FIDO U2F Security Keys

How is a FIDO U2F security key different from password?

How do FIDO U2F security keys protect against phishing emails?

How FIDO U2F security keys work for users

Benefits of using FIDO U2F security keys

You’re likely familiar with two-factor authentication (2FA) from the use of a bank card and a PIN, using two sets of data to perform a transaction.  In accessing accounts online, you may also be familiar with two-factor authentication (2FA) in the form of a one-time-use code texted to your phone, required for submission and successful login to an account. However, the most secure version of two-factor authentication (2FA) is a physical security key that serves the same purpose as a PIN or texted code instead. 

This physical key is what is referred to with the term FIDO U2F Security Key or spelled out, Fast ID Online Universal 2nd Factor Security Key.   FIDO U2F Security key is an ID authentication standard that uses one physical key for logging into multiple online services simplifying while elevating the security provided by two-factor authentication (2FA).  

You don’t need any special technical skills to use a FIDO Security Key and after a one-time initial setup with the online service, the steps for use are:

1. At the online service user’s login just as before 
2. Users insert their FIDO Security key into an available USB port on the computer. 
3. Login is confirmed & successful instantly.

With a FIDO U2F security key set up with an online account, no one can access the account unless they have both the password and possession of the physical key itself.  By authenticating users’ identities prior to their accessing the network, FIDO U2F security keys protect server resources, applications and data against unauthorized access. FIDO U2F security keys are compatible with most of the online services that people use, including:

• Google, Facebook, Gmail, Microsoft, Dropbox, Github, Salesforce and many more.
• Windows, Mac OS, Linux, Chrome, Firefox, and Edge 
• Any Android / iOS platforms with Bluetooth v4. 0+, and with essentially any software supporting U2F protocol allowing enhanced security.  

________________________

Identity theft due to data breaches are critical concerns for most organizations today.  Just this month, June 2023, the Oregon Driver and Motor Vehicle Services confirmed an estimated 3.5 million driver’s license and identification card files were compromised when the agency was hacked.  “What we’re saying is if you have a Oregon driver’s license ID permit driver’s permit, you can assume that that data associated with that credential has been compromised.” – June 18, 2023 Oregon Live

As security experts we advise everyone to protect their online accounts with a FEITIAN FIDO security key thereby achieving U2F two-factor authentication. Just as you use a key to lock your car or front door, similarly a FEITIAN FIDO U2F security key locks your online accounts which are just as vulnerable, valuable and need the protection. On this page we explain why a FIDO security key is essential and how it works.

________________________

FIDO security keys are an easy-to-use experience for newcomers and an effective way to protect both users and organizational assets when passwords alone aren’t sufficient protection.

Click here to learn why the FEITIAN ePass FIDO® Series Security Key presents the best combination of security, flexibility and value in FIDO® U2F security keys.   

FEITIAN ePass FIDO2 FIDO U2F USB-C + NFC Security Key | K40

For wireless applications, FEITIAN ePass FIDO® -NFC and MultiPass FIDO® Security Key (K40 above) are devices to go beyond the traditional two-factor authentication systems, the built-in Bluetooth (BLE, MultiPass FIDO® only), NFC, and USB communication options empower users with flexibility in achieving secure FIDO® U2F authentication including wirelessly smartphones, tablets, notebooks and desktops. 

How is a FIDO U2F security key different from password? 

Your standard login credentials including password starts the process, but the physical key is required for access to the account.   Standard password verification is based on personal knowledge, typically a sequence of letters, numbers or symbols. However, FIDO U2F verification adds a detail and requirement based on what a person physically has in their possession, the FIDO U2F security key. It creates an added layer of security, an encrypted device unable to be hacked, hijacked, phished, or spoofed.  It’s a more fool-proof way of confirming identity and best described by Google. 

“Security Keys are mandatory at Google; they provide superior protection against phishing not possible with many alternative two factor authentication solutions.”  – Christiaan Brand, Product Manager for Security and Identity at Google, eWeek.

How do FIDO U2F security keys protect against phishing emails? 

U2F hardens your credentialing for login, which assures no one can hijack your online accounts – and that includes phishing attacks even if the scammer obtains your password.  With a FIDO U2F security key activated, user login is bound to the origin and or holder of the key, thereby rendering your password useless to the scammer. Similar to how physical keys protect entry to homes, the same applies to FEITIAN FIDO U2F security keys protecting entry to online accounts from phishing attacks. 

Imagine a FIDO U2F security key just like a hotel room key.  When checking in at a hotel, the front desk person codes your key (a physical card) to your room and hands it to you.  Upon inserting that key into the room’s front door handle slot, the data on the key communicates with the locking system that you are authorized to enter the room.  FIDO security keys work in the same way in making online access to your accounts only possible if you are in possession of the physical coded key.

How FIDO U2F security keys work for users  

Users of a FIDO U2F Security Key can activate all their online accounts with the same security key providing the account supports the U2F Protocol.  Initial set up can vary from service to service (Google, Facebook, Gmail, Dropbox, Github, Salesforce) but once configured, the next steps are the same and no different than prior to the new added layer of security.  You simply login with your standard credentials, insert your FIDO Security key into an available USB drive, and an indicator light on the physical key will flash signaling you that you only need to touch a button on the key to access your account online.  Using FIDO U2F Security Keys as a process looks like this:

• The FIDO U2F Security key applies asymmetric cryptography or the ability to generate a software keypair. A keypair is a combination of a public software key that encrypts data and a private software key that decrypts data – protecting online accounts from unauthorized access or use. The private key is securely stored on the FIDO Security key, and never shared, while the public key gets registered with the service and resides on their server.

• In registering your FIDO U2F Security key with an online service, the key sends an encrypted public key and an accompanying ‘key handle’ (an identifier of a specific public key on the FIDO U2F security key plugged into a USB drive), to the online service where it resides on their server. The public key and key handle are used to verify the authentication request from the FIDO U2F Security key whenever it is placed in a USB drive and a login is attempted. With set up complete, a user can log into their chosen service online using their credentials recognized by the site as usual and going forward.

• Assuming the standard login credentials are valid, the user now logs in with the FIDO U2F Security key inserted in an available USB drive.  After validated routine login the online service initiates U2F authentication by sending the originated key handle identifier back to the FIDO Security key plugged into the USB drive via the browser.   

• The FIDO U2F Security key receives the key handle from the online service and uses it to identify the matching private key encrypted in it.   Once the matching private key is identified, the FIDO U2F Security key creates a digital signature which is sent back through the browser to the online service to verify its presence.  The very next instant the FIDO U2F Security key flashes a green indicator light signaling a ‘match pairing’ of encryption and decryption is recognized by the online service, authentication has been achieved, and you have access to your account with that service. The user presses a button on the FIDO U2F security key to finalize the connection and access to the account.  (This is a detailed walkthrough of what transpires in the blink of an eye)

The FIDO U2F Security key works immediately upon registration with the service, due to native support for operating systems and browsers, enabling instant authentication going forward.  Entering or rewriting any codes, installing any drivers, memorizing or any additional applications is not required in using the key.  FIDO security keys can’t be cloned, as the private data on the key can’t be extracted. Most FIDO security keys aren’t Bluetooth enabled; thus no maintenance or batteries are required. 

If a FIDO U2F Security key is lost, so too is the ability to login to the services and apps that were originally configured and secured with the lost key.   For this reason, it’s prudent to register multiple hardware keys, with one or two serving as a back-up measure ensuring you can still login into your accounts (with one of registered back-up keys).  Note different online services provide different solutions for key recovery so check with your online service about their security key recovery protocol.   Having said this, the economic cost of FEITIAN ePass FIDO® Series Security Keys make keeping a few back-up keys nearby as the sensible and time efficient route to go in managing the risk of a potentially lost key.

Benefits of using FIDO security keys 

FIDO U2F Security keys enable you to solve complex identity access management and security challenges, at scale, without friction, at multiple different locations for workforces, student populations, customer bases, and organization/group members of all types.  Whether you’re modernizing a legacy authentication system, automating an HR joiner-mover-leaver process, or meeting insurance requirements, FIDO U2F Security keys resolve identity and access management challenges connecting all of your users to their apps, infrastructure, and APIs, no matter whether they are, in the cloud or IT infrastructure hardware and software applications that are hosted on-site. FIDO U2F Security keys:

• Allows users to create and fully control their online identities including having multiple identities across different online services, without any personal information tied to the identity.  Asymmetric cryptography or the ability to generate a combination of a public software key that encrypts data and a private software key that decrypts data – does not involve any personal information and does not create any links between different accounts or servers the user may have. 
• Allows to augment the enterprise online security cost and reduces resources consumption on support issues and is an identity access management solution immediately deployable and scalable within an organization’s ecosystem.  In addition to introducing significant risk, passwords are also a major direct cost.  Research indicates employees reach out to a help desk to resolve password problems up to 10 times per year, with each reset costings $40-50. Additionally, there’s a loss of productivity cost until such time that the employee is able to successfully log back into the system and continue working. FIDO authentication eliminates these costs along with the productivity disruption and overall incident response costs connected with identity and credential-based attacks.
• Satisfies privacy and security objectives of organizations allowing employees and group members to use their personal devices to get work done and supports ‘bring your own device’ & remote work protection policy for an enterprise or university. Users simply have to get their FIDO U2F Security key registered with the server and use it once to get connected to online services.  
• Achieves passwordless authentication and users no longer have to come up with strong password concerns as the FIDO U2F Security keys cannot be easily hacked easily or tampered and are very protective against any downside attack.  Passwords remain the greatest risk to online security. Stolen credentials account for 80% of online attacks and 50% of online data breaches.  Removing passwords from identity authentication hardens security defenses and reduces vulnerability to scammers phishing and other attacks on users.
• Achieve compliance with regulatory standards as FIDO U2F Security key authentication on most parameters exceeds  governmental and industry cybersecurity standards, such as NIST 800-63B and PSD2.  Additionally, FIDO U2F Security key authentication is endorsed by CISA (Cybersecurity and Infrastructure Security Agency) and OMB government agencies reflects it’s strong standing as an accepted best practice for other regulatory compliances like HIPAA or PCI-DSS.

Click here to learn why the FEITIAN ePass FIDO® Series Security Key presents the best combination of security, flexibility and value in FIDO® U2F security keys.   For wireless applications, FEITIAN ePass FIDO® -NFC and MultiPass FIDO® Security Key are devices to go beyond the traditional two-factor authentication systems, the built-in Bluetooth (BLE, MultiPass FIDO® only), NFC, and USB communication options empower users with flexibility in achieving secure FIDO® U2F authentication including wirelessly smartphones, tablets, notebooks and desktops.