CIO

How the FIDO Alliance's U2F could simplify two-factor authentication

A USB key drive or other small device could become a convenient, yet safe, authentication tool
  • Tony Bradley (PC World (US online))
  • 22 October, 2014 07:10

We've had enough malware campaigns and data breaches to confirm the need for better data protection online. The Universal 2nd Factor (U2F) standard is a step in the right direction, and the first compatible devices are coming out now.

U2F is an open authentication standard. It was initially developed by Google, but it's now managed by the FIDO (Fast Identity Online) Alliance. The FIDO Alliance also includes household names like Microsoft, Mastercard, Visa, PayPal, Discover, Samsung, and BlackBerry among its members.

Two-factor, or multi-factor, authentication has long been promoted as a more effective security mechanism, but it's a hassle, requiring you to juggle passwords with a second factor such as a texted code or an authentication app. U2F proposes to streamline the process using a U2F-enabled USB or NFC key fob, card, or mobile device alongside traditional authentication methods. All you have to do is use a Web browser with built-in support and native drivers.

Users must first register the U2F device with sites or services that support U2F authentication, such as webmail or banking sites. You must insert the U2F device into a USB port, enter your traditional username and password credentials, and then touch the U2F device to generate secure login credentials. Because successful authentication relies on interaction with the U2F device, U2F protects against common attacks like session hijacking, man-in-the-middle attacks, advanced Trojans, and other malware.
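To make the protection claim above concrete, here is an added example (not from the article or from any FIDO code) of the check a site runs on a U2F login response. The software key pair standing in for the fob, the helper names `tokenSign` and `verifyLogin`, and the `bank.example` origins are assumptions made for illustration.

```javascript
// Added example (not from the article): server-side check of a U2F login response.
const nodeCrypto = require('crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Constructed stand-in for the key fob: a P-256 key pair made at registration.
const device = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
let deviceCounter = 0;

// Token side (hypothetical helper): on touch, sign
// SHA-256(appId) || presence byte || 4-byte counter || SHA-256(clientData).
function tokenSign(appId, clientData) {
  const head = Buffer.from([0x01, 0, 0, 0, 0]); // bit 0 set: user touched the device
  head.writeUInt32BE(++deviceCounter, 1);
  const signed = Buffer.concat([sha256(appId), head, sha256(clientData)]);
  return Buffer.concat([head, nodeCrypto.sign('sha256', signed, device.privateKey)]);
}

// Server side (hypothetical helper): returns 'ok' or the reason for rejection.
function verifyLogin(reg, expected, clientData, response) {
  const cd = JSON.parse(clientData);       // written by the browser, not the page
  if (cd.typ !== 'navigator.id.getAssertion') return 'wrong-type';
  if (cd.challenge !== expected.challenge) return 'stale-challenge';
  if (cd.origin !== expected.origin) return 'origin-mismatch';
  if ((response[0] & 0x01) === 0) return 'no-user-presence';
  const signed = Buffer.concat([sha256(reg.appId), response.subarray(0, 5), sha256(clientData)]);
  if (!nodeCrypto.verify('sha256', signed, reg.publicKey, response.subarray(5))) return 'bad-signature';
  const counter = response.readUInt32BE(1);
  if (counter <= reg.counter) return 'counter-replay';
  reg.counter = counter;                   // remember the highest counter seen
  return 'ok';
}

// Constructed scenario: one genuine login and three that must be rejected.
function demo() {
  const appId = 'https://bank.example';
  const reg = { appId, publicKey: device.publicKey, counter: 0 };
  const expected = { challenge: nodeCrypto.randomBytes(32).toString('hex'), origin: appId };
  const clientDataFor = (origin) => JSON.stringify({ typ: 'navigator.id.getAssertion', challenge: expected.challenge, origin });
  const good = clientDataFor(appId);
  const goodResp = tokenSign(appId, good);
  const relayed = clientDataFor('https://bank-login.example'); // lookalike site
  return {
    genuine: verifyLogin(reg, expected, good, goodResp),
    replayed: verifyLogin(reg, expected, good, goodResp),
    relayed: verifyLogin(reg, expected, relayed, tokenSign(appId, relayed)),
    swapped: verifyLogin(reg, expected, good, tokenSign(appId, relayed)),
  };
}
console.log(demo());
```

Because the browser records the origin it is actually talking to inside the signed client data, a response produced while the user is on a lookalike site fails the origin check, and swapping in the expected client data afterwards breaks the signature.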

Yubico and Plug-up are the two primary providers of U2F-enabled devices. Today, Duo Security announced that it joined the FIDO Alliance and now offers U2F support in its FIDO-ready products. Duo Security provides cloud-based two-factor authentication for more than 5,000 companies around the world, including Facebook, Toyota, Sony, and Etsy. With Duo Security committing to the FIDO Alliance and supporting U2F, Duo Security customers will now be able to support U2F as well.

Google revealed that it now supports U2F as part of the two-factor authentication for Google sites and services. It also announced that the Chrome Web browser supports U2F authentication. Chrome is available for ChromeOS, Windows, Mac OS X, and Linux, so U2F protection is accessible to users on every major platform.

Two things make U2F a more effective approach to two-factor authentication, and more likely to succeed in gaining mainstream acceptance. First, it's an open standard, so it's easier for organizations to implement it. That means that a user with one U2F device can take advantage of two-factor authentication across a potentially vast array of sites and services.

The second factor that will drive the success of U2F is its simplicity. Granted, touching the U2F device is still less convenient than just entering a username and password, but when it comes to two-factor authentication it doesn't get much simpler than that.

The FIDO Alliance and its U2F standard are young, but they can boast major supporters in the tech and financial worlds. As more household names join the party and support U2F authentication, it could emerge as a widely accepted standard for two-factor authentication.

As of right now, the only Web browser that supports U2F is Google Chrome. With Microsoft on board as a member of the FIDO Alliance, though, it seems reasonable to expect Internet Explorer to support U2F in the near future.