FEITIAN: How FIDO U2F Security Keys Work for Users

Users of a FIDO U2F Security Key can activate all their online accounts with the same security key, provided the account supports the U2F protocol. Initial setup can vary from service to service (Google, Facebook, Gmail, Dropbox, Github, Salesforce), but once configured, the next steps are the same and no different than before the added layer of security. You simply log in with your standard credentials and insert your FIDO U2F Security key into an available USB port; an indicator light on the physical key will flash, signaling that you only need to touch a button on the key to access your account online. Using FIDO U2F Security Keys as a process looks like this:

  • The FIDO U2F Security key applies asymmetric cryptography, that is, the ability to generate a software keypair. A keypair is a combination of a public software key that encrypts data and a private software key that decrypts data, protecting online accounts from unauthorized access or use. The private key is securely stored on the FIDO U2F Security key and never shared, while the public key gets registered with the service and resides on its server.


  • When you register your FIDO U2F Security key with an online service, the key sends an encrypted public key and an accompanying ‘key handle’ (an identifier of a specific public key on the FIDO U2F security key plugged into a USB port) to the online service, where it resides on their server. The public key and key handle are used to verify the authentication request from the FIDO U2F Security key whenever it is placed in a USB port and a login is attempted. With setup complete, a user can from then on log in to their chosen service online as usual, using the credentials the site recognizes.


  • Assuming the standard login credentials are valid, the user now logs in with the FIDO U2F Security key inserted in an available USB port. After the routine login is validated, the online service initiates U2F authentication by sending the original key handle identifier back, via the browser, to the FIDO U2F Security key plugged into the USB port.


  • The FIDO U2F Security key receives the key handle from the online service and uses it to identify the matching private key encrypted in it. Once the matching private key is identified, the FIDO U2F Security key creates a digital signature, which is sent back through the browser to the online service to verify its presence. The very next instant, the FIDO U2F Security key flashes a green indicator light, signaling that a ‘match pairing’ of encryption and decryption is recognized by the online service, authentication has been achieved, and you have access to your account with that service. The user presses a button on the FIDO U2F security key to finalize the connection and access to the account.

(This is a detailed walkthrough of what transpires in the blink of an eye.)
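The registration and login exchange from the steps above, as an added example (not FEITIAN's code) in which an in-memory `Token` stands in for the hardware key and the service keeps only the key handle and public key. It goes slightly beyond the walkthrough by showing that the signature is tied to one challenge and to the service identity the handle was registered for. The names `Token`, `NewToken`, `digest` and `Verify` and the `kh-N` handle format are assumptions, and the signed message is simplified compared with real U2F (no counter, user-presence byte or attestation).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Token stands in for the hardware key (hypothetical type); private keys never leave this map.
type Token struct{ keys map[string]*ecdsa.PrivateKey }
func NewToken() *Token { return &Token{keys: map[string]*ecdsa.PrivateKey{}} }

// Register makes a fresh keypair for appID and releases only the key handle and public key.
func (t *Token) Register(appID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	handle := fmt.Sprintf("kh-%d", len(t.keys)+1) // constructed; real handles are opaque blobs
	t.keys[appID+"|"+handle] = priv
	return handle, &priv.PublicKey, nil
}

func digest(appID string, challenge []byte) []byte {
	d := sha256.Sum256(append([]byte(appID+"\x00"), challenge...)) // binds service identity and challenge
	return d[:]
}

// Sign answers a login challenge only for the appID the handle was registered with.
func (t *Token) Sign(appID, handle string, challenge []byte) ([]byte, error) {
	priv, ok := t.keys[appID+"|"+handle]
	if !ok {
		return nil, fmt.Errorf("key handle %q not registered for %s", handle, appID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, digest(appID, challenge))
}

// Verify is the service's check, using the public key it stored at registration.
func Verify(pub *ecdsa.PublicKey, appID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(appID, challenge), sig)
}

func main() {
	t := NewToken()
	h, pub, _ := t.Register("https://example.com")
	sig, err := t.Sign("https://example.com", h, []byte("nonce-1"))
	fmt.Println(err == nil && Verify(pub, "https://example.com", []byte("nonce-1"), sig))
}
```

A service would issue a fresh random challenge for every login, which is why a captured signature fails verification against any later challenge.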

The FIDO U2F Security key works immediately upon registration with the service, thanks to native support in operating systems and browsers, enabling instant authentication going forward. Using the key does not require entering or retyping any codes, installing any drivers, memorizing anything, or any additional applications. FIDO U2F security keys can't be cloned, as the private data on the key can't be extracted. Most FIDO U2F security keys aren't Bluetooth enabled, thus no maintenance or batteries are required.

If a FIDO U2F Security key is lost, so too is the ability to log in to the services and apps that were originally configured and secured with the lost key. For this reason it’s prudent to register multiple hardware keys, with one or two serving as a back-up measure, ensuring you can still log in to your accounts (with one of the registered back-up keys). Note that different online services provide different solutions for key recovery, so check with your online service about their security key recovery protocol. Having said this, the economical cost of FEITIAN ePass FIDO® Series Security Keys makes keeping a few back-up keys nearby the sensible and time-efficient route to go in managing the risk of a potentially lost key.
