
Fingerprint FIDO2 Key (1)

It will come soon.

FIDO key (9)

Category: FIDO key

If a man-in-the-middle (MITM) tries to intermediate between the user and the origin during the authentication process, the FIDO2/U2F protocol can detect it in most situations. Suppose that the user has correctly registered a U2F device with an origin, and a MITM on a different origin server tries to intermediate the authentication. In this case, the user’s FIDO2/U2F device will not even respond, because the MITM’s (different) origin name, such as its server host name, will not match the Key Handle that the MITM is relaying from the actual origin.

Category: FIDO key

Security-conscious users will know the term “two-factor authentication.” In addition to information that only the user knows (a password, etc.), a one-time password that arrives at the user’s smartphone is also confirmed during authentication. However, there are cyber attacks that break through this two-factor authentication. “Phishing sites that break through two-factor authentication for online banks appeared around the end of 2018 and have increased rapidly since September 2019.”

  1. Send a phishing message pretending to be from a bank to the victim by email or short message (SMS), such as “Please complete the procedure for updating security”.
  2. When the victim visits the link in the message, they are directed to a fake site that looks like the correct banking site at first glance.
  3. If the victim tries to log in with 2-factor authentication, the data is relayed through the fake site to the correct site. The criminal can then log in and access the victim’s information to transfer money to his own account.

With eSecu keys, user login is bound to the origin, so authentication will fail on a fake site: no credentials were ever set up there to authenticate with. The eSecu FIDO2/U2F key will never respond to a challenge and send the response back to the server unless the key verifies that the login site is truly the genuine login website, not a fake site pretending to be the genuine one. This means that FIDO2/U2F authentication cannot be phished.

Category: FIDO key

Even FIDO U2F methods come in a variety of 2-factor forms, and the security levels of

  1. Code-based U2F
  2. Push-based U2F
  3. Software-based U2F

are almost the same. However, they are all less secure than hardware-based U2F.

Code-based authenticators use codes sent via SMS or generated by a TOTP-based phone app such as Google Authenticator. Push-based authentication shows the estimated location of the user in order to protect against phishing, but users do not pay attention to that information. Software-based U2F emulates a hardware U2F HID device and performs the cryptographic operations in software on the OS.

Hardware-based U2F runs outside the computer that hosts the web browser, whereas software-based U2F uses hardware only to store its keys in the computer’s secure TPM memory. Imagine the situation where malware that arrived by e-mail runs on the computer. The malware can access the browser’s cookies and has full access to all authenticated website sessions, but not to external hardware and not to hardware storage. In such a situation, hardware-based U2F is compromised only while the malware is running on the computer. Software-based U2F, on the other hand, could remain compromised even after the malware has been removed.

It is clear that hardware-based U2F is more secure than software-based U2F, although it is difficult to say how much more secure. If the price of a hardware key is low, people prefer the hardware solution. As a best practice, we recommend using physical security keys because hardware-based U2F exists separately from the user’s laptop or workstation. This way, even if malware manages to gain access to the user’s computer, the user’s second factor is not compromised as well.

Category: FIDO key

The key works in addition to your password, not as a replacement for it. If someone steals the key, they still cannot get into your account without knowing your password. The administrators can log in with a backup method, remove the stolen key from your account and issue a new key.

Category: FIDO key

When administrators set up your security key, they are recommended to also set up backup methods that a member can use in case he loses his key. These include an authenticator app that lives on the phone of the administrator or the member. The administrators can also register more than one key to each member’s account and keep the backup key in a safe place.

Category: FIDO key

The use of 2 or more authentication factors to prove one’s identity is based on the premise that an unauthorized person is unlikely to be able to supply all the factors required for access. The authentication factors of a multi-factor authentication scheme may include

1) Something the user has, such as a key,

2) Something the user knows, such as a password,

3) Something the user is, such as biometrics, and

4) Somewhere the user is, such as a specific PC.

Currently, there are two types of 2-factor authentication method:

1) 2-step authentication consisting of a password and a 2nd factor, such as a Google account

2) FIDO2 authentication consisting of a key and biometrics, such as a Microsoft account

The eSecu FIDO2/U2F key uses password and key, while the eSecu FIDO2 fingerprint key uses key and biometrics.

Category: FIDO key

A FIDO2/U2F key has a shared attestation key pair inside from the beginning. The key pair is shared across a large number of U2F device units made by ExcelSecu. Every public key output by the U2F device during the registration step is signed with the attestation private key so that the server can verify the genuineness of the FIDO2/U2F key. When such an infrastructure is available, the server can accept only U2F devices from certain vendors by checking the attestation certificate.

Category: FIDO key

A typical 2-factor authentication other than FIDO is OTP authentication, which may employ a USB hardware token. One-Time Password (OTP) authentication looks quite secure because it uses hardware to generate the OTP. OTPs are generated using the Hashed Message Authentication Code (HMAC) algorithm and a moving factor, such as time-based information (TOTP) or an event counter (HOTP). OTPs have minute- or second-level timestamps for greater security. OTPs are delivered to a user through several channels, including an SMS text message, an email or a dedicated application on the endpoint. The authentication server can generate the same OTP by itself, so the delivered OTP can be verified by the server. SMS message spoofing and man-in-the-middle (MITM) attacks can be used to break 2-factor authentication systems that rely on one-time passwords. Therefore, OTP must be used with a secure delivery method.
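The HMAC-based OTP generation described above, written as an added example (not ExcelSecu’s code): HOTP per RFC 4226, TOTP per RFC 6238, and a server-side check with a drift window and single-use counter. The secret and timestamps are the RFCs’ published test values.

```python
import hashlib, hmac

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                             # low nibble picks the 4-byte window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF   # 31-bit dynamic binary code
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose moving factor is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret: bytes, submitted: str, unix_time: int, last_used_step: int,
                step: int = 30, digits: int = 6, skew: int = 1):
    """Server-side check: tolerate +/- `skew` steps of clock drift, compare in constant time,
    and refuse any step at or before the last accepted one, so a code cannot be used twice.
    Note this does not stop a real-time relay, where an attacker submits a code captured on a
    phishing page before the victim's own request arrives; that is the weakness the text describes."""
    now_step = unix_time // step
    for candidate in range(now_step - skew, now_step + skew + 1):
        if candidate <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate   # caller persists this as the new last_used_step
    return None
```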

Category: FIDO key

The authentication server, the browser on the platform (PC), and the FIDO2/U2F security key work together for secure login to a cloud service. The server sends a fresh random number each time, through the browser, to the key. The key sends back a signature over data that includes the received random number, through the browser, to the server. The server verifies the signature cryptographically. Since the returned signature can be made only by the designated key, no one can steal the credential data on the way. In addition, the eSecu FIDO2/U2F key contains a security chip that protects its storage and performs the dedicated cryptographic operations, so that it is impossible to steal credential data from the key. The security chip is a special IC of the kind used in all security products such as smart cards.
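The challenge-response flow just described, together with the origin binding from the MITM and phishing answers above, as an added simulation (not ExcelSecu’s code, standard library only). The key handle, RP id derivation and client-data check follow the U2F/WebAuthn design; HMAC stands in for the key’s ECDSA signature, and the origin names are constructed.

```python
import hashlib, hmac, json, os

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def rp_id(origin: str) -> str:
    return origin.split("://", 1)[1].split(":")[0]   # browser derives the RP id from the real origin

class Authenticator:   # simulated key: one device secret, credentials bound to an app-id hash
    def __init__(self):
        self.secret = os.urandom(32)   # never leaves the device
    def _cred_key(self, app_hash: bytes, nonce: bytes) -> bytes:
        return hmac.new(self.secret, app_hash + nonce, "sha256").digest()
    def register(self, app_hash: bytes):
        nonce = os.urandom(16)
        tag = hmac.new(self.secret, b"handle" + app_hash + nonce, "sha256").digest()
        # U2F-style key handle (nonce + tag) lets the device check which app-id issued it;
        # the second value plays the role of the public key the server stores.
        return nonce + tag, self._cred_key(app_hash, nonce)
    def authenticate(self, app_hash: bytes, key_handle: bytes, client_data_hash: bytes):
        nonce, tag = key_handle[:16], key_handle[16:]
        expect = hmac.new(self.secret, b"handle" + app_hash + nonce, "sha256").digest()
        if not hmac.compare_digest(tag, expect):
            return None   # handle was issued for another origin: the key stays silent
        return hmac.new(self._cred_key(app_hash, nonce), app_hash + client_data_hash, "sha256").digest()

def browser_get_assertion(key: Authenticator, origin: str, challenge: str, key_handle: bytes):
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    return client_data, key.authenticate(h(rp_id(origin).encode()), key_handle, h(client_data))

def server_verify(origin: str, cred_key: bytes, challenge: str, client_data: bytes, sig) -> bool:
    cd = json.loads(client_data)
    if sig is None or cd.get("origin") != origin or cd.get("challenge") != challenge:
        return False   # no response, wrong origin, or stale/replayed challenge
    expect = hmac.new(cred_key, h(rp_id(origin).encode()) + h(client_data), "sha256").digest()
    return hmac.compare_digest(sig, expect)

def demo():
    bank, phish = "https://bank.example", "https://bank-example.evil"   # constructed names
    key = Authenticator()
    key_handle, cred_key = key.register(h(rp_id(bank).encode()))   # registered at the real bank
    challenge = os.urandom(16).hex()
    cd, sig = browser_get_assertion(key, bank, challenge, key_handle)   # genuine login
    ok_real = server_verify(bank, cred_key, challenge, cd, sig)
    # Relay: attacker forwards the bank's challenge and key handle to the victim's browser,
    # which is on the attacker's origin, so the key never answers and the bank rejects.
    cd, sig = browser_get_assertion(key, phish, challenge, key_handle)
    ok_phish = server_verify(bank, cred_key, challenge, cd, sig)
    return ok_real, ok_phish
```

Running `demo()` returns `(True, False)`: the genuine login verifies, the relayed one does not.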

FIDO/U2F Key (11)

Category: FIDO/U2F Key

Yes, you can.

Category: FIDO/U2F Key

Yes, eSecu FIDO2/U2F key is a second factor that you use in addition to your password.

Category: FIDO/U2F Key

You will need it every time you log in from a NEW machine. You can decide whether to make sites ask you for the security key every time you log in from a known machine, or to trust that machine after first use.

Category: FIDO/U2F Key

eSecu FIDO2/U2F keys must be registered on a PC over USB, because the Chrome browser only supports that style of registration. The administrator in the organization must prepare FIDO2/U2F keys and Google accounts for each member. He/she signs in to each member’s Google account with the member’s password and registers the key to that Google account. Each key is then handed to its member for login.

Category: FIDO/U2F Key

All members of an enterprise must log in to cloud services with 2-step login authentication, both at the office and at home. Individuals also use it to strengthen the security of password login. eSecu FIDO2 keys protect you against impostor websites that try to steal login credentials for sensitive accounts such as your email. Other forms of two-factor authentication (including text messages, authenticator apps, and push notifications) do not give you the same level of protection as a security key.

Category: FIDO/U2F Key

FD202 has USB and wireless NFC connections.

FD202 (NFC) can sign in from the Chrome browser on an Android smartphone over NFC.

FD202 (NFC) can sign in from the Chrome browser on a PC over USB. There are 2 ways to sign in to cloud services. A single key is used to sign in to a Google account in both ways on 2 different types of platforms.

Note that the registration must be done on a PC over USB.

Category: FIDO/U2F Key

FD203 (NFC/BLE) can sign in from the Safari browser on an iPhone over BLE.

FD203 (NFC/BLE) can sign in from the Chrome browser on an Android smartphone over NFC.

FD203 (NFC/BLE) can sign in from the Chrome browser on a PC over USB.

There are 3 ways to sign in to cloud services. A single key is used to sign in to a Google account in all 3 ways on 3 different types of platforms.

Note that the registration is done on a PC over USB.

Category: FIDO/U2F Key

Applications that support FIDO® U2F include, but are not limited to: Google, Facebook, Dropbox, GitHub, Dashlane, DUO, StrongAuth, etc.

Category: FIDO/U2F Key

Each member of an organization can add multiple FIDO2/U2F keys to a single account. In addition, a single FIDO2/U2F key covers multiple accounts. Therefore, multiple members can manage their own accounts using a single shared key. The administrators can keep one backup key for multiple member accounts in a safe place. However, each account has its own password, so each member should manage his/her own account himself/herself. Sharing accounts with other members is not recommended.

Category: FIDO/U2F Key

An eSecu FIDO2/U2F key is a small physical device that looks like a USB drive and works in addition to your password on supported web browsers such as Google Chrome and Microsoft Edge to log in to cloud services. The cloud authentication server authenticates the user by communicating with the key. You can carry the key on a keychain like a regular key.


Category: FIDO/U2F Key

The FIDO2/U2F key works based on WebAuthn and CTAP1, while the FIDO2 Fingerprint key works based on WebAuthn and CTAP2. Both keys can be used in 2-step authentication for login to cloud services on web browsers such as Google Chrome and Microsoft Edge. The FIDO2 Fingerprint key can verify the user by a feature of the human body, so that it works as 2-factor authentication (having a key plus biometrics) without a password.