Michaela Merz's personal blog site

FIDO U2F in Web Sites

FIDO U2F in Web Sites

A bit chunk of breached confidential data, containing millions of e-mail addresses and passwords, were -again- made public a few days ago. How can we protect our user’s data and accounts?

It is simply mind-boggling that some developers in this day and age still store poorly protected (or even with no protection at all) passwords in their databases. Even simple hashes (such as unsalted MD5 or SHA1) are no longer considered safe. But using modern mechanisms to protect the data in our realm might not be enough anymore – how can we protect the users (and our reputation) against .. well .. their own stupidity?

Most of us are aware of the fact that there’s something called MFA or 2FA – Multi / Two Factor authentication. It usually works by sending a unique pin-code to the user’s phone. He will have to enter this pin-code with the other credentials during the login process. This however requires the user to disclose his phone-number to a website – and it again may only be poorly protected and stolen. The growing wave of unsolicited spam-calls may give you an idea what happens when phone-numbers get into the wrong hands.

We @packfrog don’t want user’s phone numbers. As a matter of fact, we want as little data from our users as possible. That’s why we incorporated U2F – the universal 2nd factor. This method requires the user to buy a security key (around $20) that can be used not only with packfrog, but with services like Google, Dropbox, Facebook and others.

Here’s how it works: The user registers his key with your web-site and in the process, you get a “handle” and the security key’s public key.

var registerRequest = {
     challenge: "unique Challange",pfs.chlg,
     version: 'U2F_V2'
     }
 u2f.register(host, [registerRequest], [],
     (response) => {
          storeResponse();
          }
     )    

It’s really *that* easy. As the key works with a variety of hosts or services, the “handle” is a token that is calculated into the security key’s public key. So you need to store both, the public key and the handle.

During the login-sequence, you craft a unique challenge string, send it, together with the data stored during key-registration, and have the security key sign it. You may then verify the signature on your server.

The U2F method is natively supported on Chrome (even on mobile via NFC) , Firefox and Opera (in Firefox, you may need to activate “security.webauth.u2f” in the “about:config” settings.

So – what’s the advantage? You don’t need to request, keep and protect the user’s phone number. You don’t have to use an external service to send messages to the user’s phone. You don’t have to keep your time in super-perfect sync or keep secret shared passwords (a requirement for TOTP). You don’t even need a network connection to use 2FA for local authentication. It also works automatically and there’s nothing to type in. Users can use the same security key for a lot of web-sites – I use it, among other things, for my packfrog and Google mail accounts and hard disk encryption. It’s easy to implement with libraries available for a lot of common environments. There are even plugins available for wordpress installations. Might not be a bad idea either.

The data disclosed by the security key gives no access to confidential crypto-elements and there’s no way to extract any unique characteristics that could be used for tracking across other web-sites. And users can’t just plug the key in and forget about it. One important factor is the requirement that any operation with a security key requires human interaction – usually a button on the key has to be pressed.

As I mentioned before, we implemented it into the packfrog environment and users are quite happy about it. Sure – they have to spend $20 or so to get a key. But for some, this little investment offers a lot more protection with privacy attached.

Here are few links to get you started:

https://developers.yubico.com/U2F/
https://github.com/Yubico/php-u2flib-serv

https://github.com/grantila/u2f-api

Michaela Merz is an entrepreneur and first generation hacker. Her career started even before the Internet was available. She invented and developed a number of technologies now considered to be standard in modern web-environments. Among other things, she developed, founded, managed and sold Germany’s third largest Internet Online Service “germany.net” . She is very much active in the Internet business and  enjoys “hacking” modern technologies like block chain, IoT and mobile-, voice- and web-based services.

Leave a Reply

Your email address will not be published. Required fields are marked *