Two-factor authentication is pretty standard now. Everything from your Google account to your bank can send you a text or unlock code to make sure it’s really you when you sign in from an unfamiliar location. This makes sense, as signing in from across the world is a pretty big indicator that it may not be you making the purchase or logging in. However, like computers, phones can be hacked too, and this may lead many users to wonder whether there is an alternative that offers increased security. The obvious call is for a device that cannot be hacked.
In this regard, Google advises the use of a security key. These are USB-powered devices that generate a one-time six-digit code and are linked to an authenticator app. There are also security keys that work with Bluetooth and NFC, which can be linked to a smartphone or tablet as well as a laptop if desired. These keys work under the FIDO Universal 2nd Factor (U2F) standard, which was developed by Google, Yubico and NXP Semiconductors and is now hosted by FIDO.
U2F is intended to both strengthen and simplify two-factor authentication, and the keys are indeed quite easy to use. The first step after buying one is registering it on the website and then logging in. After doing so, plug the key into a USB port and press the disc on the key itself. Pressing this disc confirms the login: the key transmits a code of 44 characters. In all future logins the initial 12 characters remain constant and the final 32 change to form the unique one-time passcode. Authentication on smartphones can be done by pressing the key directly onto the back of the phone.
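The 44-character layout described above implies two server-side checks: the constant 12-character prefix must match the key registered to the account, and a 32-character one-time part must never be accepted twice. The sketch below is an added example, not code from any vendor or from this article; the `KeyRegistry` class, the status strings, the sample codes and the 16-letter alphabet are assumptions made for illustration.

```python
MODHEX = set("cbdefghijklnrtuv")   # assumed alphabet, not stated in the article
PREFIX_LEN, ONE_TIME_LEN = 12, 32  # layout as described in the article


def split_code(code):
    """Split a 44-character code into (constant prefix, one-time part)."""
    code = code.strip().lower()
    if len(code) != PREFIX_LEN + ONE_TIME_LEN:
        raise ValueError("expected 44 characters")
    if not set(code) <= MODHEX:
        raise ValueError("character outside the assumed alphabet")
    return code[:PREFIX_LEN], code[PREFIX_LEN:]


class KeyRegistry:
    """Hypothetical server-side record of registered keys and used codes."""

    def __init__(self):
        self.prefix_for = {}   # account -> 12-character prefix of its key
        self.used = set()      # one-time parts already accepted

    def register(self, account, code):
        prefix, one_time = split_code(code)
        self.prefix_for[account] = prefix
        self.used.add(one_time)  # the registration code is consumed too

    def verify(self, account, code):
        try:
            prefix, one_time = split_code(code)
        except ValueError:
            return "malformed"
        if self.prefix_for.get(account) != prefix:
            return "wrong-key"
        if one_time in self.used:
            return "replayed"
        # Structural checks only: a real service must also validate the
        # one-time part cryptographically before accepting it.
        self.used.add(one_time)
        return "ok"


# Constructed sample codes (not real key output).
PREFIX = "cccccchijklb"
CODE_1 = PREFIX + "defghijklnrtuvcb" * 2
CODE_2 = PREFIX + "vutrnlkjihgfedbc" * 2
OTHER_KEY = "ccccccbdefgh" + "vutrnlkjihgfedbc" * 2
```

A captured code that is submitted a second time comes back as `replayed`, which is the property that makes the changing 32 characters a one-time passcode rather than a static password.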
While U2F is more secure, it is not yet widespread. Only Chrome and Opera currently support it, and while they account for more than 66% of all desktop browsing, a significant amount of traffic comes from Firefox and Safari, which are currently unable to work with U2F. The number of websites that work with U2F is also restricted at the moment. While big players such as Google, Facebook and GitHub all work with U2F, it has not yet spread to all major banks. However, for many people securing their Google and Facebook accounts might be reason enough to have U2F, since those two sites are what hackers will likely go for first to then target bank accounts via Google Wallet.
As said before, a worry for users is that mobile phones may be hacked, and hence a security key would be useful. However, both Google and Facebook have a possible flaw here: if a recovery phone number is set to receive security codes, it remains active until disabled. Hence the user must remember to disable the phone backup if they wish to avoid potential issues with the phone being hacked. Thankfully, this is easily done in the security settings pages of both Google and Facebook.