U2F and Adaptive MFA

Universal Second Factor, or U2F, is an authentication standard that simplifies multi-factor authentication (MFA) by using physical devices as part of the user authentication workflow. After a user enters their login credentials, they simply press or tap a small device inserted in their computer’s USB port, which acts as their second factor. It’s convenient -- no driver installation required, just a supported browser. It’s also secure. U2F prevents attacks like keylogging, phishing, and man-in-the-middle.

U2F was created and released by the FIDO Alliance, in an attempt to provide a safe and easy way for internet users to log in. Google was a cofounder of the U2F group inside FIDO and now supports adding U2F as a second factor. A new set of specifications, built on top of U2F, FIDO2, was also recently released by the FIDO Alliance.

Many prominent websites and applications support U2F, including, but not limited to: Facebook, Bitbucket, GitHub, Gmail, and YouTube.

When it comes to browsers, the following currently provide U2F support:

• Google Chrome, version 38 and above
• Mozilla Firefox, version 57 and above
• Opera, version 40 and above
• Safari, on OS version 13.5.1 and above

On iOS devices, U2F can be used via Safari, whereas on Android devices, the U2F support is offered by both Google Chrome and the default Android browser.

The portable U2F hardware can take the form of a USB, a Bluetooth-LE, or a Near-field communication device. These devices can be used to securely log in to any website on the internet that supports the U2F protocol. Here’s how a typical two-factor authentication with U2F works:

1. The user visits a website (www.example.com), also known as the origin, that supports U2F. They open an account on the website and register their U2F device with it.
2. The device creates a pair of keys: a public key and a private key. It securely stores the private key itself and asks the website to associate the public key with the user account. This unique key pair can only be used to login at www.example.com.
3. After the user enters their login credentials at www.example.com, the website generates a unique challenge, using the user’s public key. The challenge can only be solved using the private key stored within the U2F device.
4. Upon receiving the challenge, the U2F device signs it, using the private key for www.example.com, and sends it back to the website.
5. The website verifies the unique signature, and allows the user to log in.

Remember, this five-step process may appear complicated, but it all happens behind-the-scenes. As far as the end-user is concerned, they just have to insert the U2F device and press a button (or tap).

The same U2F device can be used to register at different sites on the internet. Think of a U2F device as your personal, virtual keychain. This allows you to seamlessly and securely log in to your favorite websites.

No authentication mechanism is categorically impervious to hacking. With that said, thus far, no breaches or vulnerabilities have been reported in the U2F protocol.

By design, it protects against phishing attacks. Even if a user is tricked into thinking that a fake website is real, the authentication will fail because of the public-private key mismatch.

U2F is also very good at detecting man-in-the-middle (MITM) attacks. Let’s suppose someone tries to intermediate the communication between a website and a user during the authentication process. As soon as the man-in-the-middle interferes, the U2F device will stop responding because it will notice that the origin of the challenge is different from the registered one.

Not all authentication requests are created equal. Adaptive multi-factor authentication uses the context of a login attempt to determine in real-time which authentication rules and policies to apply. AMFA uses various factors like consecutive login failures, level of requested access, IP address, location, device IDs, and time, etc. to tailor a user’s login experience.

Only use MFA when a user is determined to be of a high risk, for instance, using multiple incorrect login attempts, the request originating from a device not officially registered, or a login request for a server with sensitive data after office hours. By using adaptive multi-factor authentication, companies can:

• create a much-needed balance between user experience and strong security
• make it easy for trusted, low-risk people to log in
• make it incredibly hard for potential intruders

MFA protects against password-related breaches by adding another layer of security. However, making end-users enroll for multi-factor authentication can sometimes be hard. And it makes sense. Waiting for and then entering a one-time password (OTP) can be a nuisance for people, especially if they have to do it multiple times a day. Users just want to browse their social media feed, read an article, or stream a TV show; they don’t see a point in adding a second authentication factor for these seemingly trivial activities. Sure, you can make MFA compulsory, but that will (often) come at the cost of customer unhappiness.

Creating a fine balance between security and user experience is hard, but oh-so-important. This is where adaptive MFA can come in handy. With adaptive MFA, if the primary factor authentication for a user doesn’t look suspicious or high-risk, they often don’t have to provide a secondary factor. This enhancement of the traditional MFA approach makes life much more convenient for regular users. For example:

Scenario 1: Consider a scenario where a customer, say Allan, logs in to a web portal. He is on the same laptop that he has been using ever since he registered on the website. His IP puts him in the same city as always. He got the password right in the first attempt. These, along with other factors, are used to determine that it’s indeed Allan who is trying to log in, and thus, the system doesn’t ask him to provide a second factor.

Scenario 2: Now, imagine a hacker, say Adam, gets Allan’s login credentials. When Adam tries to log in, the system realizes that the login request has come from a new device and from a different geographical location. It classifies this request as high-risk and prompts Adam to provide a second factor. Since Adam can’t comply, the access is declined.

Adaptive MFA is a win-win for both end-user and service provider. The service provider is able to implement a rigorous-but-customer-friendly security policy and the end-user doesn’t have to provide secondary factors most of the time. But what if we combined U2F and adaptive MFA to form an even more customer-centric and impregnable authentication solution?

On the rare occasion that a customer has to provide a second factor, all they have to do is tap or press a button on their U2F device. This is much more convenient than opening another app to retrieve a passcode or waiting for an OTP message to arrive. For the service provider, this is far securer as well since the device communicates directly with the browser and it’s virtually impossible to replicate the key signature.

U2F reduces the risk of phishing, man-in-the-middle, and other dangerous cyberattacks while simplifying two-factor authentication. Adaptive MFA doesn’t ask regular users for secondary factors, but enforces it strictly at the first sign of suspicion. Using both together makes for a simple-yet-secure login.