Beyond Crypto: Securing Accounts with U2F
– Two-factor authentication (2FA) was introduced to increase the protection of your accounts (such as e-mail)
– Traditional 2FA methods still have their shortcomings and can fall prey to attacks
– U2F is the next level in 2FA, where a specialized device needs to be connected in order to log in
– Ledger devices can be used as U2F devices thanks to the FIDO app, drastically increasing the protection of your digital accounts
More and more we read about e-mail accounts being hacked or our precious passwords being available online. This can have drastic consequences, from sensitive data being taken to money being stolen. Fortunately, there is an easy way to increase the security of your accounts: We’d like to introduce you to Universal Second Factor (U2F) authentication – a form of two-factor authentication hosted by the FIDO Alliance.
Common 2FA methods and their shortcomings
Two-factor authentication (2FA) is an added layer of security for accounts where sensitive data or crypto assets are held. Along with your usual login ID and password, 2FA asks users to enter another specific set of information that only the user could know. The most common versions of 2FA rely on a mobile phone, either by receiving a code through SMS or e-mail or by using an application that generates a 2FA code, such as Google Authenticator or Authy.
SIM swapping is a common form of social engineering explicitly designed to circumvent 2FA that relies on SMS verification. Once this remote attack succeeds, any sensitive information in your account is within the attacker’s grasp. While an improvement over 2FA by SMS, the Google Authenticator app comes with some shortcomings of its own. For example, slow rollouts of updates, a lack of passcode protection, and no database backup make the app vulnerable to more sophisticated attacks.
So what would be a good 2FA method then?
Next-level 2FA: Meet U2F
Universal Second Factor authentication – or U2F in short – refers to a completely separate device that holds a secret, extra key vital to logging into your digital account. Rather than needing to enter a certain code, a user would just need to plug in a device. The technology was initially created by Google and Yubico and relies on USB devices paired with near-field communication (NFC) chips typically embedded in smart cards.
The critical information used for logging in is kept secure on the device. 2FA is thus bolstered by a storage backup of the user identity, and the physical device is required to access U2F-enabled interfaces. The standard is now compatible with many popular web browsers, such as Google Chrome.
An extension of the FIDO Alliance’s bid to improve authentication methods, U2F expands on the concept of 2FA in some critical ways.
Ledger and FIDO: The U2F Dream Team
At Ledger, we have expanded on the promising security improvement of 2FA by implementing our own U2F FIDO-certified application into our hardware devices. As an Associate Member of the FIDO Alliance, thanks to co-founder and CTO Nicolas Bacca, our Ledger FIDO security is actually the second commercial implementation for the vaunted, open-source Plug-Up/Happlink.
Our entropy-leading random number generator (RNG) for hardware wallet 24-word mnemonic phrases also serves as a storage redundancy for the user’s U2F identity, an improvement over Google Authenticator. Should users lose their hardware device, have it stolen, or find that it malfunctions, their U2F authentication is saved, tied to their unique identity.
What’s more, users are required to enter a PIN to access the device, which is offline from the computer’s or phone’s Internet connection. This adds yet another layer of security for your 2FA.
As a result, Ledger FIDO has some compelling advantages over conventional 2FA methods – and is even a step up from some other U2F devices thanks to its additional PIN protection.
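A minimal model of what the sections above describe, as an added example that is not Ledger's or the FIDO Alliance's code: the device keeps a seed-derived private key, the service stores only the public key, and a device restored from the same seed still logs in. The HMAC-based derivation, the function names, the sample seeds and `https://example.com` are assumptions; key handles and attestation from the real U2F protocol are left out.

```javascript
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Assumed derivation (not Ledger's): HMAC-SHA256(seed, label|appId|retry) as the P-256 scalar.
function deriveKeyPair(seed, appId) {
  for (let i = 0; i < 256; i++) {
    const d = crypto.createHmac('sha256', seed).update(`u2f-demo|${appId}|${i}`).digest();
    const ecdh = crypto.createECDH('prime256v1');
    try { ecdh.setPrivateKey(d); } catch { continue; } // scalar not valid for the curve: retry
    const pub = ecdh.getPublicKey(); // uncompressed point: 0x04 || X || Y
    const jwk = { kty: 'EC', crv: 'P-256',
      x: pub.subarray(1, 33).toString('base64url'),
      y: pub.subarray(33, 65).toString('base64url') };
    return {
      publicKey: crypto.createPublicKey({ key: jwk, format: 'jwk' }),
      privateKey: crypto.createPrivateKey({ key: { ...jwk, d: d.toString('base64url') }, format: 'jwk' }),
    };
  }
  throw new Error('no valid scalar derived');
}

// Bytes covered by the signature: SHA-256(appId) | user-presence | counter | SHA-256(challenge).
function signedData(appId, challenge, counter) {
  const ctr = Buffer.alloc(4);
  ctr.writeUInt32BE(counter);
  return Buffer.concat([sha256(appId), Buffer.from([0x01]), ctr, sha256(challenge)]);
}

// Device side: the seed stays on the device; only public keys and signatures leave it.
const register = (seed, appId) => deriveKeyPair(seed, appId).publicKey;
const authenticate = (seed, appId, challenge, counter) =>
  crypto.sign('sha256', signedData(appId, challenge, counter), deriveKeyPair(seed, appId).privateKey);

// Service side: checks the signature against the public key stored at registration.
const serverVerify = (publicKey, appId, challenge, counter, sig) =>
  crypto.verify('sha256', signedData(appId, challenge, counter), publicKey, sig);

function demo() {
  const appId = 'https://example.com'; // constructed service identifier
  const seed = Buffer.from('constructed demo seed, not a real mnemonic');
  const registered = register(seed, appId); // the only thing the service stores
  const challenge = crypto.randomBytes(32); // fresh challenge issued for this login
  const attempt = (deviceSeed, signedOver) =>
    serverVerify(registered, appId, challenge, 1, authenticate(deviceSeed, appId, signedOver, 1));
  return {
    restored: attempt(seed, challenge), // replacement device, same seed
    otherSeed: attempt(Buffer.from('another constructed seed'), challenge),
    staleChallenge: attempt(seed, crypto.randomBytes(32)), // signature over a different challenge
  };
}
```

`demo()` returns `restored: true` and `false` for the other two cases: a database leak at the service exposes only public keys, and a signature made for one challenge is useless for the next.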
It is important to note that Ledger FIDO is not related to cryptocurrencies. It is an additional security utility for users that is compatible with Ledger Nano X & S, along with web services like Dashlane, Facebook, Github, Dropbox, Gmail, and more.
Ledger hardware devices consequently function as state-of-the-art security interfaces for your data, besides being the leading hardware wallet in the crypto industry.
Our team is also currently working on extending the advantages of our FIDO U2F implementation. The next FIDO open-source generation, called FIDO 2, will support transaction authorization extensions. This development empowers users to rely on the display of their hardware device to securely validate critical data and enforce the validation from end to end.
The FIDO Alliance is pioneering the road to a more secure authentication experience for digital interactions where users can rely less on their passwords. We are proud to be part of the FIDO Alliance and look forward to its future developments that can help bolster the utility and security of our hardware devices for our customers.