Max Posted October 21, 2014

FIDO U2F is a new standard for 2-factor authentication USB tokens.

https://fidoalliance.org/specifications/download
http://googleonlinesecurity.blogspot.nl/2014/10/strengthening-2-step-verification-with.html
https://github.com/Yubico/php-u2flib-server

Main advantages over OATH/Yubikey:

- Can use a single token with multiple websites without central authentication servers, because it uses public key cryptography instead of shared secrets.
- Cheap enough to hand out to customers. Tokens start at $ 5.99 (versus $ 20 for a classical Yubikey): https://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Daps&field-keywords=FIDO%20U2F%20Security%20Key
Blesta Addons Posted October 21, 2014

+1, our registrar cctld will use it for the new web authentication.
Paul Posted October 22, 2014

Looks interesting, so it doesn't need to communicate with a 3rd party service?
Max Posted October 23, 2014 (Author)

> Looks interesting, so it doesn't need to communicate with a 3rd party service?

Correct. It uses public key cryptography with separate keys for each site.

When the user registers on a U2F-capable website, the token generates a fresh public/private key pair and sends the public key to the website, along with a key id. Upon logging in to the website, the user first enters their username and password as normal. The website then sends the key id corresponding to the user and a challenge to the token, and (after the user presses the button on the token) the token uses the corresponding private key to sign the challenge.

In most implementations the key id is actually not really an id, but the entire private key encrypted by the token, so that the token does not need storage space for dozens of keys, just for the key used to encrypt/decrypt the private keys.

The U2F standard also has some other clever features; for example, it restricts keys to a domain, so that if the user was tricked into logging in to a phishing site, the token will not function properly.

There are currently some downsides as well. One is that U2F tokens require two-way communication and therefore need browser support. Only Google Chrome supports them for now. This is unlike traditional Yubikey tokens, which emulate a normal USB keyboard and therefore work with any browser and can be used in things other than browsers as well (e.g. to restrict SSH and VPN access).
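The registration and login exchange described above, as an added Go example written for this thread (it is not code from the thread or from php-u2flib-server). It simulates both sides: the token wraps each site's private key into the "key id" with one AES-GCM wrapping key, binds the origin in as associated data so a handle issued to one site cannot be unwrapped for another, and the site verifies the signed challenge against the public key it stored. The origin strings, the AES-GCM wrapping scheme and the signed-data layout are assumptions for illustration; a real U2F assertion also covers a user-presence flag and a counter.

```go
package main

import (
	"crypto/aes"; "crypto/cipher"; "crypto/ecdsa"; "crypto/elliptic"
	"crypto/rand"; "crypto/sha256"; "crypto/x509"; "errors"
)

// Token models a U2F device: one wrapping key, no per-site key storage (toy model, not a real device).
type Token struct{ aead cipher.AEAD }
// NewToken takes a 16-, 24- or 32-byte wrapping key that never leaves the device.
func NewToken(wrapKey []byte) *Token {
	block, _ := aes.NewCipher(wrapKey) // only fails for a wrong key length
	aead, _ := cipher.NewGCM(block)
	return &Token{aead}
}

// Register: fresh P-256 pair for this origin; the "key id" is the wrapped private key, bound to the origin.
func (t *Token) Register(appID string) ([]byte, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, _ := x509.MarshalECPrivateKey(priv) // cannot fail for a freshly generated key
	nonce := make([]byte, t.aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is documented never to fail
	return t.aead.Seal(nonce, nonce, der, []byte(appID)), &priv.PublicKey, nil
}

// Sign unwraps the handle (fails for a handle issued to another origin) and signs the challenge.
func (t *Token) Sign(appID string, handle, challenge []byte) ([]byte, error) {
	ns := t.aead.NonceSize()
	if len(handle) < ns {
		return nil, errors.New("malformed key handle")
	}
	der, err := t.aead.Open(nil, handle[:ns], handle[ns:], []byte(appID))
	if err != nil {
		return nil, errors.New("key handle was not issued for this origin")
	}
	priv, _ := x509.ParseECPrivateKey(der) // we wrapped valid DER, so it parses
	return ecdsa.SignASN1(rand.Reader, priv, signedData(appID, challenge))
}
// signedData is hashed identically by token and site: origin plus the site's fresh challenge.
func signedData(appID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(appID), challenge...))
	return h[:]
}
// Verify is the site's check against the public key it kept from registration.
func Verify(pub *ecdsa.PublicKey, appID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(appID, challenge), sig)
}
```

Registering twice for the same origin yields two different handles and public keys, which is why a token can serve many sites without a central server.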
rob Posted February 1, 2020

We need this feature as well as enforced 2FA (for staff) in Blesta. No compliant organization in 2020 doesn't use hardware FIDO. Is there any way we can sponsor this feature to be created? @Paul