FIDO U2F
From MgmtWiki
Revision as of 16:17, 30 August 2018
Full Title or Meme
A family of standards[1] for adding more factors to an existing interchange.
Context
This spec is partially succeeded by Web Authentication.
Problems
Existing Authentication protocols based on a User Name and Password are insufficient in a world where so many Users depend on the internet for so much of their daily lives. The first attempt at Multi-factor Authentication was Smart Cards carrying X.509 Certificates. This scheme worked for large Enterprises but was never accepted by regular Consumers of the internet.
Solutions
- All solutions depend on Late Binding Tokens: when the user registers the device with an "account at a particular origin (of the Relying Party, such as http://www.company.com) the device creates a new key pair usable only at that origin and gives the origin the public key to associate with the account."
- Universal Serial Bus (USB) tokens are now widely available; most allow late binding of the user to the Web Site that requires this factor of Authentication.
- Other transports, like NFC or Bluetooth, are offered for small hand-held devices, but have not been as successful as the USB versions.
- Initially the U2F functionality was exposed to JavaScript programs running in the browser.
- The spec claims that the same functionality could be embedded in Native Apps outside the browser, but does not explain how this might be made trustworthy.
- The goal of the working group was that a modern client device owned by the user would just work without needing additional driver or middleware setup.
- So the USB U2F device is designed to work out of the box with existing consumer operating systems, with no driver installs or software changes.
- Hardware key protection inside the USB device is the default; the Attestation mechanism lets the Relying Party verify which kind of device (and hence which protection) minted a key.
- The U2F device mints an origin-specific public/private key pair, scoped to the origin's protocol (http(s)), host name and port.
- The U2F device gives the public key and a Key Handle to the origin's online service or website during the user registration step.
- The Key Handle is simply an identifier of a particular key on the U2F device; it is opaque to the Relying Party, which stores it and hands it back at each authentication. On many devices the handle is in fact the private key wrapped under a device secret, so the device itself stores nothing per site.
- "Why Johnny Doesn't Use Two Factor: A Two-Phase Usability Study of the FIDO U2F Security Key" https://fc18.ifca.ai/preproceedings/111.pdf
References
- Angelo Liao +1, Introducing Web Authentication in Microsoft Edge. (2018-07-30) Microsoft https://blogs.windows.com/msedgedev/2018/07/30/introducing-web-authentication-microsoft-edge/
- Also see the page FIDO UAF for the Universal Authentication description.