What is a FIDO2 key? How does it work?

A FIDO Security Key, 1 Easy Way to Stay Safe Online

Certified NFT Expert™ is a Certification that aims to cover all known aspects of Non-Fungible Assets existing in the Ethereum Blockchain environment today

Summary

  • FIDO security keys use strong RSA ECC asymmetric encryption
  • Protects the owner/user from phishing attempts
  • The first version of the Google Titan Key was subject to a physical attack.
  • Thought there are cons to security keys, provided protection out weight the risks.

What is a FIDO Security Key?

A FIDO security key, or U2F security key as it is also known, is physical key shaped device that acts as a “digital key” to unlock access to social media accounts, email accounts, even bank accounts. It has a special, un-copyable code that works with your password, PIN, or your fingerprint. Hackers sometimes build fake versions of your favorite websites to steal your passwords, but your security key is too smart for that – it can recognize the real deal. This means even if a hacker manages to steal your password, they still can’t get into your account without your physical key. Using it is easy: it’s a tiny device, kind of like a USB stick you store with your house or car keys. You register it with your important accounts, and when you log in, you simply insert the key and tap it after typing in your password, PIN, or using your fingerprint. It’s an extra layer of protection that makes it way harder for the bad guys to mess with your online stuff.

How Does the Security Key Know it’s Me?

Imagine you have a secret handshake that only you and your best friends know. The FIDO security key uses something similar to make sure it’s really you trying to access your account. This could be a password, PIN, or even your fingerprint. It’s an extra step to ensure that even if someone gets their hands on your U2F security key, they still can’t pretend to be you and access to your online accounts will be denied.

How Does My Security Key Protect Me?

Imagine your FIDO security key as a tiny, ultra-secure vault for your online accounts. It leverages the power of public key cryptography, where it holds a unique private key (e.g. debit card PIN) that never leaves the device and a public key (e.g. debit card number) shared with online accounts. When you register with a website, a matching public key (e.g. debit card number) is stored on the registering website, creating a secure password-less login.

You’ve probably heard about people getting tricked into giving away their passwords through fake websites (phishing). The cool thing about FIDO security keys is they’re smart enough to recognize the real website from a fake one. So, even if you accidentally land on a fake look-alike site, your FIDO security key won’t unlock your account since the fake look-alike site does not have your public key! (e.g. debit card number) How does this happen? Well, when you plug your security key into a USB-A or USB-C port on your computer the legit website will recognize it because it has your “public” key (e.g. debit card number). Remember, if you will, your “public key” is a code your security key automatically give the legit website when you enroll in password-less authentication.

A4C Superstore
Garrett Wade specializes in high quality woodworking, gardening, and home tools.

This key comes in a convenient physical form, typically with both USB-A and USB-C connectors for maximum compatibility across your computers and devices. Inside, strong RSA ECC encryption safeguards your private key, making it impossible to expose.

The beauty of FIDO/U2F keys is their cross-platform nature. They work seamlessly with various operating systems (Windows, macOS, Linux), popular browsers, and devices with support for Near Field Communication (NFC). Both the Google Titan and Yubico Yubikey 5 provide the ability to interface with NFC compatible devices (e.g. Samsung, Google, and Apple phones) just by holding the key up to the phone.

Here’s the bottom line: A FIDO/U2F security key adds a robust layer of protection by combining public key cryptography, certificate attestation, hardware-based encryption, and cross-platform flexibility. It makes phishing attacks significantly harder and provides a strong defense even if your passwords are compromised.

What Are the Cons of Using FIDO Security Keys?

FIDO/U2F security keys offer a robust layer of protection for online accounts, making them incredibly resistant to phishing and other common hacking attacks. However, it’s crucial to acknowledge some potential drawbacks associated with their use. One of the most significant concerns is the risk of losing or damaging the physical key. If misplaced, you could be temporarily locked out of your accounts until you have a replacement key. For this reason, it’s wise to register a backup security key, ensuringseamless access should you lose your primary one. Additionally, although the adoption of FIDO/U2F is expanding, there are still websites and services that don’t yet support hardware-based authentication. This might necessitate the continued use of alternative two-factor authentication methods in certain cases.

Furthermore, FIDO/U2F security keys come at a cost, potentially becoming an obstacle when needing to protect numerous accounts across individuals or organizations. For some users, the physical act of plugging in the key during every login might be perceived as a slight inconvenience compared to password-only or app-based authentication methods. It’s important to also consider compatibility issues. Your chosen security key must have the appropriate connector (e.g., USB-A, USB-C, NFC) for your devices, and older web browsers might not offer full support for FIDO/U2F standards.

One additional area of concern lies in physical attacks against the security key. While extremely difficult, sophisticated attackers with physical access to a key and specialized equipment could attempt to extract the private keys stored on the device. This was demonstrated in a complex attack against the Google Titan Key, highlighting the importance of choosing keys from reputable manufacturers that prioritize secure key storage. Additionally, some theoretical side-channel attacks might be possible, but their practical execution is often challenging.

Another category of vulnerabilities involves firmware and implementation flaws. If a security key has a weak random number generator, it could produce predictable keys, compromising security. Moreover, if the key’s firmware is compromised, it could lead to malicious key extraction or usage. To mitigate this, opt for keys from manufacturers who invest in secure firmware design and regularly provide updates. Additionally, it is up to the user to download firmware updates from the vendor website or through the supplied app that comes with the security key.

Client-side malware poses a risk as it could manipulate the security key. Malware might trick the key into signing authentication requests for fake websites or relay authentication communications between machines. Vigilance against malware, through antivirus software, and careful attention to the website you’re logging into are crucial defenses. It’s worth noting that FIDO2 has mechanisms to mitigate replay attacks, where an attacker tries to reuse previous authentication data.

Despite these drawbacks, it’s essential to remember that the heightened security benefits provided by FIDO2/U2F security keys significantly outweigh the potential downsides for the majority of users. When considering the prevalence of phishing and account takeover attempts, a physical security key vastly improves your online security posture.

Where Can I Buy Security Keys?

There are not many FIDO/U2F security key vendors to choose from. The top vendor two vendors are Google and Yubico, with the Yubikey taking the top spot.

MakerWebsiteApproximate CostSecurity key image
Yubicohttps://www.yubico.com/$25 – $70+Yubico Yubikey FIDO2 U2F security key for password-less authentication using public key cryptography
Opens in a new window yubico.com 
Googlehttps://store.google.com/(search for “Titan Security Key”)$30 – $40Google Titan FIDO2 U2F security key for password-less authentication using public key cryptography
Opens in a new window store.google.com
Kensingtonhttps://www.kensington.com/(search for “VeriMark”)$50 – $70Kensington FingerPrint FIDO2 U2F security key for password-less authentication using public key cryptography
Opens in a new window www.amazon.com
Feitianhttps://www.ftsafe.com/$20 – $50+
Opens in a new window www.ftsafe.com
HyperFIDOhttps://www.hypersecu.com/hyperfido$20 – $30HyperFido FIDO2 U2F security key for password-less authentication using public key cryptography.
Opens in a new window www.amazon.com

Websites Supporting FIDO2, U2F, Password-less Authentication

WebsiteFIDO2 SupportAuthenticator TypesFIDO2 Setup URLSector
Microsoft AccountsYesSecurity Keys, Platform Authenticators, Passkeys(within your account security settings)Technology
Google AccountsYesSecurity Keys, Platform Authenticators, Passkeyshttps://myaccount.google.com/security (within your account security settings)Technology
Apple AccountsYesPlatform Authenticators, Passkeys(within your account security settings)Technology
DropboxYesSecurity Keys, Platform Authenticatorshttps://www.dropbox.com/account/security (within your account security settings)File storage
GitHubYesSecurity Keys, Platform Authenticatorshttps://github.com/settings/security (within your account security settings)Software development
TwitterYesSecurity Keys, Platform Authenticatorshttps://twitter.com/settings/security (within your account security settings)Social media
FacebookYesSecurity Keys, Platform Authenticatorshttps://www.facebook.com/settings?tab=security (within your account security settings)Social media
eBayYesSecurity Keys (Limited support)https://www.ebay.com/ (within your account security settings)E-commerce
OktaYesSecurity Keys, Platform AuthenticatorsSetup likely within the Okta administration or management portalIdentity and access management
CloudflareYesSecurity Keys, Platform Authenticatorshttps://dash.cloudflare.com (within account security, look for “My Profile”)Content delivery network
1PasswordYesSecurity keys, Platform Authenticators(within security settings)Password Management
FastmailYesSecurity Keys(within your account security settings)Email
ProtonMailYesSecurity Keys(within your account security settings)Email
BinanceYesSecurity Keys(within your account security settings)Cryptocurrency Exchange
KrakenYesSecurity Keys(within your account security settings)Cryptocurrency Exchange
Table of Websites Support FISDo2, U2F security keys and password-less authentication.

Revolution Plus: The Ultimate Defense Against Parasites. Shop Now with 12% OFF + Free Shipping
Hotel Collection
Garrett Wade specializes in high quality woodworking, gardening, and home tools.
LEGO Brand Retail