Google Determines that FIDO U2F Keys Improve Security

Google researchers publish a study based on two-years of Security Keys usage and determine that improved security, reliability and lower costs are the result.

In a new two-year research study, Google researchers have concluded that the use of the FIDO Alliances' Universal 2nd Factor (U2F) standard, as part of the Google Security Keys initiative, has had positive security results. The new study comes as FIDO is preparing to update its standards for 2017.

Google first embraced the FIDO Alliances' Universal 2nd Factor (U2F) technology in an initiative to help improve user security back in 2014. The Fast IDentity Online Alliance (FIDO) Alliance first got started in 2013 as a group dedicated to the advancement and development of standards for strong authentication mechanisms.

The U2F standard is implemented in a physical USB security key device that is plugged into a user's system, providing a second factor for authentication. Christiaan Brand, Product Manager for Security and Identity at Google, explained that the U2F support applies to all Google apps, but it is limited to browsers supporting FIDO U2F, of which Google Chrome is one. Brand added that Google has also internally deployed Security Keys, based on FIDO U2F, to all Google employees. There are a number of different vendors that sell FIDO U2F compliant security keys including Yubico. Brand noted that there is a mix of different FIDO U2F devices deployed at Google.

"Security Keys are mandatory at Google," Brand told eWEEK. "They provide superior protection against phishing not possible with many alternative two factor authentication solutions."

According to Google's research based on its deployment experience with U2F, not only has security been improved, but so too has operational efficiency. U2F is an alternative to other forms of two factor authentication (2FA) including One Time Passwords (OTP)via SMS phone messages. Google's research found that the use of Security Keys reduced the time needed for authentication by nearly two-thirds.

"Since an authentication executes in milliseconds, virtually all of this time savings directly benefits users, which may account for the overwhelmingly positive reaction," Google's researchers wrote in a blog post.

Additionally, Google's research found that with OTP based authentication there was an average failure rate of three percent. In contrast, with the U2F Security Key approach, Google experienced zero authentication failures. The improved efficiency of using Security Keys instead of OTP is estimated by Google's support organization to have saved the company thousands of hours per year.

For consumers, Google offers a 2-Step Verification (2-SV) system called Google Authenticator, to help provide additional security for user accounts.

"While any 2-SV mechanism is better than having only a password on your account, FIDO U2F provides strong authentication that's resistant to many forms of advanced phishing attacks that traditional 2-SV doesn't protect against," Brand said. "It also provides for a much better user experience."

Brand added that Google will be launching an enterprise solution in the first quarter of 2017 specifically aimed at helping enterprises adopt Security Keys.

Google isn't the only company that supports FIDO U2F at this point. Brett McDowell, executive director of the FIDO Alliance, told eWEEK that Google was the first company to launch FIDO authentication in compliance with the FIDO U2F specification, but there have been many more deployments of the technology since then.

"There is now a rapidly growing list of service providers operating FIDO U2F compliant services including GOV.UK Verify, Dropbox, Github, Salesforce, Dashlane, Bitbucket, GitLab, Sentry, Compose, PushCoin and FastMail," McDowell said.

The FIDO specifications are continuing to evolve with the updated U2F 1.1 and UAF 1.1 (Universal Authentication Framework) standards set to be published on Thursday, December 8. McDowell explained that both FIDO UAF 1.1 and FIDO U2F 1.1 add several enhancements including an updated attestation format support, Application Protocol Data Unit (APDU) framing for smart card authenticators and new error codes. FIDO U2F will benefit from Bluetooth Low Energy (BLE) and updated Near Field Communication (NFC) transport capabilities.

FIDO is also set to work on new specifications in 2017.

"With these new specifications, we are collaborating with key industry partners to add new features and optimizations designed to bring enhanced FIDO authentication capabilities to web, desktop and mobile platforms," McDowell said. "So ultimately, we will see accelerated adoption by device manufacturers, service providers and enterprises alike."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.