How U2F security keys work
This is the sixth post in a mini-series about security, to mark an upcoming security upgrade to our login and authentication system. All new changes will be launching on Monday, 25th July 2016.
In yesterday's post, we looked at how TOTP works to produce secure time-limited authentication codes. Today we're going to look at another method you will be able to use as part of two-step verification with FastMail: U2F. We'll explore how it works from a technical side, and its strengths and weaknesses.
U2F (Universal 2nd Factor) is a new standard that aims to make super-strong two-step verification simple. To use it, you need to purchase a dedicated security key. These are small devices that plug into the USB port on your computer. Because it's an open standard, you can get a key from a number of manufacturers, with the cheapest only around $10. Our recommendation is to get any of the YubiKeys as they are slim, sturdily built and easy to use; prices start at $18 and they are available from Yubico or Amazon. The YubiKeys look like this:
Image of a YubiKey 4 courtesy of Yubico.
Using a U2F security key is simple. You just plug it into your computer when prompted and press the button on the top if your key has one.
There are no drivers to install, and unlike TOTP you don't have to manually type in any codes.
Behind the scenes, strong cryptography is keeping you safe. It's a bit complicated, but it goes something like this (here I'm describing how YubiKeys implement it; there are slight variations in other keys, but all are broadly similar)…
When you first add the key to your account, your key generates a random number, which is called a nonce. It uses a secure hash function (remember those?!) to mix this with the domain of the website you are on (e.g. www.fastmail.com) and a secret key, which never leaves the device, to generate a unique private key for your account. (For the crypto nerds, this time we're using HMAC-SHA256 – a newer and more secure hash function than with TOTP.)
From this unique private key, the device works out a public key and a secure checksum (yep, this also uses HMAC-SHA256), which it sends to the server along with the nonce. The private key never leaves the device. Here's a diagram of it all in practice:
Image courtesy of Yubico.
Logging in is simple for you: when prompted you just plug the key in and press the button. Under the hood though, there's a lot going on!
- Our server generates a challenge - another random number. Your browser passes this to your security key, along with the nonce and checksum given to the server on registration.
- The security key applies the same process it used during registration to generate the same private key for your account, and then uses the checksum to confirm that the nonce really did come from the device originally.
- The device now signs the challenge from the server with the private key using something called elliptic curve cryptography (ECDSA with curve secp256r1 for the crypto-heads!) and sends this back to the server.
- The server verifies the signature using the public key that the device sent during registration. If it validates, you're in!
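The device-side half of the registration and login steps above, as an added example (not FastMail's or Yubico's code): it derives the per-account key from nonce, domain and device secret, then shows the checksum rejecting a look-alike domain and a different key. The class and method names, the `key`/`sum` labels, the exact HMAC input layout and the look-alike domain are assumptions; the ECDSA key pair and challenge signature are left out, so the "private key" here is just the raw HMAC output.

```python
import hashlib
import hmac
import secrets


class SecurityKey:
    """Toy model of the device side of the scheme (constructed example)."""

    def __init__(self):
        # Stand-in for the secret key that never leaves the device.
        self.device_secret = secrets.token_bytes(32)

    def mac(self, label, *parts):
        # Length-prefix each part so field boundaries cannot be shifted.
        msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
        return hmac.new(self.device_secret, label + msg, hashlib.sha256).digest()

    def private_key(self, domain, nonce):
        # Mix nonce, website domain and device secret into a per-account key.
        return self.mac(b"key", domain.encode(), nonce)

    def register(self, domain):
        nonce = secrets.token_bytes(32)
        priv = self.private_key(domain, nonce)
        checksum = self.mac(b"sum", domain.encode(), priv)
        # The server stores these (plus the public key, omitted here).
        return nonce, checksum

    def unwrap(self, domain, nonce, checksum):
        # Login: rebuild the key, then confirm the nonce is ours for this domain.
        priv = self.private_key(domain, nonce)
        expected = self.mac(b"sum", domain.encode(), priv)
        return priv if hmac.compare_digest(expected, checksum) else None


def demo():
    key, other_key = SecurityKey(), SecurityKey()
    nonce, checksum = key.register("www.fastmail.com")
    return {
        "real site": key.unwrap("www.fastmail.com", nonce, checksum) is not None,
        "look-alike site": key.unwrap("www.fastmai1.example", nonce, checksum) is not None,
        "different key": other_key.unwrap("www.fastmail.com", nonce, checksum) is not None,
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'key rebuilt' if accepted else 'checksum failed, refuses to sign'}")
```

Nothing in the stored nonce and checksum lets the server or anyone else rebuild the key; only the device holding the same secret, asked by the same domain, gets it back.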
Strengths and weaknesses
U2F brings many security benefits over TOTP. Probably the biggest one is surprisingly simple. Remember that the domain of the website is involved with generating the key for your account? Well, this means that if you accidentally end up on a phishing site, your device will generate a different key (and the checksum will fail), so there is nothing the attacker can do to get a useful code – your account is completely safe.
Beyond this, because you have a dedicated and hardened security device, even if your computer gets infected with malware the attackers still won't be able to steal the secret key inside it. In fact, most keys require you to physically press the button on top to activate them, so an attacker can't use it remotely at all, even if you leave it plugged in.
The use of private-public key cryptography means that even if an attacker somehow managed to steal your public key from our server, they still wouldn't be able to use this to sign the challenge and log in. Learning the public key doesn't help the attacker deduce the private key they need. The challenge-response mechanism means we can stop time-delay and replay attacks: the signature from the security key is strictly single use, and you can't generate it in advance.
U2F also protects your privacy. Because all the server knows is a random number and a checksum, there's nothing that identifies the key uniquely. You can use the same U2F device for an account at another website (e.g. Google) and there is no way anyone could know these were the same device, even if they had access to both the Google and FastMail databases.
So it sounds wonderful, what's the catch?! Well, of course there are always tradeoffs. The biggest one right now is that Google Chrome is the only major browser that supports U2F. Because it requires browser support to act as an intermediary between the website and the security key, you can only use it if the browser supports it. The good news is that Mozilla are working on adding support to Firefox. Mobile devices are also an issue, as they don't have USB ports! Some YubiKeys support U2F via wireless NFC, but support for this in mobile phones is very limited at the moment.
Another downside is that it costs money to buy a dedicated security key. Not a lot, and we think it's a very worthwhile investment to keep your online presence secure, but it's not free like TOTP (presuming you already own a phone). It's also one more thing to carry around (and try not to lose!). The security keys are small and light (they look great on your keyring), but we recommend you register at least two, or have TOTP or a backup phone number as well; you don't want to be locked out of your account if you lose your key!
Stay tuned for tomorrow's post explaining how Yubico OTP security keys work.
Got any security questions or recommendations? Tweet us @FastMail using the hashtag #securitymatters.