Security Keys: Practical Cryptographic Second Factors for the Modern Web | SpringerLink
Skip to main content

Security Keys: Practical Cryptographic Second Factors for the Modern Web

  • Conference paper
  • First Online:
Financial Cryptography and Data Security (FC 2016)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9603))

Included in the following conference series:

Abstract

“Security Keys” are second-factor devices that protect users against phishing and man-in-the-middle attacks. Users carry a single device and can self-register it with any online service that supports the protocol. The devices are simple to implement and deploy, simple to use, privacy preserving, and secure against strong attackers. We have shipped support for Security Keys in the Chrome web browser and in Google’s online services. We show that Security Keys lead to both an increased level of security and user satisfaction by analyzing a two year deployment which began within Google and has extended to our consumer-facing web applications. The Security Key design has been standardized by the FIDO Alliance, an organization with more than 250 member companies spanning the industry. Currently, Security Keys have been deployed by Google, Dropbox, and GitHub. An updated and extended tech report is available at https://github.com/google/u2f-ref-code/docs/SecurityKeys_TechReport.pdf.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
¥17,985 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
JPY 3498
Price includes VAT (Japan)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
JPY 5719
Price includes VAT (Japan)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
JPY 7149
Price includes VAT (Japan)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    This is just an example, the real bad.com may not be malicious.

  2. 2.

    This is just an example, the real bamk.com may not be malicious.

  3. 3.

    http://smile.amazon.com/s/ref=sr_kk_1?rh=k:u2f.

References

  1. Fallows, J.: Hacked! The Atlantic. November 2011

    Google Scholar 

  2. Honan, M.: How Apple and Amazon Security Flaws Led to My Epic Hacking. http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/all/, Acces-sed 31 Dec 2014

  3. Wikipedia: 2014 celebrity photo hack – wikipedia, the free encyclopedia. http://en.wikipedia.org/w/index.php?title=2014_celebrity_photo_hack&oldid=640287871, Accessed 31 Dec 2014

  4. Bonneau, J.: The science of guessing: analyzing an anonymized corpus of 70 million passwords. In: 2012 IEEE Symposium on Security and Privacy. May 2012

    Google Scholar 

  5. Bonneau, J., Herley, C., van Oorschot, P.C., Stajano, F.: The quest to replace passwords: a framework for comparative evaluation of web authentication schemes. In: 2012 IEEE Symposium on Security and Privacy. May 2012

    Google Scholar 

  6. Herley, C., Oorschot, P.C., Patrick, A.S.: Passwords: if we’re so smart, why are we still using them? In: Dingledine, R., Golle, P. (eds.) FC 2009. LNCS, vol. 5628, pp. 230–237. Springer, Heidelberg (2009). doi:10.1007/978-3-642-03549-4_14

    Chapter  Google Scholar 

  7. Google Inc: Google 2-Step Verification (2015). https://support.google.com/accounts/answer/180744

  8. Bank of America: SafePass Online Banking Security Enhancements (2015). https://www.bankofamerica.com/privacy/online-mobile-banking-privacy/safepass.go

  9. Railton, J.S., Kleemola, K.: London Calling: Two-Factor Authentication Phishing From Iran (2015). https://citizenlab.org/2015/08/iran_two_factor_phishing/

  10. Harbach, M., Fahl, S., Rieger, M., Smith, M.: On the acceptance of privacy-preserving authentication technology: the curious case of national identity cards. In: Cristofaro, E., Wright, M. (eds.) PETS 2013. LNCS, vol. 7981, pp. 245–264. Springer, Heidelberg (2013). doi:10.1007/978-3-642-39077-7_13

    Chapter  Google Scholar 

  11. Unknown: Estonia takes the plunge: A national identity scheme goes global (2014). http://www.economist.com/news/international/21605923-national-identity-scheme-goes-global-estonia-takes-plunge

  12. Shah, N.: Strengthening 2-Step Verification with Security Key (2014). https://googleonlinesecurity.blogspot.com/2014/10/strengthening-2-step-verification-with.html

  13. Heim, P., Patel, J.: Introducing U2F support for secure authentication (2015). https://blogs.dropbox.com/dropbox/2015/08/u2f-security-keys/

  14. Toews, B.: GitHub supports Universal 2nd Factor authentication (2015). https://github.com/blog/2071-github-supports-universal-2nd-factor-authentication

  15. Fast IDentity Online (FIDO): (2015). https://fidoalliance.org/

  16. Biddle, R., Chiasson, S., Van Oorschot, P.: Graphical passwords: learning from the first twelve years. ACM Comput. Surv. 44(4), 19:1–19:41 (2012)

    Article  MATH  Google Scholar 

  17. Jain, A.K., Flynn, P., Ross, A.A.: Handbook of Biometrics, 1st edn. Springer, New York (2010)

    Google Scholar 

  18. Parno, B., Kuo, C., Perrig, A.: Phoolproof phishing prevention. In: Crescenzo, G., Rubin, A. (eds.) FC 2006. LNCS, vol. 4107, pp. 1–19. Springer, Heidelberg (2006). doi:10.1007/11889663_1

    Chapter  Google Scholar 

  19. Toopher Inc.: Toopher - 2 Factor Authentication (2012). http://toopher.com

  20. Oracle: Java Card Technology (2014). http://www.oracle.com/technetwork/java/embedded/javacard/overview/index.html

  21. Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol, Version 1.2. http://tools.ietf.org/html/rfc5246, August 2008

  22. Gaw, S., Felten, E.W.: Password management strategies for online accounts. In: Proceedings SOUPS 2006, pp. 44–55. ACM Press (2006)

    Google Scholar 

  23. Fontana, J.: Stolen passwords re-used to attack Best Buy accounts (2012). http://www.zdnet.com/stolen-passwords-re-used-to-attack-best-buy-accounts-7000000741/

  24. Aircrack: Aircrack-ng Homepage (2015). http://www.aircrack-ng.org/doku.php

  25. Butler, E.: Firesheep (2010). http://codebutler.com/firesheep

  26. Ewen, M.: The NSA Files (2015). http://www.theguardian.com/us-news/the-nsa-files

  27. The Register: Microsoft Outlook PENETRATED by Chinese ‘man-in-the-middle’ (2015). http://www.theregister.co.uk/2015/01/19/microsoft_outlook_hit_by_mitm_attack_says_china_great_fire_org/

  28. Adkins, H.: An update on attempted man-in-the-middle attacks. http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html, August 2011

  29. Rizzo, J., Duong, T.: BEAST. http://vnhacker.blogspot.com/2011/09/beast.html, September 2011

  30. AlFardan, N.J., Paterson, K.G.: Lucky Thirteen: Breaking the TLS and DTLS Record Protocols (2013). http://www.isg.rhul.ac.uk/tls/TLStiming.pdf

  31. Dietz, M., Czeskis, A., Balfanz, D., Wallach, D.S.: Origin-bound certificates: a fresh approach to strong client authentication for the web. In: Proceedings of the 21st USENIX Conference on Security Symposium. Security 2012, Berkeley, CA, USA, USENIX Association (2012). 16–16

    Google Scholar 

  32. Popov, A., Balfanz, D., Nystroem, M., Langley, A.: The Token Binding Protocol Version 1.0 (2015). https://tools.ietf.org/html/draft-ietf-tokbind-protocol

  33. Nilsson, D.: Yubico’s Take On U2F Key Wrapping. https://www.yubico.com/2014/11/yubicos-u2f-key-wrapping/. Accessed 6 Jan 2016

  34. Barnes, R.: Intent to implement and ship: FIDO U2F API (2015). https://groups.google.com/forum/#!msg/mozilla.dev.platform/IVGEJnQW3Uo/Eu5tvyLmCgAJ

  35. Brickell, E., Camenisch, J., Chen, L.: Direct anonymous attestation. In: Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS 2004, pp. 132–145. ACM, New York (2004)

    Google Scholar 

  36. Brickell, E., Li, J.: Enhanced privacy ID: a direct anonymous attestation scheme with enhanced revocation capabilities. In: Proceedings of the 2007 ACM Workshop on Privacy in Electronic Society, WPES 2007, pp. 21–30. ACM, New York (2007)

    Google Scholar 

  37. Bichsel, P., Camenisch, J., Groß, T., Shoup, V.: Anonymous credentials on a standard Java Card. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 600–610. ACM (2009)

    Google Scholar 

Download references

Acknowledgements

Listing all of the people who have contributed to the design, implementation, and evaluation of Security Keys is virtually impossible. We would like to thank the anonymous reviewers, along with the following individuals: Arnar Birgisson, Frank Cusack, Jakob Ehrensvärd, Kenny Franks, Iulia Ion, Benjamin Kalman, Kyle Levy, Brett McDowell, Dan Montgomery, Ratan Nalumasu, Rodrigo Paiva, Nishit Shah, Matt Spear, Jayini Trivedi, Mike Tsao, Mayank Upadhyay, and many Google teams (UX, QA, Legal).

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Juan Lang .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2017 International Financial Cryptography Association

About this paper

Cite this paper

Lang, J., Czeskis, A., Balfanz, D., Schilder, M., Srinivas, S. (2017). Security Keys: Practical Cryptographic Second Factors for the Modern Web. In: Grossklags, J., Preneel, B. (eds) Financial Cryptography and Data Security. FC 2016. Lecture Notes in Computer Science(), vol 9603. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-54970-4_25

Download citation

  • DOI: https://doi.org/10.1007/978-3-662-54970-4_25

  • Published:

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-54969-8

  • Online ISBN: 978-3-662-54970-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics