Can WebAuthn and U2F finally give us safe and easy Two-Factor authentication?

The SolarWinds security fiasco, which Microsoft president Brad Smith described as “the largest and most sophisticated attack the world has ever seen,” may have begun, suggested former SolarWinds CEO Kevin Thompson when an intern first set an important password to “‘solarwinds123” and then shared it on GitHub. That was bad. Worse was a company that ever allowed an intern to set such a password. It’s time, well past time, to say good-bye to simple passwords and move to two-factor authentication (2FA) for all our security and Identity and Access Management (IAM) needs.

You might think that’s not so hard. Doesn’t every social network and business with an even pretense of caring about security use 2FA where the second factor is a six-digit number sent to your cell phone number? Well, while using a smartphone for 2FA is OK, a really determined adversary can intercept your smartphone 2FA traffic. So, while personally you might be happy to use texting for your Facebook account, professionally, you’ll be better off using a more sophisticated 2FA for your Microsoft 365 or Google Workspace.

Here’s why.

What’s what in 2FA

With 2FA you must have two out of three kinds of credentials to access an account. These are:

• Something you know or can be given, this is commonly a one-time PIN.
• Something you have, such as a secure ID card, a cellular phone, or a hardware security key.
• Something you are, these are biometric factors such as a fingerprint, retinal scan, or voice print.

Phone-based 2FA typically relies on one of two standards: HMAC-based One Time Password (HOTP) and Time-based One Time Password (TOTP). They’re both good and used all the time. But, the way they’re implemented, which is most often in text-based 2FA, that’s another matter.

Indeed, the National Institute of Standards and Technology (NIST) says using text-based 2FA is risky. Many security experts think you should stop using text-based 2FA altogether.

That’s because there are way too many ways to break text-based 2FA. There’s  SIM swapping, text-spoofing, SMS phishing (aka smishing), and security holes in the SS7 network, which telecoms use to manage calls and texts between phone numbers.

But, here’s where I differ from most security experts, for most users most of the time, these methods will work just fine. Yes, there are at least three different, effective methods to bust text-based 2FA. But, each requires real effort from a would-be attacker.

So, if you’re say, Jack Dorsey, Twitter’s CEO, or have someone who’s technically adept as an enemy then you want more than text-based 2FA. I mention Dorsey because his Twitter account was hijacked thanks to a SIM swap attack.

The next step up from the text-based approaches are authenticator apps. These programs such as Authy, Duo Mobile, Google Authenticator, LastPass Authenticator, and Microsoft Authenticator. They also use HOTP or TOTP.

Many online services, including Amazon, Dropbox, Facebook, PayPal, Slack, and Twitter support app authenticator-generated codes. But, all-in-all, text-based codes are still more widely accepted.

The advantage smartphone-based authenticator apps have over text is that there are far fewer ways to attack them. That said, you’re still attackable by phishing methods. For example, someone can send you to a phishing website that acts as a proxy. This works by playing a man-in-the-middle attack where it intercepts your 2FA code and the real’s site session cookie responses. The result? You think you’re at the right site, but your security information has been harvested for an attack. 

2FA for users who need solid security

But, let’s say you need more serious protection. In that case, you need a stronger 2FA. These are the FIDO Alliance’s FIDO2 Universal 2nd Factor (U2F) standard and WebAuthn.

Before talking about U2F and WebAuthn, though, let’s look at the FIDO Alliance. It’s an open industry consortium on a mission to rid the world of most of its passwords by using more reliable authentication standards.

The FIDO Alliance is trying to do this in two ways. One is to make 2FA easier to use. The people behind FIDO know from bitter experience that no one uses security measures if they’re difficult to use. That’s one reason why even now people use passwords like “password,” “123456,” or “asdfg.”

The other is by supporting FIDO protocols, which use standard public-key cryptography (PKI) techniques to provide stronger authentication. In FIDO standards, whenever you register with an online service, your device creates a new key pair. It retains the private key and registers the public key with the online service.

Then, authentication is commonly done by the client device proving possession of the private key to the service by signing a challenge. The client’s private keys can be used only after they are unlocked locally on the device by the user. To make the local unlock work you use a user–friendly, secure action such as swiping a finger, entering a PIN, speaking into a microphone, or connecting a U2F compatible device.

U2F

U2F was created by Google and Yubico, with support from NXP Semiconductors. It’s an open authentication standard that enables keychain devices, mobile phones, and other devices to securely access any number of web-based services — instantly and with no drivers or client software needed. Today, U2F hosted by the open-authentication industry consortium FIDO Alliance.

You may be wondering if using a PIN can work with U2F, how is that different from a password? The answer is a PIN never leaves your device, its sole job is to unlock the security key so it can do its job. PINs never leave your security key nor is ever sent across the network. A password, on the other hand, is sent across a network to the service for validation, and that can be phished.

U2F is also designed from the ground up to protect your privacy. When you use FIDO, it doesn’t leak information, which can be used to track you across the internet. If your FIDO device uses biometric information to identify you, that data never leaves the hardware.

While people often assume that U2F is a Yubico-specific security standard for its well-known Yubikey product line, that’s not the case. Besides Google, you can also get U2F security keys from such vendors as Thetis, FEITAN, and Cisco/Duo. You can also set up Android phones and iPhones to act as U2F devices. To connect the key with your computer, program, or service you’ll use USB, NFC, or Bluetooth.

U2F is supported by all mainstream web browsers. It’s also supported by many internet services such as 1Password, Amazon Web Services (AWS), Cloudflare, GitHub, and hundreds of others. 

But, always remember “Security isn’t a product, it’s a process.” Even U2F fobs have their security problems. For example, French security researchers have discovered a way to clone the secrets from within Google Titan and YubiKey hardware security keys’ chips. The good news is that to pull this hack off requires physical access to the keys and Mission Impossible-style hardware hackery.

Nation-state hackers have also got hacked hardware security 2FA keys. Still, Google has claimed that no one has been phished at their company since their staffers now all must use physical security keys.

WebAuthn

As good as U2F is, though, demanding users have wanted more so the FIDO Alliance with the World Wide Web Consortium (W3C) came together to create WebAuthn. This is essentially a U2F upgrade. It incorporates features from FIDO’s Universal Authentication Framework (UAF), a password-less protocol for mobile devices only, and new features as well. Its name arises from it being made available on the web via a JavaScript API specification, named Web Authentication (WebAuthn). This API enables servers to register and authenticate users using PKI instead of a password.

WebAuthn is still a work in progress. Nevertheless, WebAuthn is already being adopted by the major web browsers and operating systems. In part, that’s because WebAuthn is backward compatible with U2F.

WebAuthn’s improvements, depending on how it’s implemented, include:

Requiring a user be in an authorized location, as determined by their global positioning system (GPS) location, before they can be logged in. So, for example, if your San Francisco-based employee’s device is reporting she’s trying to log in from Moscow, the system will block her.

The key may also query a metadata service for risk-management decisions on allowing registrations and authentications. For instance, if your employee who works from 9 to 5 in London is trying to log in at 2 in the morning from Dublin, you can set up a rule to block them.

WebAuthn can also use platform authenticators, e.g. built-in cryptographic hardware such as a PC’s Trusted Platform Module (TPM) or a smartphone’s contactless payment Secure Element to more quickly generate and protect private keys.

Finally, WebAuthn can also be paired to work with smart cards, SIM cards, or USB-based cryptographic hardware using HID mobile access or Bluetooth Low Energy (BLE) to connect them. This increases the number of ways you can use WebAuthn in the real world. For example, you could use it to unlock an HID secured door.

Out with the old, bad security, in with the new, good security

There are two points to all these changes. The first is to get rid of logins and passwords once and for all. It’s more than past time. Over four out of five security breaches aren’t because of some fancy hacker sneaking into a system while wearing a black catsuit with a USB stick full of tricks. No, in 81% of cases, it’s because of bad passwords.

The other is to make 2FA easy enough to use that people will finally leave passwords in the past. With the rise of U2F and WebAuth in smartphones, that day is finally almost here. Before, people and companies were reluctant to buy Yubikeys and the like. Today, with almost everyone having a smartphone, there’s no need for any extra expense.

For this to happen, however, U2F and WebAuthn must be more widely adopted. In a way, it’s a chicken and the egg problem. I believe, however, that as these 2FA technologies are already being more widely adopted and cheaper than ever, the day has finally come when 2FA will start to finally become the accepted way we all securely and safely log into our systems and services.