FIDO UNIVERSAL SECOND FACTOR (U2F) SPECIFICATIONS OVERVIEW
What is FIDO U2F?
Simple, Secure, Scalable 2FA

FIDO U2F Core Benefits
• Simple, one-touch 2FA
• One device works across an unlimited number of sites
• Secures against phishing and man-in-the-middle attacks
• No secrets shared between sites, protecting user privacy

Notable Services/Apps (logos not reproduced)
Easy Two-Step Process
• Cross-platform support
• Across multiple device types
• Contactless and tokenless options
Why not just the phone?
• Security
• Accessibility
• Speed
• Reliability
• Durability
• Backup
• Privacy
Stats from Google Deployment
• Mandatory for all Google staff and contractors
• Support for Google end-users
All Rights Reserved. FIDO Alliance. Copyright 2016.
U2F vs Google Authenticator
• 4x faster to login
• Significant fraud reduction
• Support reduced by 40%
Registration
1. Server sends challenge
2. Device generates key pair
3. Device creates key handle
4. Device signs challenge + client info
5. Server receives and verifies device signature using attestation cert
6. Key handle and public key are stored in database

Authentication
1. Server sends challenge + key handle
2. Device unwraps/derives private key from key handle
3. Device signs challenge + client info
4. Server receives and verifies using stored public key

(Diagram: Individual with U2F Device on one side, Relying Party on the other.)
U2F Entities (diagram)
User Side:
• U2F Authenticator: Secure U2F Element, U2F Code, USB (HID) transport, User Action
• FIDO Client (Browser): USB (HID) API, U2F JS API
Relying Party:
• Web Application, U2F Library, database of Public Keys + Key Handles + Certificates
Protocol Design Step-By-Step
(Diagrams with three parties: U2F Device, Client, Relying Party)

Authentication
1. Relying Party sends challenge; Client forwards challenge to U2F Device
2. U2F Device signs with kpriv: s = signature(challenge)
3. Client returns s; Relying Party looks up kpub and checks signature s using kpub

Phishing/MitM Protection
1. Relying Party sends challenge; Client adds origin and channel id, giving c = (challenge, origin, channel id)
2. U2F Device signs with kpriv: s = signature(c)
3. Client returns c, s; Relying Party looks up kpub, checks s using kpub, and verifies origin & channel id

Application-Specific Keys
1. Relying Party sends handle h, app id a, challenge; Client builds c = (challenge, origin, channel id, etc.) and passes h, a, c to the device
2. U2F Device checks app id, looks up the kpriv associated with h, and signs with kpriv: s = signature(a, c)
3. Client returns c, s (with h); Relying Party looks up the kpub associated with h, checks s using kpub, and verifies origin & channel id

Device Cloning
1. As above: Relying Party sends handle h, app id a, challenge; Client builds c and passes h, a, c to the device
2. U2F Device checks app id, looks up the kpriv associated with h, increments its counter (counter++), and signs with kpriv: s = signature(a, c, counter)
3. Client returns counter, c, s (with h); Relying Party looks up the kpub associated with h, checks s using kpub, and verifies origin, channel id & counter

Registration + Device Attestation
1. Relying Party sends app id a, challenge; Client builds c = (challenge, origin, channel id, etc.) and passes a, c to the device
2. U2F Device checks app id and generates kpub, kpriv and handle h; it returns kpub, h, attestation cert, s = signature(a, c, kpub, h)
3. Client returns c, kpub, h, attestation cert, s; Relying Party associates kpub with handle h for the user
Adding U2F Support

Original Database
user_id   Password#
JohnDoe   4^hfd;`gpo

U2F Database (related to the original database by user_id at the Relying Party)
user_id   Meta                             U2F Data
JohnDoe   Yubico, Security Key, USB        key handle, public key, certificate
JohnDoe   Yubico, YubiKey NEO, USB + NFC   key handle, public key, certificate
Mobile FIDO U2F/FIDO 2.0
• NFC (today): tap U2F device on NFC phone
• Bluetooth (Q4, 2016): touch button on Bluetooth U2F device
• Mobile client (in development): SDK for app developers (passwordless, tokenless, using device biometrics to unlock)
• Future: FIDO 2 device-to-device
U2F Ecosystem Beyond Chrome
● Mozilla Firefox (in development)
● Microsoft Edge (in development)
○ seamless upgrade path to FIDO 2.0
● Native client
○ Dashlane password manager client
○ Windows credential provider with U2F
○ Open-source host libraries available

FIDO U2F Specifications: Overview & Tutorial