Logging In With A USB Key (U2F Explained)
Techquickie · 2019-05-06
0:00
Thanks for watching Techquickie. Click the subscribe button, then enable notifications with the bell icon so you won't miss any future videos.
0:06
Have you ever heard "Oh, well, sorry, my account got hacked" as an excuse for an incredibly inappropriate
0:14
post on social media?
0:15
Well, for me, it's kind of becoming the modern equivalent to "the dog ate my homework,"
0:21
especially because so many major web services offer two-factor authentication
0:26
to keep intruders out of your account, a feature that asks for something else in addition to your password,
0:33
typically one of those six-digit codes from an authenticator app on your phone.
0:38
So you can learn all about how those work up here.
0:40
But what if you're tired of punching in that string of numbers whenever you log in? Well,
0:46
then you might be interested in a physical security key using the universal two-factor, or U2F, standard.
0:54
You see, instead of a code that
0:55
changes every 30 seconds, U2F relies on a small
1:00
physical chip on a little gadget that looks a bit like a USB flash drive that you can keep on your keychain
1:06
or in some kind of safe location.
1:09
Typically, all you need to do to set one up is tell whichever service you're using that you have a U2F key, then
1:16
insert it into a free USB port. Some of them even support NFC,
1:20
so you can use them with your Android smartphone, and iOS users very recently got support for U2F
1:26
devices over NFC with the YubiKey NEO if you're using an iPhone 7 or newer.
1:31
So after you insert or tap your key, a number of things happen in the background.
1:36
The key will randomly generate a public and private key pair, with the private key
1:42
never leaving the physical U2F key, and the public key will get sent to a server.
1:47
Your key will also send the random number that it picked to generate these keys originally, called a nonce,
1:54
as well as a checksum that serves
1:56
to identify that specific physical key.
1:59
Then, when it's time to come back later and log in, you enter your username and password
2:04
like you normally would, and the server will send you that same nonce and checksum back to your U2F key
2:11
along with a different number. Your physical key will then use the nonce and checksum from the server to
2:18
regenerate the private key, and since each physical U2F key uses a different secret for key generation,
2:24
only the original key you used to register will work.
2:29
Your U2F key then signs the number that was sent to it with the private key, and the result is sent to the server,
2:36
which then unlocks it with your public key from your U2F key to allow you to access it.
2:42
It sounds complicated,
2:44
but all of this happens without any intervention from the user other than simply plugging in a USB stick, and the benefits are
2:52
definitely worthwhile because it also
2:54
protects against phishing attacks.
2:57
Numeric authentication codes are definitely way better than having no two-factor protection at all,
3:02
but they can still be stolen if you accidentally enter them on an imposter website.
3:08
U2F helps to stop this by using the original domain of the site as part of the
3:14
secret sauce it uses to generate the private key for that account.
3:18
So if you use your physical key to log in to an attacker's website, the response it will
3:24
send to that hostile server will be completely useless, and the bad guys
3:29
won't be able to use it to get into your account. And
3:32
the companies that make U2F keys have added their own additional security features on top of this base
3:39
public key encryption strategy. The ever-popular YubiKey, for example, requires you to touch a sensor on the USB stick
3:47
before it authenticates, ensuring that there's an actual human trying to gain access and not some kind of malware box.
3:55
With all of that said, as great as this kind of physical security can be,
3:59
you still need to make sure you don't do anything dumb, like drop your keychain in a shady part of town which
4:10
Racing against the clock as a freelancer? Well, it's challenging, but thanks to the growth of the internet,
4:14
there's never been more opportunities for the self-employed, and to meet this need, FreshBooks created their cloud accounting software.
4:21
Designed for the way you work, FreshBooks is the simplest and easiest way to be more productive, more organized, and, perhaps
4:28
most importantly, get paid faster. You can create and send professional-looking invoices in less than 30 seconds.
4:34
You can set up online payments with just a couple of clicks and get paid up to four days faster.
4:38
You can see when your client has seen your invoice and put an end to the guessing games.
4:42
And they've got fully featured apps for both Android and iOS,
4:46
so you can take the FreshBooks experience with you on the go. They're offering a 30-day unrestricted free trial to our viewers.
4:52
So to claim it, go to freshbooks.com/techquickie and enter Techquickie in the "How did you hear about us?" section.
4:58
We'll have that linked below.
4:59
So thanks for watching, guys. Dislike or like, check out other channels, leave a comment with video suggestions, and
5:06
What was he gonna say?
5:09
You guys, I know what I was gonna say, not you. I meant the viewer was supposed to guess: subscribe.
5:14
You know what? Forget it. I quit.