Sergey Nivens - Fotolia
How does a U2F security key keep Facebook users safe?
Universal second factor devices can be used to strengthen authentication on major websites such as Facebook. Expert Matthew Pascucci explains how U2F works.
Facebook recently introduced a two-factor authentication service called Security Key. How does Facebook Security Key work, and should organizations encourage employees to use it to prevent their accounts -- and, potentially, their enterprise devices -- from being hijacked?
Facebook recently introduced the ability to use what they call a Facebook Security Key as a second factor of authentication to its site. In order to use this feature within Facebook, the user needs to own a universal second factor device, or U2F security key, to enable login approvals through the security section of their profile.
The universal second factor standard was created by Google and Yubico, and uses the FIDO protocol with standard public key cryptography to provide a secure second form of authentication.
A U2F security key is registered with a service, like Facebook, by approving it during the registration process. This is done by pressing the button on the universal second factor device when prompted, which starts the process of creating the second factor. This approval creates a key pair, in which the public key is sent to the online service and linked to the particular user's account. The private key is kept locally on the universal second factor device, and is never sent to the provider. This registration process creates the key pair for the second factor of authentication that is used each time during login going forward.
When a user with a universal second factor registered device attempts to log in to the site with which they've enabled U2F multifactor authentication, a few things happen. The application will send a login challenge after the user has logged in correctly with their username/password. This challenge will be sent back to the browser. A response is then sent only after the user pushes the button on the universal second factor device. Hitting the button on the device unlocks the U2F security key, also known as the FIDO authenticator, and selects the proper key it used during registration to send a signed response back to the challenge it was sent to authenticate against. Once this signed response makes it back to the service, the site is able to validate the user with the public key it was given during registration. At this point, the user is fully authenticated and able to access the service.
Two-factor authentication is highly recommended to protect account data. It's becoming a standard practice now, and many regulatory compliance initiatives force this approach to protect user accounts.
The universal second factor framework takes the multifactor authentication approach slightly differently. Instead of using a phone or a token that's being authenticated against another service integrated into an application, universal second factor works directly with the application in question, without a middle man. The aim is to have the authentication take place without relying on a third party to authenticate a user, when it can all be done locally and directly with the service itself.
Universal second factor authentication is an interesting approach, and many large sites -- such as Dropbox, Facebook, Google and Salesforce -- are currently accepting it as a second factor. As more applications continue to adopt U2F and FIDO as standards, it's a good idea to use them to secure personal user accounts from being hijacked.
Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)
Check out this guide to buying the right multifactor authentication products
Find out what enterprises need to know about the FIDO authentication framework
Learn whether two-factor authentication or multifactor authentication is the better method
Dig Deeper on Identity and access management
Related Q&A from Matthew Pascucci
What's the difference between sandboxes vs. containers?
Understanding the differences between sandboxes vs. containers for security can help companies determine which best suits their particular use cases. Continue Reading
Identifying and troubleshooting VPN session timeout issues
Troubleshooting VPN session timeout and lockout issues should focus first on isolating where the root of the problem lies -- be it the internet ... Continue Reading
The differences between web roles and worker roles in Azure
What sets web roles and worker roles apart in Microsoft's Azure Cloud Services? Here's a look at how they are different. Continue Reading