Standards


Back to Resources

FIDO U2F


Universal 2nd Factor (U2F) is an open authentication standard that strengthens and simplifies two-factor authentication using specialized USB or NFC devices.

U2F enables Internet users to securely access any number of online services, with one single device, instantly and with no drivers or client software needed. The technical specifications were launched in late 2014, including native support in Google Accounts and Chrome, and have since resulted in a thriving ecosystem of hardware, software and service providers.

Read the Gluu Server FIDO U2F docs.

U2F Advantages

Strong security — Strong two-factor authentication, using public key crypto and with native support in the browser (starting with Chrome). Protects against phishing, session hijacking, man-in-the-middle (MITM), and malware attacks.

Easy to use — Works out-of-the-box, enabling instant authentication to any number of services. No codes to re-type and no drivers to install.

High privacy — Allows users to choose, own and control their secure online identity. Each user can also choose to have multiple identities, including anonymous (no personal information associated with the identity). A U2F device generates a new pair of keys for every service, the public key is only stored on the specific service it connects to. With this approach no secrets are shared among service providers, and even low-cost U2F devices can support any number of services.

Multiple choices — Designed for existing phones and computers, for many authentication modalities (keychain devices, mobile phone, fingerprint reader, etc.) and with different communication methods (USB, NFC, Bluetooth).

Interoperable — Open standard backed by leading internet and financial services, including Google, Bank of America and 250 companies in the FIDO Alliance. U2F allows every service provider to be their own identity provider, or optionally let users authenticate through a federated service provider.

Cost-efficient — Service providers do not have to take the cost and support of secure distribution of U2F devices. Users can choose from a range of low-cost devices from multiple vendors, available at Amazon and other retail stores worldwide. Yubico offers free and open source server software for back-end integration.

Electronic identity —  For services requiring a higher level of identity assurance, services are being developed, both online and in the physical world, for tying your U2F device to your real identity.

Secure recovery — It is recommended that users register at least two U2F devices with every service provider, which may optionally also provide the user with a backup code should a U2F device be misplaced.

Read the Gluu Server FIDO U2F docs.

How it Works

This diagram explains the basic process flow of U2F:

U2F Process Flow

U2F Support in the Gluu Server

The Gluu Server supports the U2F authentication standard out-of-the-box. Once you have deployed a Gluu Server, you can enable U2F authentication as the default authentication mechanism, or you can simply expose it as an option that applications can request using the OpenID Connect acr value. Learn how to use U2F in the Gluu Server in our U2F docs.

The above content about U2F was borrowed heavily from Yubico.

Get News and Product Updates