Why did I buy a FIDO2 Key?

Today, with the robustness and maturity of the FIDO2 standard, what can a FIDO2 key bring?

Updated: at 10:03 PM

U2F and FIDO2

U2F (Universal 2nd Factor). Initially developed by Yubico and Google, later managed by the FIDO Alliance and renamed CTAP1 after the release of FIDO2. The application area of U2F is to provide second-factor authentication for accounts. Typically, the second-factor authentication commonly seen in our lives is mainly composed of one-time SMS/email verification codes and verification codes generated based on the Time-based One-time Password (TOTP) algorithm. Such verification methods highly depend on the security of the software environment. If the information containing the verification code is "phished" in some way, then this last line of defense protecting the security of the account will be rendered ineffective. U2F achieves higher security than purely software-based second-factor authentication through hardware and asymmetric encryption technology. The unique private key is stored offline in the hardware device, and most U2F devices have a tactile operation in their hardware design to ensure that it is the user who is operating.

Nowadays, the FIDO Alliance has released three standards:

  • FIDO U2F
  • FIDO UAF
  • CTAP

The latest version of CTAP2 supports passwordless login, second-factor authentication, or multi-factor authentication using user's authenticators.

Meanwhile, FIDO2 is actually composed of the CTAP protocol and the W3C's WebAuthn standard. Together, they build and accomplish the experience of passwordless login and second-factor authentication using authenticators (software or hardware keys) only.

Why did I buy it?

I had the idea of purchasing a Yubikey a long time ago, but it remained just an idea, and I never put it into practice. It wasn't until I went abroad that I happened to think about acquiring some tech items that I had considered buying in China but never did. Yubikey was one of them, so in February, I placed an order for a Yubikey 5C NFC on Amazon.

Later, I purchased a Google Titan Security Key because its appearance is indeed a bit more attractive than the Yubikey.

The naming convention indicates that this is the fifth-generation product of Yubikey, with the letter "C" indicating it has a USB-C interface and supports NFC. Nowadays, most electronic devices use or are compatible with USB-C interfaces, especially many ultrabooks. My Mac and iPad are no exception. Additionally, since my iPhone does not yet support the USB-C interface, the NFC compatibility of Yubikey comes in handy.

Advantages

The main advantages of purchasing a FIDO2 key lie in quickly and securely verifying your identity, whether it's for passwordless login or two/multi-factor authentication.

In addition to convenient login, this authentication method effectively prevents phishing attacks from stealing your account. Because during the login process, you don't need to enter a password, and phishing websites cannot know that you're logging in using a key. They cannot verify your signature data, and furthermore, your operating system and browser also do not allow a unfamiliar URL to request the signature data stored on your device from other URLs. Therefore, attackers cannot steal your account at all.

As a result, you can confidently and securely log in to the services you want to access on trusted or unfamiliar public or temporary devices.

From this

The login page requesting the user's password.

To this

The login page requesting the user to insert the security key.

Compared to verification codes

Here, verification codes include but are not limited to SMS codes, email codes, and codes generated based on specific algorithms (e.g., TOTP).

However, the main issues with these types of verification codes are either inconvenience or, as mentioned earlier, they are not as secure compared to solutions based on hardware and asymmetric cryptography technology.

The inconvenience mainly arises from the need to operate a second device or other software.

But it must be acknowledged that some systems already support automatic filling of SMS and email verification codes. When you add a TOTP key to the iOS Keychain, for instance, it can even automatically fill in TOTP-based codes for you.

Compared to using an app to confirm login

Confirming login on an app refers to the process where, during login, you need to click a button within the app to confirm that it's indeed you who is logging in. More advanced methods, like those used by Microsoft accounts, involve receiving a random number. In Outlook or Microsoft Authenticator, for instance, you need to select the correct number to ensure it's you logging in. However, the issues are quite evident: you need to operate software on a second device to prove your identity. From my personal experience, trying to quickly open Outlook for verification on an iPhone Xr in 2024 is somewhat challenging. Additionally, I'm not fond of having to use my phone to complete tasks while using a computer. So, this verification method isn't something I prefer.

Compared to Passkey

The correct spelling is passkey, just like password.

I want to say that passkey is a great solution. However, passkey support from mainstream operating systems is still in its early stages.

For example, on Apple devices, you need the latest versions of iOS and macOS to possibly use passkey to log into your account. Otherwise, you can only use FIDO2 hardware keys.

Windows is the same. If you're still using Windows 10, you can only use FIDO2 hardware keys when invoking WebAuthn.

In Android, this seems to be addressed by Google Password Manager. But I don't have an Android device, so I can't test it. And if you can't use Google in your region, you can't use it happily :-(

In Linux, only Chromium-based browsers seem to have good passkey support, at least Chrome does. Firefox has poor support in this regard.

However, there is a unified solution. Some password managers now support saving passkey keys and compensate for the lack of passkey support on different operating systems through corresponding browser extensions. But there's a problem in the Android camp again. If you try to use a third-party password manager to save passkey, you need to ensure that your AOSP version is at least Android 14, as versions below Android 14 do not provide support for third-party password managers for passkey functionality.

So?

So, after all those comparisons, what I want to say is that hardware keys can address the drawbacks I mentioned earlier.

FIDO2, combined with the WebAuthn API, can perfectly accomplish passwordless and two-factor authentication, which is beyond doubt. Moreover, for slightly older system versions, hardware FIDO2 keys are the best choice.

Nowadays, more and more online services and apps are quickly adapting to passkey. Whether it's your Apple, Google, or Microsoft account, or services like Amazon, GitHub, Roblox, or even PlayStation, they all support passwordless login with passkey. Since passkey is based on FIDO, theoretically, a FIDO2 hardware key will also perfectly support these online services and apps, allowing you to log in easily and securely without worrying about the operating system version and environment—simply by inserting the key or using NFC.

Hardware keys sometimes bring additional benefits. Although they theoretically adhere to the same standard, the WebAuthn API allows developers to choose their preferred authentication methods. In other words, it's possible that some services can only be verified using FIDO2 hardware keys, usually due to security considerations.

Whatelse?

The mentioned Yubikey 5C NFC, in addition to supporting the FIDO2 protocol, also supports the following protocols:

  • FIDO U2F
  • Yubico OTP
  • OATH-TOTP
  • OATH-HOTP
  • Smart card (PIV)
  • OpenPGP

On the other hand, the mentioned Google Titan Security Key only supports FIDO2, including FIDO U2F.

Written by:
Jimmy
Keywords:
FIDO2, Yubikey, WebAuthn, FIDO Physical Key

Other Languages

  • 我为什么买了 FIDO2 物理密钥?

    Updated: at 04:04 AM

    在 FIDO2 标准茁壮和成熟的今天,一个物理密钥能带来什么?