U2F

From Trezor Wiki

Universal 2nd Factor (U2F) is an open authentication standard that strengthens and simplifies two-factor authentication (2FA) using specialized USB or NFC devices based on similar security technology found in smart cards. While initially developed by Google and Yubico, with contribution from NXP Semiconductors, the standard is now hosted by the FIDO Alliance.

How Does FIDO/U2F Work?

The U2F standard was created to overcome the weaknesses of TOTP (the Time-based One-Time Password algorithm commonly used for 2FA). U2F uses public key cryptography to verify identity. In contrast with TOTP, the secret (the private key) is known only to the user.

Benefits of U2F

  • No shared secret. The private key is never sent over the internet at any time; thanks to public key cryptography, no confidential information is ever shared.
  • Easier to use. No retyping of one-time codes is involved.
  • Privacy. No personal information is associated with the secret.
  • Backup is theoretically easier, although it is not possible for all U2F keys.
  • Because with U2F no secret is shared and the provider stores no confidential database, an attacker cannot simply steal an entire database to gain access. Instead, individual users have to be targeted, which is much more costly and time-consuming.

Moreover, it is possible to back up the secret (private key). On one hand, this makes the user responsible for its security; on the other hand, the user does not need to trust any company to protect his secrets (private keys).

Trezor with U2F

Trezor can serve as a hardware security token for U2F, with the added benefit of backup/recovery functions and convenience.

How does it work?

When logging into a website, the user generally authenticates himself by providing a username and a password. With Trezor and U2F, the user additionally has to confirm the login with a click on the Trezor device.

Trezor always uses a unique signature for each and every registered user account.

  • Easy to back up and recover. Trezor requires the user to back up the so-called recovery seed during the initial setup of the device. This is a one-time process covering all functions of the device. The recovery seed represents all the secrets (private keys) generated by the device and can be used to restore the hardware wallet at any time.
  • Unlimited number of U2F identities, all saved under one backup.
  • The secret is safely stored inside Trezor. It is never shared, as it can never leave the device; no virus or hacker can access it.
  • Phishing protection with on-screen verification. Trezor always displays the URL of the website the user wants to log into and what exactly is going to be authorized, so it is possible to verify that what was sent to the device is what was expected.
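The challenge-response behind the points above, as an added Go simulation that is not code from this page or from Trezor's firmware: the token holds one private key per site origin and never hands it out, it signs the site's challenge together with that origin, and the site checks the result with nothing but the stored public key, so a signature produced for a look-alike origin is rejected. The message layout follows U2F's authentication format (app-ID hash, user-presence byte, counter, challenge hash); the per-origin map, the assumed origin strings and the omission of U2F's key handle and attestation are simplifications of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // one key pair per application ID (site origin); never leaves the token
	counter uint32                       // incremented on every signature
}

// Register creates a fresh P-256 key pair for appID and hands out only the public half.
func (a *Authenticator) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if a.keys == nil {
		a.keys = map[string]*ecdsa.PrivateKey{}
	}
	a.keys[appID] = priv
	return &priv.PublicKey, nil
}

// signedData builds the U2F authentication message; binding the app ID is what defeats phishing.
func signedData(appID string, counter uint32, challenge []byte) []byte {
	appHash, chalHash := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	data := append(appHash[:], 0x01) // SHA-256(appID) || user-presence byte (0x01 = button pressed)
	data = append(data, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter)) // || big-endian counter
	return append(data, chalHash[:]...)                                                        // || SHA-256(challenge)
}

// Authenticate signs a challenge for the origin the browser reports; the key stays inside.
func (a *Authenticator) Authenticate(appID string, challenge []byte) ([]byte, uint32, bool) {
	priv, found := a.keys[appID]
	if !found {
		return nil, 0, false // nothing registered for this origin, e.g. a look-alike domain
	}
	a.counter++
	digest := sha256.Sum256(signedData(appID, a.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return sig, a.counter, err == nil
}

// Verify is the website's side: only the stored public key and its own app ID are needed.
func Verify(appID string, pub *ecdsa.PublicKey, challenge []byte, counter uint32, sig []byte) bool {
	digest := sha256.Sum256(signedData(appID, counter, challenge))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```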

The safety characteristics of asymmetric cryptography fit the security philosophy of Trezor. With U2F support in Trezor, it is possible to secure accounts and identities online.

See also User manual:Two-factor Authentication with U2F and this blog article.