U2F (Universal 2nd Factor) is an open authentication standard that lets users log in to their online accounts with a physical security key as a second factor, and it makes the login step itself resistant to phishing, with no drivers or client software needed. You register a physical device once with each online service that supports the protocol. It was created by Google and Yubico and is now hosted by the FIDO Alliance.
Basically, U2F security keys are small USB devices that look like a flash drive. You can only log in to your account by tapping the key while it's plugged in. As an end user, it feels like a dedicated device for 2-Factor Authentication: instead of using your phone and an Authenticator app, you carry around a physical key.
2-Factor Authentication Benefits
U2F security keys protect the login step against credential phishing (a site or email that mimics a legitimate login page to trick you into entering your credentials) and against the man-in-the-middle relays that phishing kits use, and they keep the secret out of reach of malware on the computer, since the private key never leaves the device. They do not protect a session that has already been established: a stolen session cookie still works, so session hijacking after login is out of their scope.
Think you would never fall victim to a phishing attempt? Think you're too smart for that? According to this report, ninety-seven percent of consumers were unable to correctly identify phishing emails. Ninety-seven percent!
With a physical key like the YubiKey, your login can't be captured by a copycat login screen, because the key's response is bound to the site's origin: the browser records the page's origin in the data that gets signed and only lets a site use the AppID it is registered for. On a lookalike domain the authentication simply fails, even if you've been fooled into thinking the site is real.
This goes a long way against the increasing volume and sophistication of phishing attacks and stops the account takeovers that follow.
U2F Security Key Functionality
Once you have set up your security key, the only thing you need to do is plug it into your computer (or tap it against your phone) and press the button.
For this post I don't want to get lost in the technical details, but at a high level, security keys support two commands, which are exposed to web pages as browser APIs:
- Registration: the security key generates a fresh asymmetric key pair for this site and returns the public key together with a key handle. The server stores the public key and key handle against your user account; the private key never leaves the device.
- Authentication: when you go to log in, the server sends a random challenge. The browser passes it, along with the site's origin, to the security key, which checks that you are physically present (the button tap) and signs the challenge with the private key. The server verifies the signature with the public key it stored at registration. The private key itself is never sent anywhere; only a signature is.
U2F and WordPress Security
Seeing as this was an experiment and I am not super technical, I wasn't ready to attack a manual set up. I searched for a free plugin option on WordPress.org. The search ended pretty fast. There are currently not a lot of options or information for WordPress, so I went with the most popular free option, Two-Factor.
Now armed with my brand new key and the plugin I thought, “this shouldn’t be too hard”. So, how do you use U2F and physical security keys with WordPress?
- Go to Users -> your Profile page
- Scroll down. You will see some new features. Under Account Management there should now be Two-Factor options.
- Enable FIDO U2F and set it as primary
- Scroll down to Security Keys and press the Register New Key button
- Plug in your FIDO U2F security key and tap the circle button on it
- Wait for the page to refresh and click Update Profile
Looks easy enough. But I kept getting stuck at the fifth step. These instructions start with the assumption that your key is registered.
It's not complicated, but it had me tripped up. So here is my "noob's guide" to U2F setup for WordPress:
- Once you have your key in hand, the first step is to register it with Google
- To set up U2F on WordPress, you must be logged in as an administrator
- Use a browser with U2F support (Google Chrome is recommended; make sure you have the latest version)
- U2F requires an HTTPS connection: the browser will not register a new security key on a page served over plain HTTP
How Much Is That?
While it's fairly easy to implement, there are some drawbacks.
This level of security is not free, and providing security keys to everyone who needs access to your site could be costly, especially for large teams. Keys vary in price from $20 to $50. Plus, it's recommended you keep a backup key for each of your users, just in case their key is lost, damaged or stolen. If you run a team of 10, that would require 20 keys. Cha-ching.
If cost is not prohibitive, the next challenge is that security keys are still not widely adopted. While usage has increased, setting up security keys for other systems can be a painful and lengthy process. The good news is that things are improving, and setting up security keys on Google, Facebook or Twitter is fairly straightforward.
Another thing to consider for teams or development agencies is management. Keys create a more complicated employee and client onboarding process. It also means finding a point person for setup and recovery. Hello, middle managers.
Probably the most obvious hurdle: you can't access your site without the security key. This is good for your site's security but bad for convenience. Let's say you just arrived at work and realized you left your key at home. You can't call somebody to dictate a one-time password, because there is no spoon password! This could mean a few more hours of driving, which would negate all the extra seconds you have "stolen away" by using U2F over OTP in a single day.
Lastly, handing out security keys to your WordPress clients could obviously be a problem. So why not just roll with one-time passcodes (OTP) or 2FA on your phone? These are valid options, but they have some disadvantages.
U2F vs OTPs
One-time passcodes (OTP) are short numeric codes that are valid for a single use and are sent by text message, generated by an authenticator app, or generated on a separate hardware token. While they are more secure than a password alone, OTPs aren't perfect:
- They are vulnerable to phishing and man-in-the-middle attacks: a fake login page can simply ask for the code and relay it to the real site within the code's validity window
- With hardware tokens, you have to carry around one dongle per website
- SMS messages can be intercepted, for example through SIM swapping
In short, it's not 100% protection. It adds another layer of security, but if someone phishes you, or gets into the email or messaging account your codes are sent to, they can still get into your (or your clients') WordPress back end with an OTP code.
U2F vs 2FA Apps on Mobile Devices
If you're using a 2FA app on your smartphone like Google Authenticator, you might be asking what's wrong with that. Short answer: nothing. In fact, it offers a great layer of security if set up properly, and it can be made stronger by disabling weaker fallback options such as SMS codes, which is less convenient but more secure.
2FA apps are more flexible, but if you leave weak recovery options in place in the name of convenience, they may leave you with a false sense of security.
Benefits U2F security keys have over smartphones:
- A phone is a general-purpose computer, and protecting application logic from malware is difficult on such a platform; a security key does one job, and the private key never leaves it.
- A phone might not be reachable when the battery runs out or when there is no service; a key needs neither.
- Unlike most smartphones, YubiKeys are water resistant and will allow you to kiss in the rain.
Physical Security Keys
For most WordPress users, Defender's 2FA with Google Authenticator on your phone is more than enough. Dedicated security keys offer protection against phishing and man-in-the-middle attacks that apps cannot, and are arguably faster and easier to use once you have set them up and got used to them, but let's face it, the average Joe probably doesn't need a YubiKey.
That said, if you're running an agency with multiple administrators on high-profile client sites, it may be time to consider physical keys for your team.
Google's own U2F case study showed that, on top of becoming a "no-phishing zone", they also saw accelerated employee productivity, reduced support load compared to phone authentication, and even a lower total cost of ownership.
The benefits of physical keys multiply with the number of employees and clients using them and with the number of logins each user makes per day.