Before we dive into the FIDO Certified Key-ID Security Key and how it's used, let's get a handle on what authentication online means at the moment.
Authentication is simply the process of verifying that a user is who they claim to be, based on one or more factors, most commonly a user name and password.
All authentication factors fall into one of 3 categories:
- Something you know - Knowledge factors are passwords, PIN codes and security questions. These are the most common methods of online user authentication.
- Something you have - Ownership (possession) factors are something the user physically has: a physical key, an ID card or a security token.
- Something you are - Inherence factors are something that a user is or does. This is something like a fingerprint, a retinal scan, voice pattern recognition or even a DNA sequence.
The simplest form of authentication is the single-factor kind, which uses ONE of the above factors to verify an identity. Think of this as an email account/password combination (simply a "something you know" factor). This is the weakest way of securing an identity online as it relies on a single thing that can be fairly easily compromised: if someone obtains that password, they have full access to that account, and to any other account that reuses the same password.
A step up from single factor is Multi-Factor Authentication (MFA). This is when TWO or more of the above factors are used together to verify someone's identity. Think of this as a bank card/PIN code combination ("something you have" and "something you know"). MFA is based on the premise that an unauthorised person is unlikely to be able to supply BOTH factors, even if one becomes compromised (for example, they can get your bank card but not your PIN, or vice-versa). Companies have moved toward using mobile phone MFA to strengthen online security nowadays (requiring a unique text message code when logging into an online service or transferring money online). Bear in mind that a text message code can still be phished in real time or intercepted if someone takes over your phone number, which is exactly the gap hardware keys are meant to close.
To strengthen MFA even further, strong authentication was defined (it is used in much the same way as ordinary MFA). The big difference is that the two factors are mutually independent, so that compromising one does not compromise the other, and at least one of those factors is non-reusable and non-replicable: a one-time code rather than a static password. A familiar example is an authenticator application like Google Authenticator for Android, which generates a fresh code every 30 seconds.
There is a much deeper and more interesting conversation to be had if you want to delve into how cryptography relies upon "keys" (both public and private) to protect data passed between parties. It's a pretty interesting thing to learn about, although you will probably never actually use it in practice. As consumers, most of us are really just concerned with being secure, not with knowing how it works. But hey, if you want a simple, fun and quick breakdown of the basic idea behind public/private key cryptography, check out this quick little animation. Bear in mind that U2F uses the key pair for signing rather than for encrypting messages, so this is just the basic idea, not how FIDO U2F works.
Enough of that for now though, let's get into the FIDO USB key. FIDO? What are we talking about here? The FIDO (Fast IDentity Online) Alliance is a non-profit organisation that develops open, scalable standards that enable simple, secure, strong user authentication across multiple web services. Essentially these guys are striving to spread their Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F) protocols around the world. The mission of the FIDO Alliance is to change the nature of online strong authentication by:
1. Developing a set of technical specifications that define open, scalable and interoperable mechanisms that remove the inherent reliance on alphanumeric passwords online.
2. Creating these specifications and submitting them to recognised organisations so that they can be developed into standards, in order to ensure their worldwide adoption.
There are two protocols included under the FIDO architecture, and they cater to two basic user experiences with online services.
The FIDO UAF enables existing online services such as Facebook or Google to transparently leverage the native security features of end-user hardware to increase the strength of user authentication. And if that sounds like something paraphrased out of a technical guide to UAF, that's because it was. What it means is that online services, such as your online banking software, your Google account or even your social media website, can use the local hardware of your device as an authenticator to verify your identity online. This could be a fingerprint scanner (most smartphones have these nowadays), a PIN code entered on the device, or even a voice identification program. Essentially, UAF lets users stay safe and secure without needing to remember a separate password for every online account they use.
U2F is a bit of a different story and the one we are going to be interested in in this article. Rather than replacing the password, U2F defines a single open, strong second factor: a separate hardware device that signs a challenge from the website, so that any service on any platform can add the same second factor instead of each inventing its own.
There are a few different ways of getting to this "secure" endpoint, as the specifications define the protocol rather than the product. So multiple companies are able to follow these standards and provide products or software that adhere to them. The particular slice of the pie we are focusing on is USB keys, and the key we are looking at in this article is the Key-ID FIDO U2F USB Security Key.
What is it?
Essentially, this little USB key is a small device that holds its own secret and connects to your local PC. It doesn't do anything visible at first: it shows up as a standard USB HID device, so it doesn't require additional drivers, plug-ins or anything special. However, when you navigate to the two-factor authentication setup page of any website that supports U2F (Google, for example), you can opt to use your USB security key for your two-factor authentication. Note that while the Chrome and Opera web browsers both automatically detect and use U2F devices, you'll need to check the compatibility of other browsers.
Now, there is a big difference between basic public/private key encryption (explained roughly in the above video) and how FIDO implements the U2F standard. Rather than each party holding a key that can decode the other's messages, the key pair is used for signing. When you register, the device generates a brand new key pair just for that website. It sends the site the public key together with a "key handle", which is the private key wrapped (encrypted) under a hardware-protected "Master Secret" that never leaves the device (some devices derive the private key from the master secret and a random value instead, which amounts to the same thing). The private key itself is never exposed to your PC or to the site. When you log in later, the site sends back a random challenge along with your key handle, the device unwraps the private key with its master secret, and signs the challenge together with the site's identity and a counter. The site checks that signature against the public key it stored, which is how it knows you are you. Your part is simply to press the button on your USB device when prompted, which tells the key that a human is physically present.
To register your key to your account you just press the button when prompted. And that's pretty much it. Now every time you log in to that account, you will be prompted to press your USB key's button to prove that it is you signing in. The key only answers for the exact web origin it was registered on, so a look-alike phishing site cannot get a valid signature out of it, and the counter lets the site notice if a cloned key is ever used.
Right from the start, you can see how this really tightens up personal security online. Now even if someone knows your username and password (something you know), they still need your own unique USB key (something you have) to be able to log in to your account, and a phishing site cannot trick the key into signing for it. Additionally, you can set up several methods of two-factor authentication at once, meaning you can have your mobile phone set up for text message TFA, as well as email TFA and your USB device. That way, logging in to that same account on a device without USB support, like a mobile phone, won't leave you locked out of your account with nowhere to go. Just remember that any weaker fallback method you leave enabled is still there for an attacker to target, so keep the fallbacks to what you actually need.
If you happen to lose your key, you can navigate to the same page within your account settings to remove it from your account, which makes that registration useless to whoever finds it (they would still need your password as well). Interestingly, there is no limit to the number of accounts you can link to a USB key either, because the key stores nothing per account: the wrapped private key lives in the key handle held by the website, and the device only needs its master secret to use it.
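To make the registration and login flow described above concrete, here is an added example in Go. It is not the article's code or Key-ID's firmware; it models one common U2F device design, in which the key handle is the private key wrapped under the device's master secret and bound to the website's origin. The master secret, the origin and the challenge are constructed values. It demonstrates the three things the article relies on: the device keeps no per-site state (so accounts are unlimited), a stolen key handle is useless to a look-alike phishing origin, and the website rejects a replayed login.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

// Device models the token. Neither field ever leaves it.
type Device struct {
	gcm     cipher.AEAD // AES-GCM keyed with the device's master secret
	counter uint32      // signature counter: the only state the token keeps
}

// appHash is SHA-256 of the application ID (the web origin), as in U2F.
func appHash(appID string) []byte { h := sha256.Sum256([]byte(appID)); return h[:] }

// Register makes a fresh P-256 key pair for this origin. The website receives the public key
// and a key handle: the private key wrapped with AES-GCM, with the origin hash as additional
// data, so the handle can only ever be opened again by this device for this same origin.
func (d *Device) Register(appID string) (*ecdsa.PublicKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, _ := x509.MarshalECPrivateKey(priv) // cannot fail for a key GenerateKey just produced
	nonce := make([]byte, d.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return &priv.PublicKey, d.gcm.Seal(nonce, nonce, der, appHash(appID)), nil // nonce||ct||tag
}

// signedData is what gets signed: SHA-256(appHash || user-presence byte || counter || SHA-256(challenge)).
func signedData(appID string, counter uint32, challenge []byte) []byte {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	ch := sha256.Sum256(challenge)
	sum := sha256.Sum256(bytes.Join([][]byte{appHash(appID), {0x01}, ctr[:], ch[:]}, nil))
	return sum[:]
}

// Authenticate is the button press: unwrap the handle for this origin, bump the counter, sign.
func (d *Device) Authenticate(appID string, handle, challenge []byte, pressed bool) ([]byte, uint32, error) {
	ns := d.gcm.NonceSize()
	if !pressed || len(handle) < ns {
		return nil, 0, errors.New("no user presence, or malformed key handle")
	}
	der, err := d.gcm.Open(nil, handle[:ns], handle[ns:], appHash(appID))
	if err != nil { // wrong device, or a handle that was issued for a different origin
		return nil, 0, errors.New("key handle was not issued by this device for this origin")
	}
	priv, _ := x509.ParseECPrivateKey(der) // the AEAD tag already proves this is the DER we sealed
	d.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(appID, d.counter, challenge))
	return sig, d.counter, err
}

// Verify is the website's check: a valid signature for its own origin plus a strictly
// increasing counter, which catches replays and cloned tokens. lastCtr advances on success.
func Verify(pub *ecdsa.PublicKey, appID string, lastCtr *uint32, sig []byte, counter uint32, challenge []byte) bool {
	if counter <= *lastCtr || !ecdsa.VerifyASN1(pub, signedData(appID, counter, challenge), sig) {
		return false
	}
	*lastCtr = counter
	return true
}

// Demo enrols, then tries a real login, a login from a look-alike phishing origin
// holding the stolen key handle, and a replay of the real assertion.
func Demo() (legitOK, phishRejected, replayRejected bool, err error) {
	block, _ := aes.NewCipher(bytes.Repeat([]byte{0x42}, 32)) // constructed 32-byte master secret
	gcm, _ := cipher.NewGCM(block)                          // fixed sizes, so neither call can fail
	dev := &Device{gcm: gcm}
	const origin = "https://accounts.example.com" // assumed relying-party origin
	pub, handle, err := dev.Register(origin)
	if err != nil {
		return
	}
	var lastCtr uint32                                  // the website's stored counter
	challenge := []byte("random-challenge-from-server") // constructed
	sig, ctr, err := dev.Authenticate(origin, handle, challenge, true)
	legitOK = err == nil && Verify(pub, origin, &lastCtr, sig, ctr, challenge)
	_, _, perr := dev.Authenticate("https://accounts.example.com.evil.test", handle, challenge, true)
	phishRejected = perr != nil
	replayRejected = !Verify(pub, origin, &lastCtr, sig, ctr, challenge)
	return legitOK, phishRejected, replayRejected, nil
}

func main() {
	fmt.Println(Demo()) // true true true <nil>
}
```

Two design points worth noticing: the origin is mixed in twice, once as AEAD additional data (so the wrong site cannot even unwrap the handle) and once inside the signed data (so the site can tell which origin the signature is for), and the device stores only a counter, which is why revoking a lost key on the website is enough and why one key serves any number of accounts.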
This little Key-ID USB Security Key from Adafruit is incredibly easy to use with compatible online services (Dropbox, GitHub, Google, Facebook and about 40 other online services are already on board). Its size is perfect for your car-key chain and it gives you far more security online. In short, the Key-ID USB key is a nifty little device that removes the need for text-based verification when you are working away at your workstation at home or work, but the backstory behind it is just plain cool.