Some of us still remember the hacker attack on PlayStation Network servers. In 2011, one of the largest attacks of this type in history occurred: it is estimated that 77 million accounts were hacked. The stolen user data included payment card numbers or addresses provided by users when setting up the account. And although attacks on this scale are rare, we are increasingly vulnerable to online crime. The theft of sensitive data or passwords and the takeover of a Facebook account are common problems for people living in the 21st century.
A password for any website is no longer a good security measure. Even if we use special characters, uppercase and lowercase letters in the account creation process, we cannot be sure that it will not be broken. When logging in, we still type the same string, and this process leaves a trail on the network. So it may happen that the world’s best password invented by us will be cracked by a hacker who will gain access to all information about us – from holiday photos, through sensitive customer data to our card numbers. None of us wants to wake up in the morning and discover that our Facebook profile has been taken over by a criminal. However, there is a simple way to secure the login process against potential hacker attacks: security keys, also referred to as a “user’s physical web keychain”. Do you know what they are?
U2F security keys – what exactly are they?
U2F security keys are physical devices that provide two-factor authentication by using the user’s private key to verify their identity. These keys enhance security by requiring the user to physically possess the device, and with it access to the private key, in order to authenticate.
U2F stands for Universal 2nd Factor and is an open authentication standard developed by the FIDO Alliance. The private key is securely stored on the U2F secure element, and is used to authenticate the user without revealing the private key to the client software. This provides an added layer of security for a particular user’s identity: even if an attacker gains access to the password, they would still need the physical U2F security key to access the account.
Google, as well as hundreds of other websites and services, offers its users two-factor authentication and verification options when logging in to individual servers. This type of login requires two actions: first, enter your login and password, and then confirm the login using an external token. The token can be the very popular SMS password, sent to our phone number (not a very secure option, easily subject to attack).
U2F keys are a better alternative: a secure element that will verify identity strongly. Security keys will be useful to everyone in everyday life, although they are recommended primarily to professional groups particularly vulnerable to online attacks (these are, among others, journalists, activists, politicians). Two-factor authentication combined with the use of U2F security keys will help us effectively protect against phishing and other hacker attacks.
Most of us would sooner associate the name “U2F security key” with NASA’s complex space technology than with a common office work tool. The enigmatic name, however, does not really match an item that easily fits in our pocket. Security keys look like USB devices: small devices that effectively (and quickly!) help you protect yourself against online attacks. You can easily buy keys on the internet, but remember to choose a reputable store.
U2F keys are also easy to use and, contrary to the complicated name, will not complicate your daily life in any way. There is even a chance that a U2F key will speed things up – thanks to this small device you do not have to wait for and then type in long SMS codes every time you log in. The credentials are served automatically when you press the button on the token. It really couldn’t be easier (or safer).
There are keys on the market that support different methods of communication and authentication. We can buy tokens that work with laptops or mobile devices (yes, we can easily connect them to our smartphones using NFC). The keys work offline: we don’t need an internet connection or online services to generate passwords.
U2F technical overview: Public and private keys
A key pair for a U2F (Universal 2nd Factor) security key consists of a public key and a private key. The private key is securely stored on the U2F security key and never leaves the device, while the public key is shared with the server during the authentication process.
When the user logs in to a service with a U2F security key, the server sends a challenge to the device, which is used to create a digital signature using the private key. The signature is sent back to the server, along with the public key, to prove the user’s identity. The public key is used to verify the digital signature and authenticate the user.
The U2F security key is designed to protect the user’s private key from being compromised, even if the device is lost or stolen, by requiring physical possession of the key in order to authenticate.
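The challenge-response flow above, as an added example that is not from the original article or from the FIDO specifications: a simplified Node.js model, not the real U2F message format. The class and function names, the example origins, and the assumption that the server stored the public key when the key was first registered are all illustrative.

```javascript
// Added example: simplified model of a U2F login, not the FIDO wire format.
const crypto = require("crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s).digest();

// Bytes covered by the signature: site identity, use counter, browser-reported data.
function signedBytes(appId, counter, clientData) {
  const ctr = Buffer.alloc(4);
  ctr.writeUInt32BE(counter);
  return Buffer.concat([sha256(appId), ctr, sha256(clientData)]);
}

// The token keeps one private key per site and never exports it.
class Token {
  constructor() { this.keys = new Map(); this.counter = 0; }
  register(appId) {
    const pair = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
    this.keys.set(appId, pair.privateKey);
    return pair.publicKey; // only the public half leaves the device
  }
  sign(appId, clientData) {
    const key = this.keys.get(appId);
    if (!key) return null; // nothing registered for this origin
    const counter = ++this.counter;
    return { counter, signature: crypto.sign("sha256", signedBytes(appId, counter, clientData), key) };
  }
}

// Server side: check challenge, origin and counter, then the signature itself.
function verifyLogin(server, clientData, response) {
  if (!response) return false;
  const { challenge, origin } = JSON.parse(clientData);
  if (challenge !== server.challenge || origin !== server.appId) return false;
  if (response.counter <= server.lastCounter) return false; // replayed or cloned response
  const msg = signedBytes(server.appId, response.counter, clientData);
  if (!crypto.verify("sha256", msg, server.publicKey, response.signature)) return false;
  server.lastCounter = response.counter;
  return true;
}

// One login attempt; browserOrigin is the site the browser is really talking to.
function login(token, server, browserOrigin) {
  server.challenge = crypto.randomBytes(32).toString("hex"); // fresh per attempt
  const clientData = JSON.stringify({ challenge: server.challenge, origin: browserOrigin });
  return verifyLogin(server, clientData, token.sign(browserOrigin, clientData));
}
```

A login attempt from a look-alike origin fails twice over in this model: the token holds no key for that origin, and the origin written into the signed data does not match the one the server expects.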
Advantages of using U2F keys
Since we already know what security keys are, it is worth considering the advantages of using them. Sure, many of them are obvious and automatically come to mind, but some of them are worth pointing out and discussing separately. There are many benefits of using security keys:
- Security – the most obvious and important of all advantages of having a U2F key. The use of a security key in combination with two-step verification will protect us against phishing, session interception or data theft. In addition, the key will not work when logging into a fake domain.
- Ease of use – the key is very handy and small, so you can always have it on you on a keychain. Using it will not be a problem either: just insert it into a USB port on your computer and generate a password by pressing the button.
The keys do not store data, so even if you lose a token somewhere, nothing will happen, your data will still be safe – just buy a new key.
- They allow you to keep your privacy – thanks to the use of keys, you have full control over your online identity. You have all passwords and codes under control, and you can also be sure that you will log in only to original and authorized websites.
- Wide selection of options – there are different types of keys available on the market. Thanks to that you will definitely be able to choose a product fully adapted to your needs. Tokens are designed to support many authentication methods and different communication methods (USB and NFC).
- Price variety – we know that the security of data is priceless. However, buying a U2F key will not strain your wallet. Yubikey, the most popular key manufacturer on the market, sells devices for around 45 USD. That’s a small price for a good night’s sleep, protection, and password security, right?
- Internet identity protection – Internet identity is nothing more than data that you, as a user of portals and websites, share and leave during everyday activities. It depends on you whether you will appear under the full name or nickname. The use of security keys will help you consciously manage the data you share on the web.
U2F keys are a trending method of protecting yourself against online identity attacks and theft. The keys work with most popular portals and websites, such as Google Workspace, Dropbox, GitHub or Facebook. Contact an FOTC specialist to get the best price of U2F devices for your employees.