By Maxim Sovetkin, Itransition

Millions of email and social networking logins and passwords become public almost every month. You don’t have to be an IT guru to realize that a password, no matter how complicated, is no longer an adequate security tool.

The way users choose services is changing, adding more strains on security protocols. Before, users chose the most convenient option. Today, they go for the most secure one.

To heighten security, multifactor authentication (MFA) and its simplified version, two-factor authentication (2FA), became an IT staple. The first line of defense is your login and password, which the user knows and remembers. The second is something that only this particular user has access to: an SMS or email message, one-time password (OTP / TOTP / HOTP) applications, cryptographic tokens, biometric data, etc. The cheapest and most convenient methods are applications and SMS messages. All you do is enter the username and password through the website, receive the secret code in an SMS on your phone, enter the code and enjoy access to the data.

The World of 2FA Today

A lot of time passed since the advent of 2FA, and the majority of Internet services use it today. 2FA has conquered the financial tech sector: it’s practically impossible to imagine online payments without confirmation and authorization via SMS message, for instance.

However, oddly enough, despite the widespread dissemination of 2FA, users still get their accounts hijacked and compromised. This article will discuss some of the shortcomings and vulnerabilities of 2FA methods.

2FA Vulnerabilities

Phishing.Practically all 2FA solutions are vulnerable to man in the middle (MITM) attacks, and therefore to phishing.

Security. Let’s look at SMS verification, the most popular 2FA solution on the modern market. You can read a million stories online about SIM cards being reissued in Russia, USA, South Africa, the UK and other countries. In addition, hackers have their hands on tech that is no longer exclusively available to special services. Hackers also love to rely on good old social engineering tricks. As can be seen, security issues are plentiful and not easy to fix.

Costs. Cryptographic tokens, proven to be reliable in terms of security, are rather expensive. As a rule, the end user pays that high price. Only rare service companies cover the costs and delivery of such solutions to the user. Moreover, even sending SMS messages costs money. Because of all these costs, not everyone can afford the implementation and maintenance of 2FA methods.

Compatibility. Not all operating systems incorporate drivers for cryptographic tokens, and not all users have the desire to find and install them.

Ease of use. Some users are too complacent to enter one-time passwords. Unlocking your phone screen, opening the message or OTP program, reading the secret code, entering it, making a mistake, repeating the process all over again – this is the standard interaction between the user and two-factor authentication.

To conclude, today's 2FA solutions do not offer reliable user protection, are often cumbersome to use, are too expensive and generally are not suitable for universal implementation.

FIDO U2F

In 2007, PayPal tried to introduce 2FA with the help of OTP via SMS. Despite the fact that, at the time, this method was progressive and quite safe, the implementation pace was disastrously low. Most users simply ignored the option to increase their data security.

Exploring the possibilities for biometric technology implementation, PayPal, together with Validity Sensors, first voiced the idea that it was time to create an industry standard to support all hardware authentication methods. The FIDO (Fast IDentity Online) Alliance was launched in 2013 with the goal of creating such a standard. Many large companies such as Google, ARM, Bank of America, Master Card, Visa, Microsoft, Samsung, LG, Dell and RSA became members.

At the moment, FIDO pursues the goal of creating easy-to-use, secure, private and standardized solutions.

Besides other achievements, the main result of FIDO’s work to standardize 2FA so far is the Universal Second Factor (U2F) protocol.

What is U2F?

U2F is an open, driverless protocol originally developed by Google and Yubico to be used for two-factor authentication with special USB, NFC and Bluetooth LE devices as well as with SIM-cards (specifications are still in development) that store keys and independently perform cryptographic operations.

Currently U2F support is implemented in Chrome and Edge browsers, as well as OS Windows 10.

The protocol is based on a challenge-response authentication using digital signatures.

User experience

From the user’s point of view, working with the protocol is rather mundane. The user enters a username and password and uses a USB (Bluetooth/NFC) U2F device (pushes a button on it, enters a PIN, passes the biometric verification or does nothing), and authentication is a success.

U2F for USB

U2F for Mobile

Images provided by Yubico

U2F Protocol Deep Dive

Interaction of the U2F client such as a web browser or Windows 10 is demonstrated below:

U2F Interaction protocol