Google announced today that it is enabling support for the FIDO Alliance’s Universal Second Factor (U2F) protocol on all Google user accounts. This makes it the first major company to do so.

Entersekt thinks this a fantastic development and one we are very proud to be a part of.

The technical skinny

The FIDO Alliance (FIDO stands for Fast IDentity Online) aims to standardize the way multi-factor authentication is handled across different web properties and to limit our reliance on passwords. There are two sets of specifications published by FIDO: UAF (Universal Authentication Factor) and U2F. Where UAF is a slightly more complex authentication protocol that deals with a greater number of use cases, U2F aims to provide a simple interface for proving that something physical is present during the authentication process.

A web site that wants to make use of U2F must deploy a U2F server. All communication between this U2F server and the customer’s browser is handled through JavaScript injected into the target web site. A browser that understands these JavaScript commands is also required (right now, only Chrome supports this – from version 38). Once the browser receives these commands, it passes them down to the user’s USB stack, where a U2F-ready token receives them and acts on them.

U2F-ready tokens are very simple and there are really only two notable commands that can be sent to them: Register and Sign. During registration, a public/private key pair is minted on the U2F-ready token and the public portion of the key is sent down to the web property that runs the U2F server. The U2F server stores this public key against the user’s account. The next time the user tries to access the relevant online service, a Sign command is issued to the token. It must respond correctly to prove that it is the same token (and private key) originally registered.
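The Register and Sign exchange just described, as an added example written for this post rather than code from Entersekt, Google or the FIDO specifications: the token keeps the private key, the server stores only the public key plus a signature counter, and an answer that is replayed, signed for another origin or produced by a different key is rejected. The signed layout (application parameter, user-presence byte, counter, challenge parameter) follows the U2F raw message format; the attestation certificate and key handle are left out for brevity, and the origin and challenge values are constructed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)

// Token models a U2F authenticator holding one registered key pair and a signature counter.
type Token struct {
	priv    *ecdsa.PrivateKey // minted in Register and never leaves the token
	counter uint32
}
// Register mints a P-256 key pair; only the public half is handed to the web property.
func (t *Token) Register() (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t.priv = priv
	return &priv.PublicKey, nil
}
// digest hashes what a U2F Sign covers: appParam || user-presence byte || counter || challengeParam.
func digest(app, challenge [32]byte, counter uint32) []byte {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	d := sha256.Sum256(append(append(append(app[:], 0x01), ctr[:]...), challenge[:]...))
	return d[:]
}
// Sign answers a challenge and bumps the counter; app (hash of the origin) binds the answer to one site.
func (t *Token) Sign(app, challenge [32]byte) (uint32, []byte, error) {
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, digest(app, challenge, t.counter))
	return t.counter, sig, err
}
// Registration is what the U2F server stores against the user's account.
type Registration struct {
	Pub     *ecdsa.PublicKey
	Counter uint32 // highest counter seen; a non-increasing value means replay or a cloned token
}
// Verify checks the signature with the stored public key and enforces a strictly increasing counter.
func (r *Registration) Verify(app, challenge [32]byte, counter uint32, sig []byte) bool {
	if counter <= r.Counter || !ecdsa.VerifyASN1(r.Pub, digest(app, challenge, counter), sig) {
		return false
	}
	r.Counter = counter
	return true
}
```

The application parameter is the SHA-256 of the origin, so a signature obtained by a look-alike site cannot be verified by the real one; the counter check is the server's only signal that a token has been cloned.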

OK, so what’s in it for you?

With so many alternatives out there already – most notably, Google Authenticator, which is already used for two-factor authentication across Google’s services – why this new solution, the Google Security Key?

Well, as we at Entersekt have been saying for the past five years, the one-time password (OTP) is pretty much obsolete, nothing more than a Band-Aid. Fraudsters are easily circumventing OTP-based authentication systems by intercepting text messages delivered to your mobile phone; by phishing your OTP with fake web sites; or by compromising the seed value database on the web property’s side, gaining the ability to generate the same OTPs as your hardware or software token does. In any case, it’s pretty archaic to expect a user to type a series of digits from one device to another – especially on a mobile phone or tablet!

U2F aims to solve these problems by providing a cryptographic means of authenticating the presence of something physical (your U2F token) without your identity ever leaving your token. This is very similar to the Common Access Card you may have seen that guy from the U.S. Department of Defense inserting into his laptop on your last flight to DC.

Entersekt makes U2F a mobile experience

There’s currently only one transport protocol supported by FIDO U2F: USB. This means that, if you want to upgrade your authentication experience from OTP to U2F, you have to buy a USB U2F token and carry it around with you wherever you go.

Entersekt has devised a solution to this problem. Our mobile-phone–based authentication product, Transakt, already uses cryptographic keys to verify users of online systems, so we developed a lightweight USB U2F bridge that you can install on your computer, allowing your browser to connect with the U2F-enabled Transakt app on your mobile phone for secure, convenient authentication. No retyping OTPs. No buying and carrying around a physical token. Simply install the Transakt U2F driver on your machine and download the Transakt U2F app to your mobile phone. It’s that easy.

U2F authentication requests are automatically routed across a secured Internet channel to your mobile device for approval. No physical connection between your computer and mobile phone is required. Simply tap to “Accept” on your phone to complete the cryptographic sign-in process.

Give it a go!

Transakt U2F is in beta, but Entersekt is accepting a limited number of sign-ups to this service. If you’re interested in giving Transakt U2F a try with your Google account, please click here.


Christiaan Brand

FORMER CTO
