U2F is a new standard for universal two-factor authentication tokens. These tokens can use USB, NFC, or Bluetooth to provide two-factor authentication across a variety of services. It’s already supported in Chrome, Firefox, and Opera for Google, Facebook, Dropbox, and GitHub accounts.
This standard is backed by the FIDO alliance, which includes Google, Microsoft, PayPal, American Express, MasterCard, VISA, Intel, ARM, Samsung, Qualcomm, Bank of America, and many other massive companies. Expect U2F security tokens to be all over the place soon.
Something similar will become more widespread soon with the Web Authentication API. This will be a standard authentication API that works across all platforms and browsers. It will support other authentication methods as well as USB keys. The Web Authentication API was originally known as FIDO 2.0.
Two-factor authentication is an essential way to protect your important accounts. Traditionally, most accounts just need a password to log in—that’s one factor, something you know. Anyone who knows the password can get into your account.
Two-factor authentication requires something you know and something you have. Often, this is a message sent to your phone via SMS or a code generated via an app like Google Authenticator or Authy on your phone. Someone needs both your password and access to the physical device to log in.
But two factor authentication isn’t as easy as it should be, and it often involves typing passwords and SMS messages into all the services you use. U2F is a universal standard for creating physical authentication tokens that can work with any service.
If you’re familiar with Yubikey—a physical USB key that allows you to log into LastPass and some other services—you’ll be familiar with this concept. Unlike standard Yubikey devices, U2F is a universal standard. Initially, U2F was made by Google and Yubico working in partnership.
Currently, U2F devices are usually small USB devices that you insert in your computer’s USB port. Some of them have NFC support so they can be used with Android phones. It’s based on existing “smart card” security technology. When you insert it into your computer’s USB port or tap it against your phone, the browser on your computer can communicate with the USB security key using secure encryption technology and provide the correct response that lets you log into a website.
Because this runs as part of the browser itself, this gives you some nice security improvements over typical two-factor authentication. First, the browser checks to ensure it’s communicating with the real website using encryption, so users won’t be tricked into entering their two-factor codes into fake phishing websites. Second, the browser sends the code directly to the website, so an attacker sitting in between can’t capture the temporary two-factor code and enter it on the real website to gain access to your account.
The website can also simplify your password—for example, a website might currently ask you for a long password and then a two-factor code, both of which you have to type. Instead, with U2F, a website could ask you for a four-digit PIN you have to remember and then require you to press a button on a USB device or tap it against your phone to log in.
The FIDO alliance is also working on UAF, which requires no password. For example, it might use the fingerprint sensor on a modern smartphone to authenticate you with various services.
You can read more about the standard itself on the FIDO alliance’s website.
Google Chrome, Mozilla Firefox, and Opera (which is based on Google Chrome) are the only browsers that support U2F. It works on Windows, Mac, Linux, and Chromebooks. If you have a physical U2F token and use Chrome, Firefox, or Opera, you can use it to secure your Google, Facebook, Dropbox, and GitHub accounts. Other big services don’t yet support U2F.
U2F also works with the Google Chrome browser on Android, assuming you have a USB key with NFC support built in. Apple doesn’t allow apps access to the NFC hardware, so this won’t work on iPhones.
While current stable versions of Firefox have U2F support, it’s disabled by default. You’ll need to enable a hidden Firefox preference to activate the U2F support at the moment.
Support for U2F keys will become more widespread when the Web Authentication API takes off. It will even work in Microsoft Edge.
You just need a U2F token to get started. Google directs you to search Amazon for “FIDO U2F Security Key” to find them. The top one costs $18 and is made by Yubico, a company with a history of making physical USB security keys. The more expensive Yubikey NEO includes NFC support for use with Android devices.
You can then visit your Google Account settings, find the 2-step verification page, and click the Security Keys tab. Click Add a Security Key and you’ll be able to add the physical security key, which you’ll need to log into your Google account. The process will be similar for other services that support U2F—check out this guide for more.
This isn’t a security tool you can use everywhere yet, but many services should eventually add support for it. Expect big things from the Web Authentication API and these U2F keys in the future.