What is U2F

BLUF • technical

Submitted by Nigel Whitfield, 20 January 2019

 

Index

This one's going to get a bit technical - but I believe it's important that we all protect our online accounts, not just for ourselves, but because of the information about other people that could be exposed if someone else gets into our own account. On sites like BLUF or Recon, remember it's not just your privacy you're protecting - it's all the other people who's private messages to your, or intimate profiles could become visible if your account is taken over.

So, keeping secure online is important, and one way of doing that is with a “second factor” - something that you have, which is used alongside a password. For some web sites, that’s done by sending a text to your mobile phone. Others use an app on your phone to generate a number. The idea is that even if someone knows your password, unless they also have your phone, they can’t get into your account.

U2F stands for Universal 2nd Factor, and is an industry standard (from an organisation called FIDO) for devices that create a unique cryptographic signature when triggered. Typically, they take the form of a small USB key that plugs into your computer, but there are also some designed to work with the contactless functions of a mobile phone, or via Bluetooth.

With U2F, you don’t have to type in a number - you simply touch the button on your U2F device, or tap it against the back of your phone, to confirm to a website that you have it with you. It’s quicker and simpler than entering codes, and more secure.

U2F is available in the Chrome browser for Windows and Mac, and in the latest versions of Firefox, where you have to enable it manually

You can already use U2F to protect your account on sites like Twitter, Facebook, Gmail, Dropbox and Github, and we’ve now added support to BLUF (for admins now, and other users soon). This allows extra protection against unauthorised logins, or changes to your account. All you need is a U2F key - and those can be bought for as little as £5.

We’ve tested the features on BLUF with the U2F devices listed below.

Yubico Security Key

This key only supports U2F, and is made by the people who created the standard. It’s simple to use, but only works via USB. Around £25-29

Yubikey NEO

If you use LastPass, this Yubikey is the best choice, as it work with both U2F and with Yubico’s own standard. It also includes NFC, so can work the with Chrome browser on Android phones by tapping on the back of your phone. It should work with iPhone 7 and above in LastPass, though we have not been able to test that. Around £45.

Feitian ePass Fido-NFC

If you’re on a budget and want a key that will work with both desktop and mobile devices, this is a good choice. It has NFC for use with Android phones, and plugs into your computer via USB. Around £18

Key-ID Fido U2F Security Key

This is one of the cheapest security keys we’ve found. Just plug it into your USB port and tap the button when it flashes. Around £8

HyperSecu HyperFido Mini

This appears to be exactly the same as the Key-ID key, except a different colour, and is presently the cheapest available U2F key we can find. Around £5

Got a modern PC with USB-C ports?

You can buy a Yubikey with a USB C connector, like the 4C but they’re not cheap. Instead, you could simply use a small USB-C to USB-A adaptor like these with something like the Key-ID or HyperSecu keys.

Links in this article will generate affiliate fees