
U2F Security Keys May Be the World's Best Hope Against Account Takeovers

earlytime writes: Large scale account hacks such as the billion user Yahoo breach and targeted phishing hacks of gmail accounts during the U.S. election have made 2016 an infamous year for web security. Along comes U2F/web-security keys to address these issues at a critical time. Ars Technica reports that U2F keys "may be the world's best hope against account takeovers": "The Security Keys are based on Universal Second Factor, an open standard that's easy for end users to use and straightforward for engineers to stitch into hardware and websites. When plugged into a standard USB port, the keys provide a 'cryptographic assertion' that's just about impossible for attackers to guess or phish. Accounts can require that cryptographic key in addition to a normal user password when users log in. Google, Dropbox, GitHub, and other sites have already implemented the standard into their platforms. After more than two years of public implementation and internal study, Google security architects have declared Security Keys their preferred form of two-factor authentication. The architects based their assessment on the ease of using and deploying keys, the security it provided against phishing and other types of password attacks, and the lack of privacy trade-offs that accompany some other forms of two-factor authentication."

The researchers wrote in a recently published report: "We have shipped support for Security Keys in the Chrome browser, have deployed it within Google's internal sign-in system, and have enabled Security Keys as an available second factor in Google's Web services. In this work, we demonstrate that Security Keys lead to both an increased level of security and user satisfaction as well as cheaper support cost."

  • Great! (Score:5, Interesting)

    by ls671 ( 1122017 ) on Friday December 23, 2016 @10:08PM (#53546353) Homepage

    The only concern I have is that in some environments, the USB ports are disabled for security reasons. Also, how long do we have to wait before some exploit is embedded in those USB sticks? ;-)

    • I don't even want to use USB. I want to be able to NFC with my phone, or my watch. If I have to use USB it should be to plug an NFC device into in order to enable this.

      Plugging things in is annoying, just let me do a quick touch action for a couple of seconds while it does whatever crypto it needs. Make it wireless powered too so I don't have to charge it.

      • NFC security was broken before it was even common in consumer devices.

        Any time you use RF as part of your security, you are hanging your ass out in the wind.
        • While on the surface you're correct, if properly implemented, this technology should still be usable with NFC, as it doesn't rely on the security of the NFC link to be secure.

          For one, an NFC link can only be exploited through sniffing in the immediate physical vicinity of the accessing device (and statistically-speaking, few attackers are financially capable of being within 10m of their victim). For another, the real security of authentication comes from the crypto chip (think embedded smartcard or TPM-typ

    • The only concern I have is that all this is, is a hacked-up smart card. "Next year will be the year of the smart card" is a joke so worn out that's about 15 years older than the same comment about desktop Linux, and yet it looks like someone at Google still thinks that smart cards (under another name) will take off real soon now.

      So any time now we'll all be using our PS/2s to access our Orange-Book secure OSI network using U2F tokens.

      • The fact that they're available at this price point, which puts them in the hands of pretty much anyone who owns a computer is pretty spectacular. PKI environments and their implementations were hard even for the DOD.

        While I get the sarcasm, never have so many public sites accepted second factor so quickly and publicly.

        Honestly though, I always assumed this would be handled by the government at some point, they issue passports and other identity cards, why not PKI certs?

        • It's not new. Organisations and governments have resorted to giving them away in an attempt to get people to use them, and they still didn't see any uptake. People don't even want them for nothing.

          The government has tried to do this already in the form of the CAC. Military personnel are ordered to use them or face disciplinary action. That's a pretty dire model for smart card deployment.

          So, this will fail just like every other attempt to deploy smart cards has failed (outside of things like replacing ex

          • Actually, most EU countries have identity cards, these cards are used for everything from your drivers license to international travel (Within the Union) they've all got certs on them, and they're provided by the government. Most people carry them to buy alcohol / enter clubs (Proof of age) or as a proof of ID when buying mobile phones or other high value items to reduce fraud. So in countries like Belgium and the Netherlands where I'd suggest high 90s in regards to % of people carrying them, I wouldn't cal

            • Yeah, that's a situation where we're probably arguing over semantics, does overloading an existing device with smart card functionality really count as a successful smart card deployment? The poster child for this is (e-)passports, you have to get a passport to travel, there's no choice, so it falls into the "ordered to use it" category of the CAC. Same with the example I gave, payment cards (credit/ATM cards), when you get a new card it has a chip in it, you can't opt out.

              What I'm looking for is examples

              • If you could use a government issued ID to sign into Facebook or Google, and identify yourself for email etc, would you use it?

                I just think of my parents, they're getting SMS two factor codes from Google, Apple, their bank, and SMS is by no means secure.

                If I could also use that to auth SSH etc, then yes, absolutely I'd use it, I'd suggest that MS would even get on board for smart card auth for Windows (Making certain default choices to allow for sign in using that tech).

  • Lol, oh really? (Score:5, Insightful)

    by JustAnotherOldGuy ( 4145623 ) on Friday December 23, 2016 @10:12PM (#53546365)

    "the keys provide a 'cryptographic assertion' that's just about impossible for attackers to guess or phish."

    Do you know how many times we've heard this kind of claim in the past?

    I'd love for it to be true this time but I'm not going to hold my breath.

    • by dbIII ( 701233 )

      Do you know how many times we've heard this kind of claim in the past?

      Indeed, but a lot of the time the claim has been correct until someone took an especially stupid shortcut for the sake of convenience. DVD encryption was one example (

    • "Emulation" is the word of the day. Anything can be faked. "Impossible" is great snake oil, and "just about" (pert near) covers all the liability issues.

      • "Emulation" is the word of the day. Anything can be faked.

        That's it in a nutshell.


        "Impossible" is great snake oil

        Yep, and when they say it's "almost impossible", that means it's still possible.

    • "Just about impossible". So: possible.
    • The claim is true. The big problem right now is that what's needed to gain access to accounts or complete financial transactions is a piece of information. And as we all know, information wants to be free - it can easily be duplicated, and (with modern technology) transmitted anywhere around the world almost instantly.

      These keys tie the generation of that information to a physical object which cannot be duplicated and cannot be transported around the world any faster than other physical objects. And b
      • These keys tie the generation of that information to a physical object which cannot be duplicated

        We've heard that before as well, and it seems that sooner or later some clever bastard always manages to spoof it or clone it or whatever.

        Like I said, I'd love it if the claim that it's "impossible for attackers to guess or phish" were true, but would you bet your home, job, or bank account that this will still be true in a year?

        The basic problem is that if you rely on signals that come over a wire, you can never really know who or what is on the other end.

  • I use the native 2FA feature for Gmail that leverages an app on any smartphone and it works great. No USB port required.
    • by ceoyoyo ( 59147 )

      True, and it's a lot more convenient than a USB device. On the other hand, it's a lot more convenient than a USB device. You can phish TOTP authenticators by convincing someone to send you the QR code.

      I use TOTP authenticators. If I had something really important to protect I might make all the users get the USB sticks.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Because it does not require me to have a "smartphone". That's how it is better.

    • by geekmux ( 1040042 ) on Saturday December 24, 2016 @02:53AM (#53547097)

      I use the native 2FA feature for Gmail that leverages an app on any smartphone and it works great. No USB port required.

      You question how dedicated security hardware is "better" than one of the most hacked platforms on the planet?

      Give me a fucking break. This is the #1 reason I do not want my corporate users using hackedphones as the other half of 2FA.

      • by Anonymous Coward

        This is why I laugh (so I don't cry) at my company's rush to replace the convenient RSA keychain dongles with the smartphone-based RSA app.

        I know it probably saves RSA Inc. a ton of cash, convincing everyone to use an app rather than those key devices... we subsidize their platform with our own personally-purchased devices.

        I liked having a dedicated RSA key for VPN access. I knew it was simple and reliable; it fit in my pocket, couldn't be hosed by installing the latest Angry Birds App or sitting on the dev

  • We have good 2FA now and hardly anybody uses it.

    Google Authenticator is free, SMS 2FA isn't wire-secure, but it prevents almost all account takeovers, and "nobody" uses them because they're not mandatory.

    But now we'll have a hardware dongle that will either fit in a computer or a phone, but not both (probably) and nobody will use those too? We got stronger crypto but we didn't need stronger crypto; what problem is this solving?

    • ... SMS 2FA isn't wire-secure, but it prevents almost all account takeovers, and "nobody" uses them because they're not mandatory ...

      At one time, I had used my cell for SMS 2FA. Within a couple of days of giving my cell number out for 2FA, I started to get spam text messages and calls.

      I've since switched my cell number and no longer use SMS 2FA.

      The problem with using SMS 2FA is that too many advertisers and other trackers want your cell number for tracking and spamming purposes, and there is no way to assure the cell number will not spread beyond the intended 2FA purpose.

      • by Anonymous Coward

        That is why I won't use Yahoo anymore because they insist on storing a mobile phone number with your account.

    • by tepples ( 727027 )

      SMS 2FA on Twitter doesn't work with a landline and is expensive with pay-as-you-go mobile, and Twitter refuses to support TOTP or U2F.

    • by tlhIngan ( 30335 )

      Google Authenticator is free, SMS 2FA isn't wire-secure, but it prevents almost all account takeovers, and "nobody" uses them because they're not mandatory.

      SMS is insecure. There's a good reason NIST doesn't recommend it - you assume the number is associated with a phone, when that is not necessarily the case. It's also REALLY easy to MITM. In fact, in most mobile operating systems, when you see it on the screen, it's already passed through many layers of software and third party apps that could easily have

  • does it run on Linux??

  • Water is wet and rocks are hard.

    If you still don't realize that secure 2FA is better than a password alone, I don't think a published article about the topic is going to change your mind. Unfortunately.

    Of course portable hardware based 2FA is more secure than nearly any alternative.

    • Re: (Score:3, Informative)

      by sexconker ( 1179573 )

      A "second factor" presented as bits along the same wire as the bits of your password is not a second factor. They're both something you know. The only difference is you can lose the dongle and be fucked. You're still vulnerable to being phished or MITM'd or logging in via a pwned box or whatever else. The only thing time-based 2-factor approaches protect against is your own stupidity (reusing passwords or using bad passwords) and getting phished by a passive attacker who won't be using your credentials

      • Re:In other news... (Score:5, Informative)

        by Anonymous Coward on Saturday December 24, 2016 @12:00AM (#53546675)

        You're still vulnerable to being phished or MITM'd or logging in via a pwned box

        You can't be phished because the phishing site won't have the private key of the original website to validate to the key-dongle you are making a request to it from the original website that was stored when setting up the authentication originally.

        You can't be MITM'd as a vulnerability any different than SSL traffic. The keys won't match to decrypt the traffic, which were exchanged originally when setting up the authentication.
        Of course the encrypted data stream can be logged from a MITM position, just like SSL traffic now, but the idea is the attacker doesn't have either key to decrypt it to plain text and shouldn't have a quantum computer to brute force it in any reasonable time.

        Logging in via a pwned box would only be able to intercept that session.
        So yes, that can be quite damaging in some cases, but doesn't grant the attacker continued access. Remember, you need to push a button on the hardware dongle to reply to an authentication request and this request is only valid for the one session.

        For situations like say banking, yes one session is enough to have your account drained.
        But I fail to see how this is any WORSE off than not using the hardware key, while it is clearly still BETTER than not using a hardware key because it solves 2 of the 3 situations you describe.

        You are falling for the typical error in assuming a replacement security function must somehow be 100% effective else it is worthless.
        In reality, it only needs to be more effective than what you were previously doing to have some value, and you are ignoring that fact.

        If it was only 1% better then you may be valid in claiming the time investment of switching may not be worth it.
        But with the examples you listed it is clearly more than 66% better (2 of your 3 conditions are solved problems, and of the 3rd condition it is at least slightly mitigated even if not fully or even mostly)
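
Added example, not part of any comment in this thread and not Google's or Yubico's code: a simplified Node.js model of the U2F login exchange argued over above, showing which check stops a relayed, replayed or rewritten assertion. The origins, the user name and the in-memory `Token` class are constructed for illustration, and raw strings are hashed in one helper rather than following the FIDO wire format.

```javascript
// Added example: simplified U2F-style login. The origins, user and in-memory
// Token are constructed; this is not the FIDO wire format or any site's code.
const crypto = require('crypto');
const sha256 = (s) => crypto.createHash('sha256').update(s).digest();
const u32 = (n) => { const b = Buffer.alloc(4); b.writeUInt32BE(n); return b; };
// Bytes the token signs: appParam | user-presence byte | counter | challengeParam
const signedBytes = (appId, counter, clientData) =>
  Buffer.concat([sha256(appId), Buffer.from([1]), u32(counter), sha256(clientData)]);

class Token { // stands in for the hardware key
  constructor() { this.keys = new Map(); this.counter = 0; }
  register(appId) { // a fresh key pair for every site
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    const keyHandle = crypto.randomBytes(16).toString('hex');
    this.keys.set(keyHandle, { privateKey, appId });
    return { keyHandle, publicKey }; // only the public half leaves the token
  }
  sign(keyHandle, appId, clientData) {
    const k = this.keys.get(keyHandle);
    if (!k || k.appId !== appId) return null; // handle was made for another site
    this.counter += 1;
    const signature = crypto.sign(
      'sha256', signedBytes(appId, this.counter, clientData), k.privateKey);
    return { clientData, counter: this.counter, signature };
  }
}

// The browser, not the page, writes the origin into clientData and refuses an
// appId that does not belong to the page's origin (simplified to equality).
function browserSign(token, pageOrigin, req) {
  if (req.appId !== pageOrigin) return null;
  const clientData = JSON.stringify({ challenge: req.challenge, origin: pageOrigin });
  return token.sign(req.keyHandle, req.appId, clientData);
}

class RelyingParty {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Set(); }
  enroll(user, reg) { this.users.set(user, { ...reg, counter: 0 }); }
  challenge(user) {
    const challenge = crypto.randomBytes(32).toString('hex');
    this.pending.add(challenge); // each challenge is accepted once
    return { appId: this.origin, keyHandle: this.users.get(user).keyHandle, challenge };
  }
  verify(user, a) {
    if (!a) return 'no assertion';
    const rec = this.users.get(user);
    const cd = JSON.parse(a.clientData);
    if (!this.pending.delete(cd.challenge)) return 'unknown or reused challenge';
    if (cd.origin !== this.origin) return 'wrong origin';
    const data = signedBytes(this.origin, a.counter, a.clientData);
    if (!crypto.verify('sha256', data, rec.publicKey, a.signature)) return 'bad signature';
    if (a.counter <= rec.counter) return 'counter did not increase';
    rec.counter = a.counter;
    return 'ok';
  }
}

function demo() {
  const site = 'https://login.example.test';             // constructed origins
  const lookalike = 'https://login.example-test.invalid';
  const token = new Token();
  const rp = new RelyingParty(site);
  rp.enroll('alice', token.register(site));

  const good = browserSign(token, site, rp.challenge('alice'));
  const genuine = rp.verify('alice', good);
  const replayed = rp.verify('alice', good);
  // Look-alike page forwards the real request, then tries its own appId.
  const relayed = rp.verify('alice', browserSign(token, lookalike, rp.challenge('alice')));
  const ownAppId = rp.verify('alice',
    browserSign(token, lookalike, { ...rp.challenge('alice'), appId: lookalike }));
  // Non-compliant client that skips the appId check: the signed clientData
  // still names the look-alike origin, and rewriting it breaks the signature.
  const lax = (req) => token.sign(req.keyHandle, req.appId,
    JSON.stringify({ challenge: req.challenge, origin: lookalike }));
  const wrongOrigin = rp.verify('alice', lax(rp.challenge('alice')));
  const req = rp.challenge('alice');
  const rewritten = rp.verify('alice', { ...lax(req),
    clientData: JSON.stringify({ challenge: req.challenge, origin: site }) });
  return { genuine, replayed, relayed, ownAppId, wrongOrigin, rewritten };
}

console.log(demo());
```

The model covers login only; it assumes the public key reached the server intact at enrollment, which is the step the registration-time MITM discussion further down the thread is about.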

        • Re:In other news... (Score:4, Informative)

          by Ed Tice ( 3732157 ) on Saturday December 24, 2016 @03:17AM (#53547143)
          Logging in from a pwned box will get your one account stolen. But it's not a profitable criminal enterprise since it's a retail theft. This prevents wholesale crimes. Somebody can also rob you and steal your U2F dongle and threaten your family with violence if you don't turn over your dongle and password. It prevents mass attacks.
  • The problem is that this isn't "true" two factor authentication. This is just an (extra) client-side key embedded in a USB stick, you can do the same (much more universally) with SSL keys which is better than a password but in no way is it either foolproof nor 2 factor authentication, both of the items are passwords, you're just saving a really complicated password in a keychain.

    A good TFA requires something two out of something you have, something you know and something you are. Something you have should b

    • by Anonymous Coward

      A challenge against a private key on an external hardware device doesn't count as a second factor to you? (Something you have)
      First factor being something you know (a password).

      Are you thinking it just spits out the same answer every time?

      This is better than the typical deployment of ssl keys since you can copy those off disk.

      It's more like using a smart card but this is also better in that it's a different keypair per site without needing a central authority that could track you by noting where it processes

      • by tepples ( 727027 )

        What sort of man in the middle attacks do you envision the machine you're using will be able to perform between the dongle?

        During the initial key exchange, when the U2F device sends its public key to the server, a man in the middle could substitute the public key generated by his own U2F device.

        • It is important to note that could happen, if the MITM defeats the SSL/TLS session, only while the user initially REGISTERS for the service. The public key is not sent each time the user logs in.

          • by tepples ( 727027 )

            Please allow me to clarify:

            When the user registers while connected through MITM, the MITM impersonates the server to the user and the user to the server, providing the MITM's public key to the server instead of the user's. Then each time the user logs in while connected through the same MITM, the MITM continues to use its own keypair instead of the user's to respond to the server's challenge.

            If that doesn't make sense, then could you summarize what information is sent?

            • That sounds good to me. What that means, of course, is that the attack wouldn't work for a site you already have an account with (barring combining it with probably two other attacks, plus the MITM, for a total of four simultaneous successful attacks).

              • by tepples ( 727027 )

                Someone behind an authoritarian nation-state's MITM would probably have created the account while in the same country.

    • "something you are" if you can remove it with a knife, it isn't something you are. Also, once your biometric fingerprint (of any sort) is compromised, it's difficult to get the CA to issue you a new one.

  • Apple is pushing two-factor authentication right now, with an implementation that sends a numeric code to any of its devices that are registered to you other than the one on which you are authenticating. If you have two iPhones, an iPad and an Apple computer and change your Apple ID main password, two-factor auth takes you through several rounds of authenticating the change on each possible permuted pair of all of your devices. You will spend most of a day just entering two-factor authentication codes on on

  • "Hi, I'm from your company's tech support team. I'm here to test your 2FA key to see if it needs to be replaced by this fake-o virus carrying USB key I'm carrying, mind if I check things out? I'll be needing that key...."
    • "Hi, I'm from your company's tech support team (...) I'll be needing that key...."

      I have the feeling that these are just like stronger locks. You basically push the burglar towards your neighbors.

  • hope it works
  • We'll see how this one turns out once it's had some proper review.

    Just developing something in public and doing RFCs won't attract as much effort as possibly knocking down something published, a feather in the cap for defeating Google's propeller beanies. Whereas the first is just, "was a helper", which matters for just about zilch in any CV.

  • We run general purpose computers. Can't we trust our own operating systems enough to think they might store a couple bits of secretish data? If not, what good is any encryption since the attackers get every session key anyway? (not to mention the keylogger with the raw password and the memory debugger that sees every block encrypted and decrypted)

    The only thing a dongle provides is certainty that another computer can't impersonate a fully compromised device without the dongle. Of course, dongle-failure

    • The registering by phone *is* a form of two-factor authentication. You've just made the case for it. This is an improved form of two-factor authentication because it's too easy for phone numbers to get assigned to new devices. The SMS second-factor tends to work great against mass attacks and also protects low-value targets but is pretty much useless against a targeted attack. Too easy to walk into any mobile phone retailer and claim you lost your SIM card.
  • After more than two years of public implementation and internal study, Google security architects have declared Security Keys their preferred form of two-factor authentication.

    OK Google, then offer to ship these dongles out to your users at no cost. I'm not going to buy yet another little thing that's going to break, or get lost, or get stolen; I'll use it if it's free, though. I like PayPal's approach, they mailed out free SecurID dongles to anyone with a business account who asked for one. Mine still works fine on the original battery 10 years later.

    • You are aware that RSA sold all of the SecurID keys to the NSA so that token is useless, right? Also you have to have one SecurID per entity with whom you do business. The problem this is trying to solve is that you don't end up with so many tokens that you exceed carryon limits and have to decide which ones to bring with you on a trip. Also the SecurID tokens are insanely priced. Agreed they should be free since reselling the keys is where RSA makes the real money. But current costs have been descr
  • by SuperKendall ( 25149 ) on Saturday December 24, 2016 @12:45AM (#53546795)

    When plugged into a standard USB port

    Aaaand I stopped reading as I can say with confidence 99% of people will never use it.

    Just one of many problems - where do I put this on my iPad exactly? Or any mobile phone of any kind?

  • I don't keep my keys in my pocket, so I always have to go get my keys out of my bag when I want to log into my gmail, etc. I don't want the thing hanging around my neck, and not sure I want it on my wrist. How do you keep the darned thing handy at all times? I think I need a NFC yubikey type thing implanted in my hand.

  • Well I've got to hand it to them at least this isn't just another tired old token passing scheme running over TLS. There appears to be something "ChannelID"? I don't really understand the specifics that seems to bind something from USB card with the underlying TLS session.

    Still I have three comments.

    1. If you're going to do this why not deploy client certs and have your card store private keys for each site and just push all responsibility for interface (special standard for pkcs12 download, user attention..

    • The problem with client certificates is that you have to install them on a device before using the device. So you can only login from a device you completely trust. This is just another form of something you know. It's not a second factor. With U2F you can, in a pinch, login from say a computer in the library and not worry that your certificate just got compromised.
      • The problem with client certificates is that you have to install them on a device before using the device.

        The browser can grab them from anywhere it can anytime it wants. It can also pass-thru cert validation to physical trinkets that look like USB sticks or credit cards the same as smart cards have been doing for ages.

        So you can only login from a device you completely trust. This is just another form of something you know.

        It's not a second factor.

        No it is clearly something you have. Using trusted system is an implied baseline requirement. It isn't ever optional. This business of logging on from devices you don't trust = GIGO.

        With U2F you can, in a pinch, login from say a computer in the library and

        This limitation does not exist with my suggestion to just use client certs. There is no reason to assume brows

        • Congratulations, you've just described U2F!
          • Congratulations, you've just described U2F!

            What I described is a smart card .. something that has been widely used for over a decade.

            The difference in not reinventing the wheel with U2F is you don't need to modify servers to support experimental channel binding extensions. This can be deployed without modifying existing servers.

            "Google is very much a not-invented-here, build it ourselves culture."
            -Eric Schmidt

  • by SumDog ( 466607 )

    So what happens when you lose one of these things? Do you have to wait a week for a new one to arrive in the mail to access any of your accounts?

  • Yubikeys (Score:5, Informative)

    by darkain ( 749283 ) on Saturday December 24, 2016 @03:19AM (#53547147) Homepage

    Yubico, the makers of Yubikeys, is the primary company and primary devices that Google, Facebook, Github, Dropbox, and others use. Reading the various comments here on Slashdot, I just want to quickly clear a few things up. Some think this is just a theoretical API. No, it is fully implemented, and the hardware has been on the market. I've been using my Yubikey for over a year now. The thing is fucking amazing. The key supports several different modes, so let's go through a few of them really quick to clear up concerns from above.

    The type of authentication mentioned in TFA works by plugging in the USB key. After that, the browser makes a request to the key. The key then has an LED that starts blinking to indicate said request. The key does *NOT* process the request until the button on the key is pressed. The encryption key stored on the physical key also can NOT be read off of it at all, the device handles processing of the initial request. (yes, admittedly, this is slower than a normal CPU, it takes 1-2 seconds to process)

    There are other modes, too. There is a mode which works exactly like Google Authenticator, where you can register 2-factor codes with it. The generated time based codes can then be read back either by USB or by NFC on a phone/tablet. This has the added advantage of the fact the seed for the time code is not retrievable from the device. The only thing the device will transmit out is the calculated time-based code. This has an advantage over Google Authenticator, where a compromised phone could easily leak the seed values and generate new time based codes. This calculation instead happens on the key, and only the final result is returned instead.

    This device also works with PuTTY for SSH authentication. This is by *FAR* my most favorite feature. TortoiseGit on Windows also uses PuTTY for authentication, so this includes source code. You can pull out the public key from the device, and use the device to authenticate yourself anywhere that supports SSH. I personally use this to authenticate into a cluster of servers that I manage.

    This device includes a static password, too. Not everything supports these newer modes. There are a couple services that I use which don't. A randomized password up to 32 characters can be stored on the device, and with a single press of the button will emulate a keyboard and type it in. This is much MUCH easier than trying to type in long complex passwords which use tons of extended characters. But again, this caps at only 2 passwords (the device has 2 "slots" total, and other things such as the method mentioned in the article takes up 1 of those slots as well)

    But pretty much every concern I've seen in the comments on this page are all directly addressed on the Yubico web site. These guys have thought of pretty much every possible scenario imaginable. This isn't just some weekend project. This is a serious security product help designed and implemented by some of the largest tech firms in the world who have a serious stake at securing their own networks. The price for the keys is really not bad, so yeah, I'd personally recommend them.

    • by CRC'99 ( 96526 )

      As per the GP, I've also used a Yubikey for years. Mine is the original one that doesn't support U2F, but I've been using it for many things - including some of my own applications in OTP mode.

      OpenVPN - Username + OTP.
      SSH - Private Key + OTP from unknown sources (else just key).
      Admin account on my hosting platform: email + password + OTP (written in perl).
      Lastpass - Username + Password + OTP.

      In the many years since I've had this key (remember, this is one of the first they made), I've had their validation s

    • SecureCRT also supports PKI based SSH authentication, it's without fail the best terminal emulator around. (Win / Mac / Linux)

      I really do feel odd posting this to Slashdot (I feel like I'm going to get crucified for a slashvertisement), but I've used their stuff for years and they're worth a mention.

    • Don't forget to log in with your account for 20% off!

      I just ordered 2, these sound useful.

  • That would be John Connor.

    John Connor is leader of the Worldwide Resistance and last hope of humankind.

  • Isn't this what the yubikey is supposed to do? I mean it isn't exactly open but it does provide a nice easy 2FA.
