Subscribe Now

* You will receive the latest news and updates on the Canadian IT marketplace.

Trending News

Blog Post

U2F and TOTP for two-factor authentication

U2F and TOTP for two-factor authentication 

Unfortunately, in the excitement of highlighting promising new technologies, the authors miss two crucial points: Biometrics are not a magic bullet, and replacing passwords should not be the goal.

Biometrics is a promising field and research should continue, but biometric authentication is a poor choice for applications that must authenticate users across a network. Authenticating a user with biometrics involves an analog to digital translation. Each time a fingerprint is captured, the data is slightly different. The same applies to facial recognition, retina scanners, iris imaging, and brainwaves.

Biometric authentication systems must compare the captured data to a known sample and determine if it matches closely enough. In a network scenario, the comparison could be performed on the user’s local PC, in which case the PC is relegated to sending some other type of secret to the remote server. Or, the biometric data could be sent across the network, in which case the remote server has no assurance that the data came from a real fingerprint reader in the first place. Biometrics make sense for local authentication and physical access controls, but they are a poor choice for authentication across the Internet.

Replacing passwords doesn’t make sense. While password re-use and compromise are serious problems, passwords provide an inexpensive, easily-changed authentication factor. The discussion should focus on encouraging people to use better passwords, determining if passwords are sufficient, and selecting an appropriate second authentication factor when stronger controls are required.

Many proprietary authentication systems exist today, but from a practical perspective developers should consider two open-source second-factor authentication schemes: Time-based One-time Password (TOTP) and FIDO Alliance Universal 2nd Factor (U2F).

TOTP has been adopted by the Internet Engineering Task Force and is described in RFC 6238. It calculates a one-time password from a shared secret and the current time. Dropbox, Google, Lastpass, Microsoft, Sophos, and many others have adopted TOTP. In addition to being an open, easy-to-implement standard, costs remain low due to the availability of free software clients for most operating systems including iOS and Android. To simplify enrollment, most TOTP systems help the user quickly import the shared key by presenting it as a QR code.

While TOTP requires a separate shared secret for each system, the ability to maintain multiple TOTP credentials in a single smartphone application avoids the expense and inconvenience of carrying multiple physical authentication tokens. To complete the TOPT authentication, the user simply selects the correct service from their application and types the displayed 6-digit code into their web browser or other application. This approach makes TOTP hardware independent and usually relies on a mobile device that users already carry.

U2F was developed primarily by Yubico and Google. Yubico, founded in 2007, has focused on easy-to-use secure authentication. They offer a line of USB-based hardware authentication devices. Their basic models offer either the company’s own Yubikey one-time password (OTP) authentication or U2F, depending on the product chosen. Their most advanced product perform Yubikey OTP, U2F, OATH, and offer NFC support for use with compatible smartphones. They also provides PIV compliant smart card functionality. Yubico offers devices in two form factors: a keyring size USB device and a mini-USB device that can be left in a USB port.

U2F is intended for use only with web browsers. At the time of writing, only the Chrome browser supports U2F, but an effort to add support to Firefox is underway and Microsoft has announced plans to support U2F in Windows 10. While browser compatibility may be an issue for some developers at this time, U2F offers two compelling security advantages: ease of use and unlimited scalability.

The U2F user experience is excellent. When prompted, the user inserts their U2F USB device and taps a ring on it that acts as a button. (Users with the mini-USB version already inserted simply tap the edge of the device, which protrudes about 2mm from the USB port.) Private keys used to authenticate to the remote system never leave the U2F device, and the user must physically touch the device for authentication to occur. In other words, physical possession of the U2F device is required to complete the authentication. To date, most services allow multiple U2F devices to be enrolled. Users can therefore easily have a backup key available.

A single U2F device can be used to authenticate to an unlimited number of websites. This scalability alone sets U2F apart from other authentication systems. A user could authenticate to every web site they visit using a single U2F device on their keychain. Since U2F is intended as a second factor, some sites (including Google) offer the option of setting a cookie so that U2F authentication is only required every 30 days when access is made from the same browser.

TOTP and U2F both have strengths and weaknesses. However, both are based on open standards and are inexpensive to implement. Developers should strongly consider implementing U2F and TOTP in their applications to enable two-factor authentication across various use cases.

Have a security question you’d like answered in a future column? Email

Related posts