In this second part of the Yubikey blog series we will deep dive into 2FA:
2FA (Two-Factor Authentication) is a security process that adds an additional layer of protection to online accounts and authentication mechanisms. To prove that you are who you claim to be, an authentication system can rely on three kinds of factors:
- Something you know (a password)
- Something you have (a security key or card)
- Something you are (biometrics: Face ID, fingerprint)
2FA combines two of these factors, typically a password with something you have and can prove belongs to you: your mobile phone, your email account or a security key.
Having this added layer helps to prevent account takeover attacks; however, some 2FA methods are considerably stronger and more reliable than others. There are a variety of 2FA methods, the most common being:
- Verification code sent via SMS (Short Message Service)
- Verification code sent via email
- Verification via phone call
- Mobile applications that generate time-based one-time passwords (TOTP), such as Google Authenticator, Microsoft Authenticator and Authy
These 2FA methods can be simplified into the following diagram:
As the diagram shows, this process is susceptible to security weaknesses and flaws. For example:
- The 2FA code travels over channels that offer no end-to-end protection (SMS, email, voice), so it can be intercepted on the wire, or captured by a phishing page and relayed to the real service in a man-in-the-middle attack.
- The shared secret used to generate the one-time passwords must be available to the server in usable form, so a compromise of the server database or its backups exposes it. A threat actor who obtains the shared secret can generate valid one-time passwords at will, indistinguishable from the user's own.
- These codes are usually valid only for a short time window, so the user has to type them in quickly, which is prone to mistyping and errors.
- How can you verify that the service sending you the 2FA code is who it claims to be? Email and SMS sender addresses can be easily spoofed.
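To make the shared-secret weakness concrete, here is an added example, written for this post and not code from the original article or from Yubico, of the TOTP algorithm (RFC 6238, built on HOTP from RFC 4226) that the authenticator apps listed above implement, in Go. The secret is the public RFC 6238 test-vector secret, not a real credential. Anyone who obtains the same secret produces exactly the same codes, and the server-side check `VerifyTOTP` (this example's own name) shows the short acceptance window that forces the user to type the code quickly.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated
// to a `digits`-long decimal string. Whoever holds `secret` can compute this.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f                                   // low nibble picks the 4-byte window
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff // drop the sign bit
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP (RFC 6238): the counter is the number of `step`-second periods since the Unix epoch.
func TOTP(secret []byte, unixTime, step int64, digits int) string {
	return HOTP(secret, uint64(unixTime/step), digits)
}

// VerifyTOTP is the server side: accept the code for the current period and one period
// either side (clock drift), comparing in constant time. The server needs the very same
// shared secret the user's app holds, which is the weakness described above.
func VerifyTOTP(secret []byte, code string, unixTime, step int64, digits int) bool {
	ok := false
	for _, skew := range []int64{-1, 0, 1} {
		t := unixTime + skew*step
		if t < 0 {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(TOTP(secret, t, step, digits)), []byte(code)) == 1 {
			ok = true
		}
	}
	return ok
}

func main() {
	// Constructed demo secret (the RFC 6238 test-vector secret), not a real credential.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	user := TOTP(secret, now, 30, 6)
	fmt.Println("code shown in the user's authenticator app:", user)
	// A copy of the shared secret (say, from a dumped server database) yields the
	// identical code; the server has no way to tell the two apart.
	fmt.Println("code computed from the leaked secret:      ", TOTP(secret, now, 30, 6))
	fmt.Println("server accepts the user's code:", VerifyTOTP(secret, user, now, 30, 6))
	fmt.Println("RFC 6238 test vector, T=59 (expect 94287082):", TOTP(secret, 59, 30, 8))
}
```

The constant-time comparison matters on the server side: a plain string comparison would let an attacker learn the code digit by digit from response timing. The one-step drift window is the usual compromise between tolerating slightly wrong phone clocks and keeping an intercepted code useful for as short a time as possible.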
To address some of these flaws, the FIDO U2F (Fast Identity Online Universal 2nd Factor) standard was developed. Initially the project was led by Google and Yubico, with contributions from NXP Semiconductors; today it is an open standard hosted by the FIDO Alliance. FIDO U2F simplifies the 2FA process by using a hardware device connected over Universal Serial Bus (USB) or near-field communication (NFC), and strengthens it with public-key cryptography: the device signs challenges with a private key that never leaves it, so there is no shared secret for the server to store.
Below is a diagram showing how FIDO U2F works:
The first step is registration: the security key generates a key pair for the service, and the public key is stored on the server.
This step is done only once for each service where you want to activate FIDO U2F.
Once the public key is stored, the following actions are performed each time you log in to the service.
FIDO U2F uses public-key cryptography to authenticate users. When a user registers their security key with an online service, the key generates a new public/private key pair for that service. The public key (together with an opaque key handle identifying the pair) is stored on the service's servers, while the private key is stored on the security key itself and never leaves it.
During authentication, the service generates a fresh random challenge and sends it to the security key via the browser. The security key signs the challenge, together with the origin of the website as seen by the browser and a signature counter, using its private key, and sends the signature back to the service. The service verifies the signature using the stored public key, which proves that the response came from the registered security key and was produced for this website.
This process improves and strengthens 2FA. Phishing and man-in-the-middle attacks are mitigated because the signed response encodes the originating domain, so a signature obtained by a fake website is useless to the real one, and because each challenge is fresh, a captured response cannot be replayed. The public key is stored on the server and the private key on the user's hardware device, so there is no shared secret to leak. The user does not have to type anything; authentication is a touch of the key over USB or NFC.
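The registration and authentication exchange described above, as an added example in Go. This is a simplified model written for this post, not code from the article, from Yubico or from the FIDO specifications: it assumes one key pair per service (real keys mint one per registration and return a key handle), a toy JSON client-data string, and that the browser passes the real page origin to the key, as U2F-capable browsers do. The `SecurityKey`, `Registration`, `Login` and `Verify` names are this example's own. It goes slightly beyond the text by also checking the signature counter that is part of every U2F response, since that is how a relying party notices a cloned key.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SecurityKey models the authenticator for one service: the private key never leaves it,
// and a signature counter lets the relying party notice a cloned device.
type SecurityKey struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Register is done once per service: mint a P-256 key pair and hand out only the public half.
func (k *SecurityKey) Register() (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	k.priv = priv
	return &priv.PublicKey, nil
}

// signedMessage is the U2F authentication message layout:
// sha256(origin) || user-presence byte || 4-byte big-endian counter || sha256(clientData).
func signedMessage(origin string, counter uint32, clientData []byte) []byte {
	app, chal := sha256.Sum256([]byte(origin)), sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append(app[:], 0x01)
	msg = append(msg, ctr[:]...)
	return append(msg, chal[:]...)
}

// Sign runs on touch. The origin is supplied by the browser (the page the user is
// really on), not by whoever issued the challenge, so it is bound into the signature.
func (k *SecurityKey) Sign(origin string, clientData []byte) (counter uint32, sig []byte, err error) {
	k.counter++
	digest := sha256.Sum256(signedMessage(origin, k.counter, clientData))
	sig, err = ecdsa.SignASN1(rand.Reader, k.priv, digest[:])
	return k.counter, sig, err
}

// Registration is all the relying party stores per user; nothing in it is secret.
type Registration struct {
	Pub     *ecdsa.PublicKey
	Counter uint32
}

// Verify (relying party): its own challenge is present, the counter moved forward, and the
// signature verifies under the stored public key for *its* origin, not the browser's claim.
func Verify(reg *Registration, expectedOrigin string, challenge, clientData []byte, counter uint32, sig []byte) error {
	if !bytes.Contains(clientData, []byte(fmt.Sprintf("%x", challenge))) {
		return errors.New("challenge mismatch (replay or wrong session)")
	}
	if counter <= reg.Counter {
		return errors.New("counter did not increase (replay or cloned key)")
	}
	digest := sha256.Sum256(signedMessage(expectedOrigin, counter, clientData))
	if !ecdsa.VerifyASN1(reg.Pub, digest[:], sig) {
		return errors.New("bad signature (wrong key or wrong origin)")
	}
	reg.Counter = counter
	return nil
}

// Login runs one authentication: the server at serverOrigin issues a challenge, the browser
// on browserOrigin builds the client data and has the key sign it, and the server verifies.
func Login(key *SecurityKey, reg *Registration, serverOrigin, browserOrigin string) error {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	// Toy client data: binds the challenge to the origin the browser actually talked to.
	cd := []byte(fmt.Sprintf(`{"typ":"navigator.id.getAssertion","challenge":"%x","origin":"%s"}`, challenge, browserOrigin))
	ctr, sig, err := key.Sign(browserOrigin, cd)
	if err != nil {
		return err
	}
	return Verify(reg, serverOrigin, challenge, cd, ctr, sig)
}

func main() {
	const site = "https://example.com" // constructed origin for the demo
	key := &SecurityKey{}
	pub, err := key.Register()
	if err != nil {
		panic(err)
	}
	reg := &Registration{Pub: pub}
	fmt.Println("genuine login:", Login(key, reg, site, site))
	// A phishing page relays the real challenge, but the browser reports its own origin, so the
	// signature covers the wrong domain and the real server rejects it.
	fmt.Println("phished login:", Login(key, reg, site, "https://example-login.evil"))
}
```

Three checks in `Verify` map to the three claims in the text: the challenge check stops a captured response being replayed into another session, the origin inside the signed message is what defeats the phishing relay, and the counter check is what reveals a cloned key, because two devices sharing one private key cannot both keep the server's counter strictly increasing.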
This technology however has also some disadvantages:
- Not all applications and services are compatible with FIDO U2F. For example, as of writing Instagram does not support FIDO U2F; it only supports 2FA based on TOTP.
- The process requires the user to have a hardware device. With the global microchip shortage it could be harder to obtain one, and the cost of the hardware could increase with demand.
- Losing the device can also impact users: recovering an account can be difficult if a backup method (a second registered key, or recovery codes) was not set up beforehand.
- This technology does not protect users from an attacker with physical access to the device, or from vulnerabilities in the device itself. There was a case where a vulnerability in the microchip used to build a hardware key was exploited to clone the 2FA key; the attack required physical possession of the key and specialised equipment, which limits its reach but does not remove the risk.
Overall, FIDO U2F is a useful tool for improving security, but it must be used in conjunction with other security measures.