SECURITY KEY U2F

It is possible to secure a Facebook or Google account with a U2F security USB key, a standard supported by the FIDO Alliance. Not sure what that means? Don’t panic: we’ll explain everything.

We’ll say it again and again: the security of your accounts is paramount, and often it’s enough to adopt a few small habits to considerably strengthen access to your personal spaces. Whether it’s social networks, sites that host your files or projects, or online banking, you don’t want the passwords that protect this personal data to look anything like abcdef.

The first and simplest step is to strengthen your password. The second is to activate two-factor authentication wherever you can. With these two in place on most of your accounts, you will avoid most of the trouble. But there is another way to add security to an account: a security USB key and the U2F protocol. Here is how it works.

WHAT IS A SECURITY USB KEY?

It’s an object that looks like a traditional USB flash drive, except that instead of storing files, it contains a secure chip holding a unique private key that belongs to you. Metaphorically, you could say it is the digital equivalent of the key to a safe; technically, it is based on the concept of a public/private key pair.

It is based on an open standard called U2F, for Universal Second Factor, which was developed by Google, Yubico and NXP (the company behind NFC chips) and is now maintained by the FIDO Alliance, a consortium of several companies and organizations.

These USB keys sell from around ten euros and are available worldwide. You only need one key, which will work with all your accounts.

HOW CAN A USB KEY PROTECT AN ACCOUNT?

Once you have your security USB key, you can associate it with an account, if the service offers the option. After that, once you have entered your password, you simply plug the key into your computer and it uses the key stored on its chip to prove your identity to the site, which then lets you in. In practice, the process is therefore similar to 2-step verification.

Note that contrary to appearances, this is not biometric authentication by fingerprint recognition.

WHY ARE SOME KEYS MORE EXPENSIVE THAN OTHERS?

The build quality, the features (NFC, for example) and the place of manufacture make the price vary, not the security of the chip. If it is FIDO U2F certified, it’s good. A key like the YubiKey NEO, built in Sweden or the United States, costs 44 €, for example.

HOW IS IT MORE SECURE THAN THE 2-STEP VERIFICATION?

This method of securing accounts takes something fundamental into account: social engineering. Six digits that appear on your smartphone’s screen and that you have to type in to confirm your identity are fine, but imagine that the person trying to hack you has access to a surveillance camera behind you and can read those digits. Too far-fetched? Then imagine that a particularly clever phishing site manages to get you to enter those digits, with hackers on the lookout to intercept them. Far from impossible.

Generally speaking, the best password is the one you don’t know. Even under torture, you would be unable to give out the identification key contained in the chip of your USB key.
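The challenge-response behind the two sections above (the key on the chip answering the site, and why a phishing site cannot relay that answer), as an added example that is not from the original article: a simulated U2F authenticator and web site in Go. The origin names, challenge bytes and counter values are constructed for the demonstration, not taken from any real service.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models the secure chip: a key pair per registered origin (appID) and a counter.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey; counter uint32 }

// Register creates a fresh key pair bound to appID; only the public key ever leaves the chip.
func (a *Authenticator) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	if a.keys == nil { a.keys = map[string]*ecdsa.PrivateKey{} }
	a.keys[appID] = priv
	return &priv.PublicKey, nil
}

// signedData is the U2F authentication payload: SHA-256(appID) || user-presence byte ||
// big-endian counter || SHA-256(challenge). Signing the origin is what defeats phishing relays.
func signedData(appID string, counter uint32, challenge []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	buf := append(app[:], 0x01, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	return append(buf, chal[:]...)
}

// Sign answers a challenge for the origin the browser reports; ok is false for an unregistered origin (e.g. a look-alike phishing domain).
func (a *Authenticator) Sign(origin string, challenge []byte) (uint32, []byte, bool) {
	priv, found := a.keys[origin]
	if !found { return 0, nil, false }
	a.counter++
	digest := sha256.Sum256(signedData(origin, a.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return a.counter, sig, err == nil
}

// RelyingParty is the web site: it stores only the public key and the last counter seen.
type RelyingParty struct{ AppID string; Pub *ecdsa.PublicKey; counter uint32 }

// Verify checks the signature over the site's own appID and that the counter moved forward,
// which rejects a replayed response and flags a cloned key.
func (rp *RelyingParty) Verify(challenge []byte, counter uint32, sig []byte) bool {
	if counter <= rp.counter { return false }
	digest := sha256.Sum256(signedData(rp.AppID, counter, challenge))
	if !ecdsa.VerifyASN1(rp.Pub, digest[:], sig) { return false }
	rp.counter = counter
	return true
}
```

The site never receives the private key, only a signature over its own origin and a fresh challenge, so a code typed into a look-alike site cannot be forwarded to the real one.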

THE BEST PASSWORD IS THE ONE YOU DON’T KNOW

WHICH SERVICES ARE COMPATIBLE?

It’s not only obscure services for nerds that are compatible with USB key verification; the method has been rolling out rather quickly in recent months. You can always find the configuration settings for your USB key in the security tab of the service in question. The complete list can be found here. Here are a few consumer services that are compatible:

  • Facebook
  • Gmail (and all Google services)
  • Dropbox
  • GitHub
  • BitBucket
  • FastMail
  • DashLane
  • WordPress (CMS)

WHAT ARE THE COMPATIBLE BROWSERS?

If you choose to use this feature, you will need a compatible browser. For now, there are only three: Opera, Google Chrome (from version 40) and Mozilla Firefox, which integrated the open Universal Second Factor (U2F) authentication standard in Firefox 57 and enabled it by default in Firefox 60.

WHAT IF I WANT TO CONNECT WITH A SMARTPHONE?

That’s a good question, and it is the main problem with these keys today: even though they were originally designed by NXP, they still don’t fully work over NFC. Facebook, for example, doesn’t allow its mobile application to log in via a security USB key. However, Facebook’s mobile site is compatible if you have an Android smartphone and a security USB key that supports NFC (YubiKey NEO or Fidesmo NFC Card, for example).

While waiting for complete and more widespread compatibility, services will ask you to also activate a second, more classic two-step authentication method (such as a code by SMS or the Google Authenticator app).

In July 2018, Google announced a Bluetooth (BLE) compatible U2F USB key. It will therefore be able to handle authentication on a smartphone.

Since 2019, most U2F devices are NFC compatible (like the YubiKey 5 or Google Titan). It’s a must-have feature now.

I LOST MY KEY

There are several possible situations, but roughly speaking, you will have configured a backup solution (see the previous point). You will then be able to log in to your account and remove your key from it. That said, the best approach is still to have two keys for each account: the first one at hand, the second one in your safe.