Universal 2nd Factor

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
A U2F Security Key by Yubico
FIDO certified U2F identity credential with USB interface

Universal 2nd Factor (U2F) is an open authentication standard that strengthens and simplifies two-factor authentication (2FA) using specialized Universal Serial Bus (USB) or near-field communication (NFC) devices based on similar security technology found in smart cards.[1][2][3][4][5] While initially developed by Google and Yubico, with contribution from NXP Semiconductors, the standard is now hosted by the FIDO Alliance.[6][7]

U2F Security Keys are supported by Google Chrome since version 38[2] and Opera since version 40. U2F security keys can be used as an additional method of two-step verification on online services that support the U2F protocol, including Google,[2] Dropbox,[8] GitHub,[9] GitLab,[10] Bitbucket,[11] Nextcloud,[12] Facebook[13] and others.[14]

Chrome, Firefox and Opera were, as of 2015, the only browsers supporting U2F natively. Microsoft has enabled FIDO 2.0 support for Windows 10's Windows Hello login platform.[15] Microsoft Edge[16] browser gained support for U2F in the October 2018 Windows Update. Microsoft accounts, including Office 365, OneDrive and other Microsoft services, do not yet have U2F support. Mozilla has integrated it into Firefox 57, and enabled it by default in Firefox 60[17][18][19][20] and Thunderbird 60.[21] Microsoft Edge starting from build 17723 support FIDO2.[22]

The USB devices communicate with the host computer using the human interface device (HID) protocol, essentially mimicking a keyboard.[23] This avoids the need for the user to install special hardware driver software in the host computer, and permits application software (such as a browser) to directly access the security features of the device without user effort other than possessing and inserting the device. Once communication is established, the application exercises a challenge–response authentication with the device using public-key cryptography methods and a secret unique device key manufactured into the device.[24] The device key is secured against duplication by a degree of social trust in the commercial manufacturer, and logically secured against reverse-engineering or counterfeiting by the robustness of the encryption and physical possession.

See also[edit]


  1. ^ Turner, Adam (November 5, 2014). "Google security keys may offer extra layer of online protection". The Sydney Morning Herald. Fairfax Media. Retrieved November 28, 2014.
  2. ^ a b c "What browsers support U2F?". Yubico. Archived from the original on August 18, 2017. Retrieved August 17, 2017.
  3. ^ Bradley, Tony (October 21, 2014). "How a USB key drive could remove the hassles from two-factor authentication". PCWorld. IDG Consumer & SMB. Retrieved November 28, 2014.
  4. ^ "FIDO Universal 2nd Factor". Yubico AB. Retrieved November 28, 2014.
  5. ^ Diallo, Amadou (November 30, 2013). "Google Wants To Make Your Passwords Obsolete". Forbes. Forbes.com LLC. Retrieved November 28, 2014.
  6. ^ "FIDO Alliance – download specifications". FIDO Alliance. Retrieved October 19, 2017.
  7. ^ Krebs, Brian (October 14, 2014). "Google Accounts Now Support Security Keys". Krebs on Security. Retrieved November 28, 2014.
  8. ^ Heim, Patrick; Patel, Jay (August 12, 2015). "Introducing U2F support for secure authentication". Dropbox Blog. Retrieved August 12, 2015.
  9. ^ Olsen, Risk (October 1, 2015). "GitHub supports Universal 2nd Factor authentication". github.com/blog. GitHub. Retrieved October 1, 2015.
  10. ^ Nwaigwe, Amara (June 22, 2016). "Support for Universal 2nd Factor Authentication". GitLab Blog. Retrieved July 9, 2016.
  11. ^ Kells, TJ (June 22, 2016). "Universal 2nd Factor (U2F) now supported in Bitbucket Cloud". Bitbucket Blog. Retrieved June 22, 2016.
  12. ^ "Nextcloud 11 sets new standard for security and scalability". Nextcloud. Retrieved 23 December 2016.
  13. ^ "Security Key for safer logins with a touch". Facebook. Retrieved 27 January 2017.
  14. ^ "USB-Dongle Authentication". Josh Davis. Retrieved 22 February 2017.
  15. ^ Ingalls, Dustin (February 13, 2015). "Microsoft Announces FIDO Support Coming to Windows 10". Windows Blog. Retrieved October 3, 2015.
  16. ^ "Microsoft Edge now supports passwordless sign-ins". Engadget. Retrieved 2018-10-04.
  17. ^ "Firefox 57 has native support for U2F". Mozilla. Retrieved November 1, 2017.
  18. ^ "U2F Support Addon". Retrieved May 8, 2016.
  19. ^ "Firefox Nightly enables support for FIDO U2F Security Keys". Yubico blog. Retrieved September 27, 2017.
  20. ^ "Firefox 60.0 release notes". Retrieved May 11, 2018.
  21. ^ "Thunderbird 60.0 release notes". Retrieved June 22, 2018.
  22. ^ "Introducing Web Authentication in Microsoft Edge — Microsoft Edge Dev BlogMicrosoft Edge Dev Blog". blogs.windows.com. Retrieved 2018-08-03.
  23. ^ "FIDO U2F HID Protocol Specification". FIDO Alliance. October 9, 2014. Retrieved July 24, 2018.
  24. ^ "Key generation". Yubico. Retrieved 31 July 2018.