2

FIDO U2F seems much more secure than one-time-passwords (OTP), especially TOTP, because of the challenge-response architecture. In what ways is a U2F user still vulnerable?

I presume if a user's computer is compromised or the user loses their U2F dongle then all bets are off, right? But phishing no longer works? (I'm not an aspiring hacker, just a guy trying to understand a technology.)

EDIT: There's a related question about U2F linked to in the comments. That question asks how secure U2F is. I'm wondering specifically about vulnerabilities not fixed by U2F.

Thanks.

Jeff
    related: http://security.stackexchange.com/questions/71316/how-secure-are-the-fido-u2f-tokens – lepe Sep 01 '15 at 00:34

3 Answers

6

In my opinion U2F lacks one thing at the moment: The privacy of your secret key.

Each device comes with its own secret key. A site-specific key is derived from this secret key to do the challenge response when logging in to a site. This is meant to keep you anonymous and let you easily register and authenticate at a site.

But! Each U2F device that is sold nowadays comes with an initialized, non-changeable secret key. Thus you need to trust the vendors that created this secret key.

I would like to have a U2F device, where the user can create his own secret key! As long as this is not available, this is the biggest drawback. My opinion.

Edit on February 25th, 2017

This was true for Yubikeys and Plugup devices and many other devices OEMed from these. In fact, there are nowadays devices/vendors that claim to really create and not derive the key pairs for the registration. (I have not tested and verified this yet.)

cornelinux
  • Interesting point. Even if you could specify a private key though, how would you know that the U2F device will always actually use the key you set? Seems like a hostile U2F device manufacturer could compromise your security even without getting to pick the private key – Jeff Sep 02 '15 at 01:53
  • Yes. If you have a hostile device vendor, then you really have a problem. But more likely than a hostile device vendor is a sloppy device vendor, which keeps a record of which device was sent to which customer, and then gets hacked and all this information is lost to the cracker. Just like it happened with RSA SecurID some years ago. This is why I do not trust preseeded devices. – cornelinux Sep 02 '15 at 05:48
  • With RSA tokens, the key is symmetric and must be held by the authenticating entity. With U2F, the attestation signing currently is modeled on signing where the device gives the creator its public certificate. The private key can be generated on-device and never read. See http://forum.yubico.com/viewtopic.php?f=33&t=1666 – Jeff Ferland Sep 02 '15 at 15:45
  • Thanks for pointing to this thread. Also, reading https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-overview.html#verifying-that-a-u2f-device-is-genuine it might be technically possible to create my own symmetric master. To my understanding there is no private key except the attestation key (same for all devices of one vendor) stored on the device. But it is due to a specification in chapter 8 that it is not "allowed" to create the master key on my own - since there would be no guarantee by the end user that the master key was created on the device. – cornelinux Sep 03 '15 at 15:04
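The derive-from-one-secret design discussed in the answer and comments above can be sketched as follows. This is an added example, not part of the original posts and not any vendor's firmware: the HMAC-SHA256 construction, the key-handle layout (nonce followed by a MAC), the function names and the `.example` site names are assumptions chosen for illustration.

```javascript
const crypto = require("node:crypto");

const hmac = (key, ...parts) =>
  crypto.createHmac("sha256", key).update(Buffer.concat(parts)).digest();
const appParam = (appId) => crypto.createHash("sha256").update(appId).digest();

// Per-site private scalar = HMAC(deviceSecret, appParam || nonce).
// Nothing per-site is stored on the token; only the device secret is.
function derivePublicKey(deviceSecret, appId, nonce) {
  const ecdh = crypto.createECDH("prime256v1");
  ecdh.setPrivateKey(hmac(deviceSecret, appParam(appId), nonce));
  return ecdh.getPublicKey("hex");
}

// Registration: the site receives the public key and the key handle (nonce || MAC).
function register(deviceSecret, appId, nonce = crypto.randomBytes(32)) {
  const mac = hmac(deviceSecret, Buffer.from("handle"), appParam(appId), nonce);
  return {
    keyHandle: Buffer.concat([nonce, mac]),
    publicKey: derivePublicKey(deviceSecret, appId, nonce),
  };
}

// Authentication: re-derive the key from the handle; a handle minted for
// another appId fails the MAC check and is rejected.
function rederive(deviceSecret, appId, keyHandle) {
  const nonce = keyHandle.subarray(0, 32);
  const mac = keyHandle.subarray(32);
  const expected = hmac(deviceSecret, Buffer.from("handle"), appParam(appId), nonce);
  if (!crypto.timingSafeEqual(mac, expected)) return null;
  return derivePublicKey(deviceSecret, appId, nonce);
}

function derivationDemo() {
  const factorySecret = Buffer.alloc(32, 0x42); // constructed sample value
  const siteA = "https://site-a.example";       // constructed site names
  const siteB = "https://site-b.example";
  const a = register(factorySecret, siteA);
  const b = register(factorySecret, siteB);
  const recordedCopy = Buffer.from(factorySecret); // same bytes kept outside the token
  return {
    sitesUnlinkable: a.publicKey !== b.publicKey,
    tokenRederives: rederive(factorySecret, siteA, a.keyHandle) === a.publicKey,
    wrongSiteRejected: rederive(factorySecret, siteB, a.keyHandle) === null,
    secretHolderRederives: rederive(recordedCopy, siteA, a.keyHandle) === a.publicKey,
  };
}
```

In this model every site key is a function of the one device secret, which is why the provenance of that secret matters.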
3

I presume if a user's computer is compromised or the user loses their U2F dongle then all bets are off, right? But phishing no longer works?

The documentation I'm making statements in regards to this comes from the Protocol Design + User Flows document at https://sites.google.com/site/oauthgoog/gnubby

Malware on a machine can generate fake origin messages and acquire resultant replies from the device. Anti-malware is specifically labeled as out of scope for U2F design.

As with any 2 factor device in the something you have category, losing control of the device is a sign that it should be disabled.

Now, with those caveats in mind, phishing is protected against because the requesting software passes an origin identifier to the U2F device. That means g00gle.com can't acquire your 2nd factor credentials for google.com because you clicked a link in your email.

Jeff Ferland
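The origin binding described in the answer above, as an added example that is not part of the original post: a simplified model of a U2F authentication in which the appId is taken to be the site origin. The function names, the `.example` origins, the challenge string and the counter value are constructed for illustration.

```javascript
const crypto = require("node:crypto");

const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Bytes covered by the token's signature:
// SHA-256(appId) || user-presence byte || 4-byte counter || SHA-256(clientData)
function signedBytes(appId, clientData, counter) {
  const ctr = Buffer.alloc(4);
  ctr.writeUInt32BE(counter);
  return Buffer.concat([sha256(appId), Buffer.from([0x01]), ctr, sha256(clientData)]);
}

// Browser side: the browser builds clientData, so the page cannot choose the origin.
function browserClientData(pageOrigin, challenge) {
  return JSON.stringify({ typ: "navigator.id.getAssertion", challenge, origin: pageOrigin });
}

// Relying party: check origin and challenge, then the signature over its own appId.
function rpVerify(publicKey, appId, challenge, clientData, counter, signature) {
  const cd = JSON.parse(clientData);
  if (cd.origin !== appId) return "origin mismatch";
  if (cd.challenge !== challenge) return "challenge mismatch";
  const ok = crypto.verify("sha256", signedBytes(appId, clientData, counter), publicKey, signature);
  return ok ? "ok" : "bad signature";
}

function originBindingDemo() {
  const real = "https://login.example";      // constructed origins
  const lookalike = "https://l0gin.example";
  const challenge = "c2FtcGxlLWNoYWxsZW5nZQ"; // constructed challenge
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const sign = (appId, cd) => crypto.sign("sha256", signedBytes(appId, cd, 7), privateKey);

  const cdReal = browserClientData(real, challenge);
  const genuine = rpVerify(publicKey, real, challenge, cdReal, 7, sign(real, cdReal));

  // A lookalike page relays the real challenge; the browser stamps its own origin.
  // (A real token would also refuse the key handle, since it is bound to the real appId.)
  const cdFake = browserClientData(lookalike, challenge);
  const sigFake = sign(lookalike, cdFake);
  const relayed = rpVerify(publicKey, real, challenge, cdFake, 7, sigFake);

  // Swapping in clientData with the real origin changes the hashes that were signed.
  const rewritten = rpVerify(publicKey, real, challenge, cdReal, 7, sigFake);
  return { genuine, relayed, rewritten };
}
```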
-2

In general, 2 factor authentication is required in very sensitive applications like military and highly sensitive financial transactions. Note that many home banking applications don't use 2 factor anymore.

2 factor versus TOTP is a trade off of risk threat against countermeasure cost.

BTW - most of the answers to your questions are here https://www.yubico.com/applications/fido/

As they say: "It is recommended that users register at least two U2F devices with every service provider, which may optionally also provide the user with a backup code should a U2F device be misplaced."

So now you have 2 dongles at $18/pop. It's not a consumer solution at those prices.

HTH

Danny Lieberman