Authentication through FIDO U2F & UAF

Hello guys, I am creating this thread as a spin-off of my original thread “Behavioral Biometric with SAFE
I can see that @happybeing mentioned the project November last year (“Authentication: FIDO Support Looks Important”), but I think it is really worth a closer analysis to see what it can bring to MaidSafe’s project.

Lets begin:
FIDO stands for Fast IDentity Online, it is an alliance originally founded by Lenovo, PayPal, Nok Nok Labs, Infineon Technologies, Validity Sensors and Agnitio, the FIDO Alliance now has many more signatories including Google, Microsoft, Bank of America, Goldman Sachs, RSA, Netflix, ARM and MasterCard.

Their mission is to simplify logins while not sacrificing on security.
They are pushing for two standards:

  1. U2F: Universal 2nd Factor.
  2. UAF: Universal Authentication Framework.
    (Specs: FIDO Alliance Specifications Overview - FIDO Alliance)

The main difference is that U2F is a 2-factor authentication while UAF focuses on a passwordless experience based on local authentication (ie. using biometrics)

[quote] From an architecture point of view both protocols operate very similar: users make use a hardware-based key store, the Authenticator, that executes an authentication protocol with a Web server using a browser, or a native application as a relay.
This new authentication and key exchange protocol uses public key cryptography and nonces for authentication of the Authenticator to the Relying Party. Demonstrating possession of the private key via the Authenticator is only useful if the corresponding public key is registered with the server, which happens during an initial registration step. Server-side authentication, via Transport Layer Security (TLS), is essential during this step to ensure that the public key is registered with the intended origin. To avoid privacy problems an Authenticator maintains different public keys with different origins: sharing public keys with different origins allows Relying Parties to correlate transactions.

The Authenticator may be located outside the end device. For example, the Authenticator may be connected to the end host via a USB interface (i.e., the Authenticator is a USB-based token.) or connected to the end host using some radio technology, such as Bluetooth Smart. In other cases, the end host might itself have a trusted execution environment, as it is increasingly common with laptops and smart phones. Standardizing the communication with the Authenticator is only important if users are unwilling to install software for individual Authenticators. For Bluetooth Smartbased devices, however, users today often have to install apps of the vendor and hence it remains to be seen whether this changed user expectation simplies the introduction and deployment of new Authenticators.


The main strength that FIDO offers over typical OTP tokens is that it protects against MITM and MITB attacks.
TOTP tokens (such as Google Authenticator) can be phished out in real time, and such attacks seems to be already happening in the wild as reported by a Google employee (authentication - How secure are the FIDO U2F tokens - Information Security Stack Exchange)

The reason that MITM/MITB attacks are impossible is because the U2F/UAF is an actual challenge-response authentication protocol, based on public-key cryptography based on the device. This by its very nature prevents MITM and replay attacks.

Videos explaining about FIDO:

  1. U2F: FIDO Universal 2nd Factor (U2F) - YouTube
  2. UAF: FIDO Alliance Webinar - Universal Authentication Factor (UAF) - YouTube

Some use cases:

  1. (Yubico’s) U2F + Google: How-To: Log In to Google Accounts with FIDO U2F Security Key - YouTube
  2. (Hypersec’s) U2F + Google:
    - YouTube

Excellent post @piluso.