Unlocked padlock with key in it

Beyond two-factor: How to use U2F to improve app security

Remember the good old days before two-factor authentication, when using  just a username and password was considered secure? Actually, it never was.  Before teenager Julian Assange broke into the Pentagon, even before the Internet spread all over the world, people were compromising systems using brute-force password attacks. And the TV hacker Mr. Robot breaks into most people's accounts using social engineering against his targets.

The use of 2FA was supposed to remedy that, but the approach turns out to have its own vulnerabilities, which hackers have exploited, and getting around those challenges can be expensive. Fortunately, there's another alternative to 2-factor authentication: Universal 2nd Factor, or U2F, is an open source approach that might be just what application developers need.

TechBeacon App Security Buyer's Guide and Sample RFP

The problem with two-factor authentication

Before moving to the challenges of 2FA, it's important to set the table by reviewing the baseline challenges with single-factor authentication. As the increase in breaches against major service providers such as Adobe,  Twitter, Linkedin and Yahoo shows, the use of only passwords and security questions leaves users wide open to hackers. 

One big problem with passwords is the fact that users reuse them. Hackers know this, so once they steal an authentication credential for one compromised account, they will attempt to use it to break into the victim's other services. Users also choose weak passwords, which leaves them open to hackers using Crunch in Kali Linux or other readily available password cracking tools.

But if single-factor authentication is unsafe, 2FA implementations have their own limitations. For example, when your 2-factor authentication relies on a verification code sent through an SMS text message, crooks can break it by using social engineering or compromising the user's phone. Using smartphones as a second authentication factor also presents other risks, such as the need to protect the application logic from malware.

Another challenge for implementing two-factor authentication is the price tag. Companies such as Google or Facebook that have billions of users can't implement expensive or complex solutions, such as providing every user with a unique token or smart card for its service, because this would be too expensive. So how can you implement 2FA cost effectively? Consider Universal 2nd Factor, or U2F.

How U2F works 

The U2F open authentication standard, created by Google and Yubico, lets users securely and instantly access multiple online services using a single device, without requiring the use of special device drivers or client software.  With U2F, you can use 1 token for authenticating to many services. 

U2F requires that the user use a key token device and a browser that supports the U2F standard. The key device functions as a security token that lets the user login to multiple online services that support U2F, including custom-made applications. Both Chrome and Firefox currently support U2F.

Under the hood: The U2F standard protocol

Yubico describes U2F as "a challenge-response protocol extended with phishing and MitM [man-in-the-middle attack] protection, application-specific keys, device cloning detection and device attestation." The protocol's controls protect against well-known attacks as well as potential new ones. And it uses asymmetric cryptography, also called public-key cryptography, in which a private key resides within a Yubikey device. There are also controls in place within the browser client that enable control of the challenge, handle, and application ID.

Source: Yubico, Inc.

How to implement U2F on your website

Allowing your website's visitors to use two-factor authentication with 2UF is relatively easy, and Yubico provides developer guidelines. You have 3 alternatives, but the easiest path is to use the Yubico U2F Validation Server (u2fval) ,which provides U2F registration and authentication through a simple JSON-based REST API, so you won't have to change too much application code. There's also out-of-the-box support for content management systems, with plug-ins for popular platforms such as Wordpress. All code is open source, and available on Github.

How to review a 2UF implementation with u2fval

The easiest way to adopt 2-factor authentication with 2UF is by using the Yubico U2F Validation Server (u2fval). Installation is easy if you are developing the system in Linux or  for the Mac OS. You just use this pip command: sudo pip install u2fvalYou can also use other install commands with Python or Github.

Configurations are simple to adapt, but the server does require a database. You also must configure each client and how it is authenticated. Unfortunately, that's beyond the scope of u2fval, so you'll need to implement it independently.


Potential security issues with U2F

Since the U2F two-factor authentication protocol depends on verification at the browser client level, potential attacks could come from security vulnerabilities residing within the browser itself. So U2F's security depends on how well Google, Mozilla, and others apply the protocol in their browsers. 

Furthermore, if you're using the U2F Validation Server, keep in  mind that the REST API calls require strong validation controls at the server level. You could suffer server-side attacks if the API validation is not securely developed and verified. Also, since U2F relies on a database, all access through the config file /etc/yubico/u2fval/u2fval.conf should be restricted. And since there is an option to deploy u2val server on Apache servers using mod_wsgi, monitoring of future vulnerabilities in Apache is essential to protect against future attacks.

Since authentication is completely in the hands of the developer, I recommend proceeding with caution. Security mistakes in the authentication of clients will result in a  poor implementation of U2F.

The future of 2UF

The 2UF 2-factor authentication protocol is built with very strong security in mind, and it has a very promising future in spreading two-factor authentication among services such as Gmail, Github and Facebook. Nonetheless organizations that want to adopt it will need to first have a secure software development lifecycle in place.

A successful implementation depends on how well you program and integrate the other required components. This includes the way in which you authenticate clients, and set up access to the database. Pursuing a secure DevOps approach, and following OWASP guidelines can help you create ironclad applications and protect against future authentication attacks.

TechBeacon App Security Buyer's Guide and Sample RFP
Topics: App DevMobileSecurity