By Gregg Lantz, Oferas Technologies
Updated 2:58 PM ET, Mon May 4, 2020
Ease of use, privacy, security, and standardization.
When implementing authentication beyond a password or a one-time-password, companies have traditionally been faced with an entire stack of proprietary clients and protocols.
FIDO simplifies U2F authentication by standardizing the client and protocol layers. FIDO aligns the existing ecosystem of client authentication methods, such as biometrics, PINs and second factors, so that they can be used with a variety of online services in an interoperable manner.
When you use a FIDO enabled browser and an inexpensive FIDO key, your user login is securely bound to the originating website, meaning that only the real website can authenticate with the key. The authentication will fail on a fake site even if the user was fooled into thinking it was real. This greatly mitigates the increasing volume and sophistication of phishing attacks and helps put an end to account takeovers.
During registration with an online service, the user's client device creates a new key pair. It stores the private key and registers the public key with the online service or website. To authenticate, the client device proves possession of the private key to the service: it signs a challenge sent by the site and returns the signed response to the site. The client's private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by a user-friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.
The FIDO protocols are designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information, if used, never leaves the user's device.
Unlike a shared secret, the private key is never shared or sent over the internet at any time. No confidential information is ever transmitted, thanks to public key cryptography. You never need to retype one-time codes. No personal information is associated with the key. Because U2F shares no secret and the provider stores no confidential database, a hacker cannot simply steal an entire database to gain access. Instead, he has to target individual users, which is much more costly and time-consuming.
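The registration and challenge-signing flow described above, together with the origin binding that makes a fake site fail and the fact that the service stores only a public key, can be seen end to end in the following simulation. It is an added example written for this page, not code from the article or from any FIDO implementation: the site names, the "alice" account, the `browser()` function and the `Authenticator`/`RelyingParty` classes are constructed for illustration, client data is reduced to a challenge and an origin, and a textbook RSA signature on 128-bit primes stands in for the ECDSA P-256 key a real authenticator uses so that the code runs offline with the standard library only (it is not secure and must not be reused). The authenticator refuses a key handle issued for a different site, the browser refuses an app_id that does not match the page origin, and the relying party rejects a replayed response by its counter.

```python
"""Toy U2F registration/authentication flow showing origin binding (added illustration, not code from the article or any FIDO implementation).
Textbook RSA on 128-bit primes stands in for the authenticator's ECDSA P-256 key so the flow runs offline; it is NOT secure."""
import hashlib, json, secrets, struct

_E = 65537   # RSA public exponent for every toy key
def _is_prime(n, rounds=32):   # Miller-Rabin; adequate for a demonstration
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _keygen(bits=128):   # fresh, unrelated toy RSA pair (public n, private d) for every registration
    def prime():
        while True:
            c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
            if _is_prime(c):
                return c
    p, q = prime(), prime()
    while p == q or (p - 1) * (q - 1) % _E == 0:   # need gcd(e, phi) == 1
        p, q = prime(), prime()
    return p * q, pow(_E, -1, (p - 1) * (q - 1))

def _to_sign(app_id, counter, client_data):
    # U2F signs sha256(app_id) || flags || counter || sha256(client_data); hashed again and cut to 240 bits so it is below n
    blob = hashlib.sha256(app_id.encode()).digest() + struct.pack(">BI", 1, counter) + hashlib.sha256(client_data).digest()
    return int.from_bytes(hashlib.sha256(blob).digest()[:30], "big")

class Authenticator:   # the security key: private keys never leave it, one key pair per registration
    def __init__(self):
        self._keys, self._counter = {}, 0   # key_handle -> (app_id, n, d)
    def register(self, app_id):
        n, d = _keygen()
        handle = secrets.token_hex(16)
        self._keys[handle] = (app_id, n, d)
        return handle, n   # only the public key leaves the device
    def sign(self, app_id, key_handle, client_data):
        stored_app_id, n, d = self._keys[key_handle]
        if stored_app_id != app_id:   # a handle only works for the site that created it
            raise ValueError("key handle not valid for this app_id")
        self._counter += 1
        return self._counter, pow(_to_sign(app_id, self._counter, client_data), d, n)

def browser(auth, origin, app_id, challenge, key_handle=None):
    """The client: stamps the page's true origin into client data and enforces same-origin on app_id."""
    if app_id != origin:   # a look-alike page cannot borrow the real site's app_id
        raise ValueError("app_id does not match page origin")
    cd = json.dumps({"challenge": challenge, "origin": origin}).encode()
    if key_handle is None:   # registration
        handle, n = auth.register(app_id)
        return {"client_data": cd, "key_handle": handle, "public_key": n}
    counter, sig = auth.sign(app_id, key_handle, cd)
    return {"client_data": cd, "counter": counter, "signature": sig}

class RelyingParty:   # the web service: stores public keys only; checks origin, challenge, counter, signature
    def __init__(self, origin):
        self.origin, self.users = origin, {}
    def _ours_and_fresh(self, challenge, resp):
        cd = json.loads(resp["client_data"])
        return cd["origin"] == self.origin and cd["challenge"] == challenge
    def finish_registration(self, user, challenge, resp):
        if not self._ours_and_fresh(challenge, resp):
            return False
        self.users[user] = {"key_handle": resp["key_handle"], "public_key": resp["public_key"], "counter": 0}
        return True
    def finish_authentication(self, user, challenge, resp):
        rec = self.users[user]
        if not self._ours_and_fresh(challenge, resp) or resp["counter"] <= rec["counter"]:
            return False   # wrong site, stale challenge, or replayed/cloned response
        if pow(resp["signature"], _E, rec["public_key"]) != _to_sign(self.origin, resp["counter"], resp["client_data"]):
            return False
        rec["counter"] = resp["counter"]
        return True

def run_demo():   # constructed scenarios; returns each outcome as a boolean
    key, bank, mail = Authenticator(), RelyingParty("https://bank.example"), RelyingParty("https://mail.example")
    for rp in (bank, mail):   # register the same key with two services
        c = secrets.token_urlsafe(32)
        rp.finish_registration("alice", c, browser(key, rp.origin, rp.origin, c))
    rec, c = bank.users["alice"], secrets.token_urlsafe(32)
    resp = browser(key, bank.origin, bank.origin, c, rec["key_handle"])
    legit = bank.finish_authentication("alice", c, resp)
    replay = bank.finish_authentication("alice", c, resp)   # same response submitted twice
    # Phishing: a look-alike page relays the bank's real challenge and key handle to the victim's browser.
    c, phished = secrets.token_urlsafe(32), False
    for app_id in (bank.origin, "https://bank-login.example"):
        try:
            phished |= bank.finish_authentication("alice", c, browser(key, "https://bank-login.example", app_id, c, rec["key_handle"]))
        except ValueError:
            pass   # browser or key refused before anything was signed
    return {"unlinkable": rec["public_key"] != mail.users["alice"]["public_key"],
            "legit": legit, "replay_rejected": not replay, "phish_blocked": not phished}
```

Running `run_demo()` returns all four outcomes as `True`: the genuine login succeeds, the same response submitted a second time is rejected by the counter, the two services hold unrelated public keys for the same physical key (nothing to correlate across sites), and both ways a look-alike page might try to reuse the bank's key handle fail before a signature is ever produced. Note that the relying party's `_ours_and_fresh` check also rejects a signed response whose client data names another origin, so even a client that skipped its own same-origin check would not let a fake site log in.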
Start by purchasing a U2F key. Google "U2F Security Keys" and find one you like. Remember, this security key is based on standards, so there won't be much of a difference between the keys you find. Once your security key arrives, register it with the sites you use. Most websites offer easy-to-follow instructions on their site. Once your key is registered, you most likely won't need it again for a few months. Be careful and don't misplace your key. Most of our clients buy and activate two keys. One key sits on their key ring and the other gets tucked away at home.