What is U2F?

U2F is an open authentication standard that enables keychain devices, mobile phones and other devices to securely access any number of web-based services — instantly and with no drivers or client software needed. U2F was created by Google and Yubico, with contribution from NXP, and is today hosted by the open-authentication industry consortium FIDO Alliance. The technical specifications were launched in late 2014, including native support in Google Accounts and Chrome, and have since resulted in a thriving ecosystem of hardware, software and service providers.

[Figure: U2F workflow. U2F is used with USB devices, including YubiKeys, as one of many authentication methods.]

U2F Advantages

Strong security

Strong second-factor authentication, using public-key cryptography, with native support in the browser (starting with Chrome). Protects against phishing, session hijacking, man-in-the-middle and malware attacks.

Easy to use

Works out-of-the-box, enabling instant authentication to any number of services. No codes to re-type and no drivers to install.

High privacy

Allows users to choose, own and control their secure online identity. Each user can also choose to have multiple identities, including anonymous ones (no personal information associated with the identity). A U2F device generates a new key pair for every service, and the public key is stored only on the specific service it was registered with. With this approach no secrets are shared among service providers, and even low-cost U2F devices can support any number of services.

Multiple choices

Designed for existing phones and computers, for many authentication modalities (keychain devices, mobile phone, fingerprint reader, etc.) and with different communication methods (USB, NFC, Bluetooth).

Interoperable

Open standard backed by leading Internet and financial services, including Google, Bank of America and 170 companies in the FIDO Alliance. U2F allows every service provider to be their own identity provider, or optionally let users authenticate through a federated service provider.

Cost-efficient

Yubico was the first to provide U2F devices, but users can today choose from a range of low-cost devices from multiple vendors, available at Amazon and other retail stores worldwide. Yubico offers free and open source server software for back-end integration.

Secure recovery

Users are recommended to register at least two U2F devices with every service provider, which may optionally also provide the user with a backup code should a U2F device be misplaced.

How it works

This diagram explains the basic process flow of U2F:

[Figure: U2F process flow diagram]
Note

For information about U2F and the implications of Apple’s iOS 13.3, see: Supporting U2F/FIDO2 Security Keys on iOS/iPadOS.
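A condensed model of the registration and authentication flow in the diagram above, and of the per-service key pairs described under "High privacy". This is an added example in Go, not Yubico's server or client code; it assumes the U2F raw authentication signature base (SHA-256 of the app ID, the user-presence flag, a 4-byte counter and SHA-256 of the client data) and leaves out attestation certificates, key handles and the browser transport.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Token models the key side of a U2F device: one P-256 key pair per service (by app ID) and a counter.
type Token struct {
	keys    map[string]*ecdsa.PrivateKey // private keys never leave the token
	counter uint32
}

func NewToken() *Token { return &Token{keys: map[string]*ecdsa.PrivateKey{}} }

// Register makes a fresh key pair for appID; the service receives and stores only the public half.
func (t *Token) Register(appID string) (pub *ecdsa.PublicKey, err error) {
	if t.keys[appID], err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return nil, err
	}
	return &t.keys[appID].PublicKey, nil
}

// digest hashes the U2F authentication signature base (assumed format, user-presence flag 0x01):
// SHA-256(appID) || 0x01 || counter (4 bytes big-endian) || SHA-256(clientData).
func digest(appID string, c uint32, clientData []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	base := append(app[:], 0x01, byte(c>>24), byte(c>>16), byte(c>>8), byte(c))
	h := sha256.Sum256(append(base, chal[:]...))
	return h[:]
}

// Authenticate signs the challenge with the key made for appID; an unregistered app ID (e.g. a look-alike site) has no key, so nothing is signed.
func (t *Token) Authenticate(appID string, clientData []byte) ([]byte, uint32, bool) {
	priv := t.keys[appID]
	if priv == nil {
		return nil, 0, false
	}
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(appID, t.counter, clientData))
	return sig, t.counter, err == nil
}

// Verify is the service side: the counter must exceed the last one stored (a replayed response fails),
// and the stored public key must verify the signature over this service's own app ID and challenge.
func Verify(pub *ecdsa.PublicKey, last uint32, appID string, clientData, sig []byte, c uint32) bool {
	return c > last && ecdsa.VerifyASN1(pub, digest(appID, c, clientData), sig)
}
```

The app ID is part of every signed message, so a response obtained by a look-alike site does not verify at the real service, and the token has no key for the look-alike site in the first place.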

Implementing

Note

U2F is a newer protocol and is only supported by Google Chrome/Chromium (v38+), Mozilla Firefox (v57+) and Opera (v40+) browsers. The current version of Firefox (v57) requires additional configuration for U2F to work; see the Mozilla Wiki for more details.

We provide three alternatives:

  • Plugins for Content Management Systems (CMS), such as WordPress and Django. This is the easiest alternative if you are using a supported CMS.

  • A standalone authentication server that your server can query using a simple REST API. This is ideal if you want to make as few changes as possible to your existing code and database.

  • Libraries for programming languages. With these, you have the flexibility (and the burden) of storing and accessing U2F artifacts yourself. This is ideal if you don't want to deploy a standalone validation server.