
How does a U2F security key keep Facebook users safe?

Universal second factor devices can be used to strengthen authentication on major websites such as Facebook. Expert Matthew Pascucci explains how U2F works.

Facebook recently introduced a two-factor authentication service called Security Key. How does Facebook Security Key work, and should organizations encourage employees to use it to prevent their accounts -- and, potentially, their enterprise devices -- from being hijacked?

Facebook recently introduced the ability to use what it calls a Facebook Security Key as a second factor of authentication to its site. To use this feature within Facebook, the user needs to own a universal second factor device, or U2F security key, and enable login approvals through the security section of their profile.

The universal second factor standard was created by Google and Yubico, and uses the FIDO protocol with standard public key cryptography to provide a secure second form of authentication.

A U2F security key is registered with a service, like Facebook, by approving it during the registration process. This is done by pressing the button on the universal second factor device when prompted, which starts the process of creating the second factor. This approval creates a key pair, in which the public key is sent to the online service and linked to the particular user's account. The private key is kept locally on the universal second factor device, and is never sent to the provider. This registration process creates the key pair for the second factor of authentication that is used each time during login going forward.

When a user with a registered universal second factor device attempts to log in to a site on which they've enabled U2F multifactor authentication, a few things happen. After the user has logged in correctly with their username and password, the application sends a login challenge back to the browser. A response is sent only after the user pushes the button on the universal second factor device. Pressing the button unlocks the U2F security key, also known as the FIDO authenticator, which selects the key it used during registration and sends back a signed response to the challenge. Once this signed response reaches the service, the site can validate the user with the public key it was given during registration. At this point, the user is fully authenticated and able to access the service.
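The registration and login exchange described above can be modeled in a few lines of Node.js. This is an added example, not code from Facebook or the FIDO specifications: the `Authenticator` and `Service` classes, the `demo` function and the app ID are hypothetical, and the signed message is assumed to be just the app ID plus the challenge rather than the real U2F message format.

```javascript
const crypto = require('node:crypto');

// Hypothetical authenticator: private keys never leave this object.
class Authenticator {
  #keys = new Map(); // appId -> private key, one per registered service
  register(appId, buttonPressed) {
    if (!buttonPressed) throw new Error('user presence required');
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.#keys.set(appId, privateKey);
    return publicKey; // only the public half goes to the service
  }
  sign(appId, challenge, buttonPressed) {
    if (!buttonPressed) throw new Error('user presence required');
    const key = this.#keys.get(appId);
    if (!key) throw new Error('no key registered for ' + appId);
    return crypto.sign('sha256', Buffer.concat([Buffer.from(appId), challenge]), key);
  }
}

// Hypothetical service: stores one public key per account.
class Service {
  #accounts = new Map(); // user -> public key
  #pending = new Map();  // user -> outstanding challenge
  constructor(appId) { this.appId = appId; }
  enroll(user, publicKey) { this.#accounts.set(user, publicKey); }
  newChallenge(user) { // issued after the password check succeeds
    const c = crypto.randomBytes(32);
    this.#pending.set(user, c);
    return c;
  }
  verify(user, signature) {
    const c = this.#pending.get(user);
    const pub = this.#accounts.get(user);
    this.#pending.delete(user); // each challenge is single use
    if (!c || !pub) return false;
    return crypto.verify('sha256', Buffer.concat([Buffer.from(this.appId), c]), pub, signature);
  }
}

function demo() {
  const device = new Authenticator();
  const site = new Service('https://example.test'); // constructed app ID
  site.enroll('alice', device.register(site.appId, true));
  const sig = device.sign(site.appId, site.newChallenge('alice'), true);
  const firstLogin = site.verify('alice', sig);
  site.newChallenge('alice');
  const replay = site.verify('alice', sig); // old response, fresh challenge
  return { firstLogin, replay };
}
```

Because every login uses a fresh random challenge, a captured response does not verify a second time, and the device refuses to register or sign when the button has not been pressed.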

Two-factor authentication is highly recommended to protect account data. It's becoming a standard practice now, and many regulatory compliance initiatives force this approach to protect user accounts.

The universal second factor framework takes a slightly different approach to multifactor authentication. Instead of using a phone or a token that is authenticated against another service integrated into an application, universal second factor works directly with the application in question, without a middleman. The aim is to have the authentication take place without relying on a third party to authenticate a user, when it can all be done locally and directly with the service itself.

Universal second factor authentication is an interesting approach, and many large sites -- such as Dropbox, Facebook, Google and Salesforce -- are currently accepting it as a second factor. As more applications continue to adopt U2F and FIDO as standards, it's a good idea to use them to secure personal user accounts from being hijacked.
