Universal 2nd Factor (U2F): The Importance of Security Keys

by Jake Wengroff

Universal 2nd Factor (U2F) is a physical authentication device that uses encryption and private keys to protect and unlock supported accounts. A U2F device is often a USB key, near-field communication (NFC) gadget, key fob or Bluetooth device, and it serves as the second step in an organization’s two-factor authentication (2FA) policies.

2FA is now considered a basic way to authenticate users, relying on internal and external factors. The internal factor is a basic password or PIN, something that a user has memorized and that they enter on their device, app or service account.

The second factor is external and can be an SMS message or phone call with a temporary passcode or a code produced by a third-party authenticator application. However, while 2FA is more secure than simply relying on a single password to enter a system, depending on a second device, such as a smartphone, for authentication still creates risk because account verification processes and even enterprise security policies differ.

To address this gap, U2F has emerged and is now a universal standard created by Google and Yubico for streamlining 2FA with any service or account.

The Importance of Security Keys

A security key is a hardware-based authentication solution that provides a line of defense against phishing, eliminating account takeovers while enabling compliance requirements for strong authentication. Security keys establish user presence and prevent remote takeovers.

These solutions have grown in popularity because of their simplicity: no battery or network connectivity is required. Like a swipe card to gain entry into a building, users simply insert the key into a device and tap to authenticate.

How U2F Works

In a U2F setup, U2F devices are connected to a computer or smartphone via a USB port and can be turned on for certain applications or websites. After the user enters their password to an account, the device communicates with the host computer via the HID protocol, the standard that simplifies communication between external devices and the computer.

Upon initial communication, a challenge-response authentication mechanism (CRAM) runs: the U2F device uses its private key to answer a challenge, and the response is checked against the matching public key to unlock the account. If the U2F key is not present, access will be denied.

Additionally, the U2F device is secure, as any information stored on the key is encrypted, reducing the risk of keylogger, phishing, man-in-the-middle (MITM), malware and session hijacking attacks.
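
The challenge-response exchange described above can be sketched in Node.js. This is an added example, not code from the article or from the FIDO specifications; the `SecurityKey` and `Website` classes, the `example.test` origins and the simplified signed-byte layout are assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');
const sha256 = (text) => nodeCrypto.createHash('sha256').update(text).digest();
// Bytes the key signs (simplified, not the FIDO wire format): site, counter, challenge.
const signedBytes = (origin, challenge, counter) =>
  Buffer.concat([sha256(origin), Buffer.from(String(counter)), sha256(challenge)]);
// Added example: hypothetical stand-in for the security key. Private keys stay in here.
class SecurityKey {
  constructor() { this.keys = new Map(); this.counter = 0; }
  register(origin) {
    const pair = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.keys.set(origin, pair.privateKey); // one key pair per site
    return pair.publicKey;                  // only the public half is handed out
  }
  sign(origin, challenge, userTouched) {
    if (!userTouched || !this.keys.has(origin)) return null; // no tap, or unknown site
    const counter = ++this.counter;
    const data = signedBytes(origin, challenge, counter);
    return { counter, signature: nodeCrypto.sign('sha256', data, this.keys.get(origin)) };
  }
}

// Hypothetical stand-in for the website. It stores only the public key.
class Website {
  constructor(origin, key) {
    Object.assign(this, { origin, publicKey: key.register(origin), lastCounter: 0, pending: null });
  }
  newChallenge() { return (this.pending = nodeCrypto.randomBytes(32).toString('hex')); }
  verify(response) {
    const challenge = this.pending;
    this.pending = null; // each challenge is accepted once
    if (!challenge || !response || response.counter <= this.lastCounter) return false;
    const data = signedBytes(this.origin, challenge, response.counter);
    if (!nodeCrypto.verify('sha256', data, this.publicKey, response.signature)) return false;
    this.lastCounter = response.counter;
    return true;
  }
}

function demo() { // constructed origins; returns the outcome of four login attempts
  const key = new SecurityKey();
  const site = new Website('https://example.test', key);
  const first = key.sign(site.origin, site.newChallenge(), true);
  const login = site.verify(first);
  site.newChallenge();
  const replay = site.verify(first); // old response against a fresh challenge
  const lookalike = site.verify(key.sign('https://examp1e.test', site.newChallenge(), true));
  const noTouch = site.verify(key.sign(site.origin, site.newChallenge(), false));
  return { login, replay, lookalike, noTouch };
}
```

Only the first attempt succeeds: the replayed response, the look-alike origin and the attempt without a tap are all rejected, and the site never holds anything but the public key.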

The U2F standard is supported by the FIDO Alliance, which rigorously tests and certifies services according to its standards. Chrome, Firefox and Opera already support U2F within their browsers, along with major applications such as Facebook, GitHub and Dropbox. Financial services organizations, including PayPal, Mastercard, American Express, Visa and Bank of America, have also begun offering U2F security solutions.

History of Security Keys

The history of security keys is very much tied to the history of several hardware startups focused on developing authenticator devices. One is Yubico, a Swedish company founded in 2007. Within one year, it launched YubiKey 1.0, the world’s first one-touch, one-time password authenticator.

In 2011, Yubico began discussions with Google’s internal security team, who also had identified the benefit of public key cryptography for protecting against advanced phishing attacks.

Yubico and Google signed a partnership contract to co-create U2F in 2012, and they contributed the U2F technical specifications to the FIDO Alliance, joining as board members the following year.

Advantages of Universal 2nd Factor

Companies can find several benefits by implementing U2F, including:

  • Stronger Security: U2F devices use encryption and send information directly to a website or service, reducing the risk of attacks, such as phishing and man-in-the-middle.
  • Simplicity: U2F is already incorporated into well-known consumer and business platforms and browsers, making installation easy.
  • Consumer Choice: Since U2F is a standard of authentication, it can be found in a range of device types and communication methods, allowing the user to choose the best fit.
  • Low-Cost Solution: Keys and drivers with U2F technology are relatively inexpensive, with Yubico offering free, open-source server software for back-end integration.
  • More Identity Control: Users, as well as enterprises, can better control online identity and customize those identities to their needs or privacy level.

Disadvantages of Universal 2nd Factor

On the other hand, U2F is not without its downsides, especially since it is lesser known than other modalities.

  • Less Support: U2F is a relatively new technology, so it isn’t as widely supported or well known as other choices, such as one-time passcodes to a smartphone.
  • Inconvenient, Differing Ports: The other major drawback is inconvenience due to differing USB ports on various devices. For example, a U2F key with a USB-A connector will only work on an Android device, iPhone or newer MacBook with an adapter.
  • Expensive: Some higher-end U2F keys have built-in NFC, so they can be used with mobile devices. However, they are often more expensive. Basic U2F keys can be reasonably priced, but NFC ones will cost much more, notes MakeUseOf.com.
  • Potential to Be Lost or Stolen: While a smartphone cannot be unlocked if someone finds (or steals) a U2F key, there are costs related to downtime and replacement.

What is Multi-Factor Authentication?

Multi-factor authentication (MFA) is similar to 2FA, and the two are often used interchangeably (and erroneously).

While “two” can be considered “multi,” MFA implies more than 2 forms of identification — in fact, it can incorporate both of the security features included in a typical 2FA setup and up to four forms of verification, including a U2F security key. MFA is considered the strongest security for an account.



Jake Wengroff writes about technology and financial services. A former technology reporter for CBS Radio, he covers such topics as security, mobility, e-commerce and the Internet of Things.