FIDO U2F - Security Keys for customer protected web services


How does FIDO (Fast IDentity Online) U2F work?

Simply insert your token and press the button and you are authenticated. It is really that simple!

When you register the FIDO security key, or token, to an account at a particular online service or website (called the origin), the token creates a new key pair specific to that origin and gives the origin its public key to associate with your account. The browser also sends a hash of the origin site to the token. The origin is the combination of protocol, hostname, and port, and its hash serves as a unique ID for your token to recognize, like a signature. Afterwards, when you sign in to your account as usual, the origin site can check, in addition to your username and password, whether the registered HyperFIDO token is present or not by verifying a signature created by the token.

Universal 2nd Factor (U2F) is an open authentication standard that strengthens and simplifies two-factor authentication using specialized USB or NFC devices based on similar security technology found in smart cards. While initially developed by Google, the standard is now hosted by the FIDO Alliance.

Specifications

FIDO's aim is that its specifications will support a full range of authentication technologies, including biometrics such as fingerprint and iris scanners, voice and facial recognition, as well as existing solutions and communications standards, such as Trusted Platform Modules (TPM), USB security tokens, embedded Secure Elements (eSE), smart cards, and near field communication (NFC). The USB security token device may be used to authenticate using a simple password (e.g. 4-digit PIN) or by pressing a button. The specifications emphasize a device-centric model. Authentication over the wire happens using public-key cryptography. The user's device registers the user to a server by registering a public key. To authenticate the user, the device signs a challenge from the server using the private key that it holds. The keys on the device are unlocked by a local user gesture such as a biometric or pressing a button.

FIDO specifications provide two categories of user experiences. Which one the user experiences depends on whether the user interacts with the Universal Second Factor (U2F) protocol or the Universal Authentication Framework (UAF) protocol. Both FIDO standards define a common interface.

So what's the difference between HyperFIDO U2F and a one-time password?

  • U2F does not actually use an OTP at any stage. Instead, it makes use of the browser and a public key/Key Handle system in order to perform authentication.
  • Time-based OTPs do an excellent job of combating phishing attacks, which snatch credentials, because they're difficult to steal. HyperFIDO can, in addition, combat Man-In-The-Middle (MITM) attacks that secretly intercept communication between a user and the authentication server. For example, if a MITM attack intercepts the communication during the authentication process, the origin site's hash will be different from what's stored in the Key Handle and the HyperFIDO token will not perform any signing operation.
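
The registration, sign-in and MITM behaviour described above can be traced in a short Node.js simulation. This is an added example, not HyperFIDO or FIDO Alliance code: `SimToken`, `verifyAssertion` and the example origins are hypothetical, the token keeps its key table in memory instead of encoding it in the Key Handle, the button press is omitted, and the signed message layout is simplified from the real U2F format.

```javascript
// Added example: a simulated token and relying party, not HyperFIDO firmware.
const crypto = require("crypto");

// The origin is protocol + hostname + port; the browser hashes it for the token.
const originHash = (origin) =>
  crypto.createHash("sha256").update(new URL(origin).origin).digest();

class SimToken {
  constructor() { this.keys = new Map(); } // keyHandle -> { privateKey, oHash }

  // Registration: create a key pair bound to this origin's hash.
  register(oHash) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    const keyHandle = crypto.randomBytes(16).toString("hex");
    this.keys.set(keyHandle, { privateKey, oHash });
    return { keyHandle, publicKey };
  }

  // Authentication: refuse to sign unless the origin hash matches the handle.
  sign(keyHandle, oHash, challenge) {
    const entry = this.keys.get(keyHandle);
    if (!entry || !crypto.timingSafeEqual(entry.oHash, oHash)) return null;
    return crypto.sign("sha256", Buffer.concat([oHash, challenge]), entry.privateKey);
  }
}

// Relying party: verify with the public key stored at registration.
function verifyAssertion(publicKey, origin, challenge, signature) {
  if (!signature) return false;
  const signed = Buffer.concat([originHash(origin), challenge]);
  return crypto.verify("sha256", signed, publicKey, signature);
}

function demo() {
  const token = new SimToken();
  const site = "https://login.example.com";      // constructed origin
  const lookalike = "https://login.example.net"; // constructed intercepting origin
  const { keyHandle, publicKey } = token.register(originHash(site));
  const challenge = crypto.randomBytes(32);      // fresh server challenge
  const good = token.sign(keyHandle, originHash(site), challenge);
  const relayed = token.sign(keyHandle, originHash(lookalike), challenge);
  return {
    genuine: verifyAssertion(publicKey, site, challenge, good),
    viaLookalike: verifyAssertion(publicKey, site, challenge, relayed),
    staleChallenge: verifyAssertion(publicKey, site, crypto.randomBytes(32), good),
  };
}
console.log(demo());
```

Only the sign-in from the registered origin verifies. The request relayed through the other origin gets no signature at all, and a signature over an old challenge fails against a new one.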

New NFC version launching

An NFC version of our FIDO U2F security key will be launched. It will work with mobile devices that support NFC.

As you may know, FIDO now supports Dropbox, GitHub, Windows 10, and Google Apps, and the list is growing.
