that you insert in your computer’s USB port. It’s based on existing “smart card” security technology. (In the future, U2F devices will support NFC and Bluetooth for wireless two-factor authentication with mobile devices.) When you insert it, the Chrome browser on your computer can communicate with the USB security key using secure encryption technology and provide the correct response that lets you log into a website.

Because this runs as part of the browser itself, this gives you some nice security improvements over typical two-factor authentication. First, the browser checks to ensure it’s communicating with the real website using encryption, so users won’t be tricked into entering their two-factor codes into fake phishing websites. Second, the browser sends the code directly to the website, so an attacker sitting in between can’t capture the temporary two-factor code and enter it on the real website to gain access to your account.

The website can also simplify your password — for example, a website might currently ask you for a long password and then a two-factor code, both of which you have to type. Instead, with U2F, a website could ask you for a four-digit PIN you have to remember and then require you to press a button on a USB device to log in.

The FIDO alliance is also working on UAF, which requires no password. For example, it might use the fingerprint sensor on a modern smartphone to authenticate you with various services.

You can read more about the standard itself on the FIDO alliance’s website.

Where is It Supported?

Currently, Google Chrome is the only browser that supports U2F. It works on Windows, Mac, Linux, and Chrome OS. If you have a physical U2F token and use Chrome, you can use it to secure your Google, Dropbox, and GitHub accounts — other big services don’t yet support U2F. However, we’re sure to see more and more services support U2F in the future given how many huge companies are backing it.

This isn’t just a Google system, though. Microsoft is working on adding U2F support to the Edge browser in Windows 10. Mozilla is discussing adding it to Firefox.

How You Can Use It

You just need a U2F token to get started. Google directs you to search Amazon for “FIDO U2F Security Key” to find them. The top one costs $18 and is made by Yubico, a company with a history of making physical USB security keys.

You can then visit your Google Account settings, find the 2-step verification page, and click the Security Keys tab. Click Add a Security Key and you’ll be able to add the physical security key, which you’ll need to log into your Google account. The process will be similar for other services that support U2F.


This isn’t a security tool you can use everywhere yet, but many services should eventually add support for it. Expect big things from U2F in the future.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.