
A Smarter Way Than Passwords

Einstein is allegedly quoted as saying "doing the same thing repeatedly, and expecting different results is the definition of insanity". My feeling is he was talking about repeating experiments over and over that don't work. Almost all adults nowadays have an excessive number of accounts: email, banking, social media, newspapers, websites; the list goes on and on. Each requires, we are told, unique credentials. In many cases, website owners host content which really has no need to be password protected, saying "you can have a personalised experience". I'm not sure watching "Match of the Day" reruns really requires a password, but what can you do when you can't get to the content without one (yes BBC, I'm talking about you, but you're not on your own)? It's actions like these which have forced the explosion of passwords we all now have. Programmes like KeePass, @Keeper, LastPass etc. have helped, but it's pretty much only the tech-savvy who are using them. Normal people, rightly or wrongly, have a few passwords they always use. The increased use of social engineering, phishing, keyloggers and other malware is leaving individuals and organisations more at risk of fraudulent use of credentials. It's no surprise the number of data breaches is getting larger as the number of passwords is also increasing.

We need a better, more secure solution...

Fortunately, some of the big names on the web recognised the problem years ago and formed the FIDO Alliance to resolve it. FIDO, short for Fast IDentity Online, is an alliance of hardware and software companies who want to solve the password and phishing problem. They've come up with a number of standards to improve the login experience and simplify the way we use 2-factor authentication, ideally to remove the phishing problem once and for all. Today let's talk about Universal 2nd Factor authentication (U2F). To use it, you'll need to buy a security key. Companies such as Key-ID, Yubico, HyperSec and Feitian all manufacture FIDO certified U2F security keys. They typically come as USB Type-A, with a button or a biometric input like a fingerprint reader. Other interface types such as Type-C are available, and some keys also offer Bluetooth Low Energy or NFC to simplify use with tablets and phones.

For all that these keys look simple to the naked eye, some serious tech is going on under the hood. This is how they work, at a high level.

When you register your key to your online account, the key generates a random number called a nonce. The nonce is hashed with the domain name of the site you're on, along with a secret key. This creates a unique private key for your account, which stays on your security key. From the private key, a public key is generated along with a checksum; these are both sent to the server along with the nonce.

When you come to log in to the site, if your security key is not plugged into your computer, you will be prompted by your browser to do so. The server generates another random number, a challenge, which is forwarded to the security key along with the checksum and nonce created at registration.

The key repeats the process applied at registration, which should create the same private key for the account. It then generates a new checksum to confirm the nonce is from the correct server. If everything matches up, the challenge is signed by the private key and sent back to the server. The server verifies the signature using the public key (sent in the original registration process). If everything matches up, you're in, with not a single password typed, and you're using seriously strong authentication like ECDSA secp256r1 and HMAC-SHA256.

Remember the hash done at registration of your account: it uses the domain name as an essential part of the registration/authentication process. So if someone tries a Homograph Phishing attack (using a different character set to make a URL appear the same as a legitimate site, when really it's a fake site), the hashed results won't match up and you will be unable to log in to the site. The standard also has provision to stop Man in the Middle (MitM) and cookie hijacks using a technology called Token Binding or Channel ID. This ties the browser session to the server with an additional TLS channel ID.
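The registration and login steps above, and the homograph check, can be modelled with the Python standard library alone. This is an added example, not code from the FIDO Alliance or any key vendor: the class and function names, the message layout inside each HMAC and the sample domains are assumptions, and the ECDSA signature is replaced by a labelled HMAC stand-in so the sketch has no dependencies.

```python
import hashlib
import hmac
import secrets

# Order of the secp256r1 (P-256) group; a private key must lie in [1, N-1].
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def _mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class ToySecurityKey:
    """Hypothetical stateless key: nothing per-account is stored on the device."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)  # never leaves the device

    def _private_key(self, domain: str, nonce: bytes) -> bytes:
        # Hash nonce + domain under the device secret, then map into [1, N-1].
        app = hashlib.sha256(domain.encode()).digest()
        k = int.from_bytes(_mac(self._secret, app, nonce), "big")
        return (k % (P256_ORDER - 1) + 1).to_bytes(32, "big")

    def _checksum(self, domain: str, priv: bytes) -> bytes:
        app = hashlib.sha256(domain.encode()).digest()
        return _mac(self._secret, b"checksum", app, priv)

    def register(self, domain: str):
        nonce = secrets.token_bytes(32)
        priv = self._private_key(domain, nonce)
        # A real key also returns the P-256 public key for priv (omitted here).
        return nonce, self._checksum(domain, priv)

    def authenticate(self, domain, nonce, checksum, challenge):
        priv = self._private_key(domain, nonce)  # re-derived, not looked up
        if not hmac.compare_digest(self._checksum(domain, priv), checksum):
            return None  # nonce/checksum were not issued for this domain
        # Stand-in for the ECDSA signature over the server's challenge.
        return _mac(priv, challenge)


def demo():
    key = ToySecurityKey()
    nonce, checksum = key.register("example.com")  # constructed sample domain
    challenge = secrets.token_bytes(32)
    real = key.authenticate("example.com", nonce, checksum, challenge)
    # Lookalike domain with a Cyrillic 'a'; the browser passes what it sees.
    fake = key.authenticate("ex\u0430mple.com", nonce, checksum, challenge)
    other = ToySecurityKey().authenticate("example.com", nonce, checksum, challenge)
    return real is not None, fake is None, other is None
```

`demo()` returns `(True, True, True)`: the genuine domain gets a response, while the lookalike domain and a different physical key both fail the checksum and produce nothing to send.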

Another implementation uses the key as the second factor of authentication. Think about traditional One Time Passwords (OTP), using solutions such as Google Authenticator or RSA SecurID, but now replace the generation of the code with a security key. You no longer have to enter the numbers manually; just tap the button on the security key and you have a more user-friendly way of doing multi-factor authentication.

It's possible to PIN-protect the key, so should it fall into the wrong hands your accounts are safe. Enter the wrong PIN too many times and the device is locked. A PUK code is required to unlock it.

So which applications and vendors support U2F? Well, the list is getting longer, as I understand it. Google has implemented this internally, and Chrome was the first browser to support it, followed by Opera and Firefox, with others to follow. Some of the applications and operating systems to support U2F and security keys are Gmail/Google apps, Facebook, Dropbox, macOS, Linux, Windows, Duo and Centrify.

Yubico is one of the founder members of the FIDO Alliance and worked with Google to create and deploy keys within Google's environment. They host a list of some of the supported applications, which can be found at https://www.yubico.com/solutions

The FIDO Alliance has some YouTube videos worth a look.

This one gives an overview of the FIDO Alliance: https://www.youtube.com/watch?v=5ZIQabDrnT0

This one talks about how security differs when using security keys

https://youtu.be/WWdKfDl2pM8

If you would like to know more, get in touch; we would be happy to assist you.
