Universal 2nd Factor (U2F) is an open authentication standard that strengthens and simplifies two-factor authentication (2FA) by using specialized USB or NFC devices based on a similar security technology found in smart cards. While initially developed by Google and Yubico, with a contribution from NXP Semiconductors, the standard is now hosted by the FIDO Alliance.
How Does FIDO/U2F Work?
The U2F standard was created to overcome the weaknesses of TOTP (Time-based One-Time Password algorithm or 2FA). U2F uses public key cryptography to verify identity. In contrast with TOTP, the user is the only one to know the secret (the private key).
Benefits of U2F
No shared secret (private key) is sent over the internet at any time. No confidential information will ever be shared, thanks to public key cryptography. It is easier to use. No retyping of one-time codes involved. Privacy. No personal information is associated with the secret. Backup is theoretically easier, although not possible for all U2F keys. Because with U2F there is no secret shared and no confidential databases stored by the provider, a hacker cannot simply steal the entire databases to get access. Instead, he has to target individual users, which is much more costly and time-consuming.
Moreover, it is possible to back up a secret (private key). This, on the one hand, makes the user responsible for the security, but on the other hand, the user doesn't need to trust any company to protect his secrets (private keys).
Trezor with U2F
Trezor can serve as a hardware security token for U2F, but with backup/recovery functions and convenience.
How does it work?
When logging into a website, the user generally authenticates himself by providing a username and a password. With Trezor and U2F, the user will have to additionally confirm the login with a click on the Trezor device.
Trezor always uses a unique signature for each and every user account registered.
- Easy to back up and recover Trezor requires the user to back up the recovery seed during the initial setup of the device. This is a one-time process for all functions of the device. The recovery seed represents all the private keys generated by the device and can be used to restore the linked wallet at any time.
- Unlimited number of U2F identities, which are all saved under one backup.
- The recovery seed is safely stored inside Trezor. It will never be shared, as it can never leave the device. No viruses or hackers can access it.
- Phishing protection with on-screen verification. Trezor always displays the URL of the website the user wants to log in to, and what exactly is going to be authorized; therefore it is possible to verify that what was sent to the device is what is expected.
The safe characteristics of asymmetric cryptography fall into the security philosophy of Trezor. With U2F support in Trezor, it is possible to secure accounts and identities online.
- U2F is enabled in Chrome/Chromium browsers out of the box
- In Firefox you need to enable U2F manually:
about:configinto the Firefox address bar and press Enter
- Search for
- Double-click on
security.webauth.u2fto enable U2F (or right-click and select Toggle)