FIDO U2F Specifications: Overview & Tutorial

FIDO UNIVERSAL SECOND FACTOR (U2F) SPECIFICATIONS OVERVIEW

Transcript of FIDO U2F Specifications: Overview & Tutorial


What is FIDO U2F?


Simple, Secure, Scalable 2FA

FIDO U2F Core Benefits

• Simple, one touch 2FA

• One device works across an unlimited number of sites

• Secures against phishing and man-in-the-middle attacks

• No secrets shared between sites, protects user privacy

Notable Services/Apps


Easy Two-Step Process

• Cross-platform support

• Across multiple device types

• Contactless and tokenless options


Why not just the phone?

• Security

• Accessibility

• Speed

• Reliability

• Durability

• Backup

• Privacy


Stats from Google Deployment

• Mandatory for all Google staff and contractors

• Support for Google end-users

All Rights Reserved. FIDO Alliance. Copyright 2016.

U2F vs Google Authenticator

• 4x faster to login

• Significant fraud reduction

• Support reduced by 40%

Registration

1. Server sends challenge

2. Device generates key pair

3. Device creates key handle

4. Device signs challenge + client info

5. Server receives and verifies device signature using attestation cert

6. Key handle and public key are stored in database

Authentication

1. Server sends challenge + key handle

2. Device unwraps/derives private key from key handle

3. Device signs challenge + client info

4. Server receives and verifies using stored public key

U2F Entities

(Diagram: Individual with U2F Device on the user side; Relying Party on the server side.)

User Side:

• U2F Authenticator: Secure Element running the U2F Code, USB (HID) transport

• FIDO Client / Browser: U2F JS API, USB (HID) API

• User Action

Relying Party:

• Web Application with U2F Library

• Stores Public Keys + KeyHandles + Certificates

Protocol Design Step-By-Step

(Sequence diagrams between U2F Device, Client and Relying Party, reconstructed as message lists.)

Authentication

• Relying Party → Client: challenge

• Client → U2F Device: challenge

• U2F Device: sign with kpriv, producing s = signature(challenge)

• U2F Device → Client → Relying Party: s

• Relying Party: look up kpub; check signature s using kpub

Phishing/MitM Protection

• Relying Party → Client: challenge

• Client → U2F Device: c = (challenge, origin, channel id)

• U2F Device: sign with kpriv, producing s = signature(c)

• U2F Device → Client → Relying Party: c, s

• Relying Party: look up kpub; check s using kpub; verify origin & channel id

Application-Specific Keys

• Relying Party → Client: handle h, app id a, challenge

• Client: check app id; then Client → U2F Device: h, a; c = (challenge, origin, channel id, etc.)

• U2F Device: look up the kpriv associated with h; sign with kpriv, producing s = signature(a, c)

• U2F Device → Client → Relying Party: c, s (for handle h)

• Relying Party: look up the kpub associated with h; check s using kpub; verify origin & channel id

Device Cloning

• Relying Party → Client: handle h, app id a, challenge

• Client: check app id; then Client → U2F Device: h, a; c = (challenge, origin, channel id, etc.)

• U2F Device: look up the kpriv associated with h; counter++; sign with kpriv, producing s = signature(a, c, counter)

• U2F Device → Client → Relying Party: counter, c, s (for handle h)

• Relying Party: look up the kpub associated with h; check s using kpub; verify origin, channel id & counter

Registration + Device Attestation

• Relying Party → Client: app id a, challenge

• Client: check app id; then Client → U2F Device: a; c = (challenge, origin, channel id, etc.)

• U2F Device: generate kpub, kpriv and handle h; U2F Device → Client: kpub, h, attestation cert, s = signature(a, c, kpub, h)

• Client → Relying Party: c, kpub, h, attestation cert, s

• Relying Party: verify s using the attestation cert; associate kpub with handle h for user

Adding U2F Support

Original Database (the relying party's existing user table):

user_id   Password#
JohnDoe   4^hfd;`gpo

U2F Database (new table, related to the original by user_id):

user_id   Meta                             U2F Data
JohnDoe   Yubico, Security Key, USB        key handle, public key, certificate
JohnDoe   Yubico, YubiKey NEO, USB + NFC   key handle, public key, certificate

Mobile FIDO U2F/FIDO 2.0

• NFC (today): tap U2F device on NFC phone

• Bluetooth (Q4, 2016): touch button on Bluetooth U2F device

• Mobile client (in development): SDK for app developers (passwordless, tokenless, using device biometrics to unlock)

• Future: FIDO 2 device-to-device

U2F Ecosystem Beyond Chrome

● Mozilla Firefox (in development)

● Microsoft Edge (in development)

○ seamless upgrade path to FIDO 2.0

● Native client

○ Dashlane password manager client

○ Windows credential provider with U2F

○ Open-source host libraries available