Two-factor authentication is easy, with JaCarta U2F as an example

    Today we’ll talk about the U2F standard developed by the FIDO Alliance, of which we are a member , and the electronic key of our own development, JaCarta U2F , and, of course, show some examples of its use.

    What does a person think about after hearing the mention of words like two-factor authentication, an electronic key, a USB token, a smart card? A person who is far from immersed in information security technology may remember one-time SMS passwords for entering the bank, and someone will think about public key infrastructures, certificates, and trust chains.

    Meanwhile, the U2F protocol developed by the FIDO alliance is gaining popularity among Internet companies and shows that two-factor authentication is not only safe, but easy and simple, and most importantly it is clear to the end user, a non-technical specialist.

    True, there is a minus, in contrast to centralized enterprise use, this same end user must take care of strengthening authentication to his favorite services and acquire such a token for himself , and services, in turn, must support U2F in advance.

    There are already quite a lot of such services, and their list is constantly expanding. At first, the U2F standard was supported by Google (gmail, youtube, etc), Dropbox, Github. Now joined Facebook, Salesforce, Bitbucket, Dashlane and other services and companies. U2F received a great development in the cryptocurrency environment on various crypto exchanges and crypto-wallets, for example Bitfinex, Coinbase and others. We will talk about this separately later.

    Hacking accounts on social networks, mail and other services is not news, it is always unpleasant, and often associated with financial or reputational losses, and, as a rule, hacked accounts are protected only by a simple, maybe not simple, but still one password, without second authentication factor. The popularization of the second factor, in principle, and U2F in particular, leads to an increase in the general level of computer literacy and security.

    If the service itself has not yet added the ability to bind the U2F key as an authenticator, it may be possible to do this through two-factor authentication providers, for example, duo security, and access can be configured not only in web-applications. Strictly speaking, such cloud platforms use not only U2F as authenticators, and their capabilities are much wider. But we could not miss this opportunity in our review article.

    We have provided another way to integrate U2F in our JaCarta Authentication Server (JAS) authentication server . Embedding is done by configuring the server and adding the necessary code to the site, access to which must be protected.

    Setting and use examples


    As an example of a resource where U2F support has already been implemented, take Google as the most popular.

    And for an example of authentication using a cloud-based authentication provider, duo.com service and a website on the WordPress platform.

    Google



    1. Sign in to your Google Account.
    2. Go to the account settings page by clicking on the "My Account" button in the upper right corner of the page.


    3. Go to the Security and Login section.


    4. In the "Password and Account Login Method" section, click on the "Two-step authentication" link.


    5. Click on the “Proceed with setup” button and follow the instructions.
    6. During the setup process, uncheck the "Trusted computer" box. Otherwise, the token will not be used when entering the account.


    7. Go to the “Tokens” tab and click on the “Add hardware token” button.


    8. Connect the token to the USB port and wait until the indicator light on the token body lights up continuously.
    9. Press the “Register” button, after which the indicator light will blink.
    10. Press the button on the token body.
    11. Token registration is complete.


    Now check the input.

    To log in to your Google account profile using JaCarta U2F:

    1. Connect JaCarta U2F to your computer and go to https://www.google.com .
    2. In the upper right part of the page, click on the Login button.


      A page appears with the following form.


    3. Enter your email address and click Next.

      The following form will be displayed.


    4. Enter the password for your account and click Sign In.

      The following page is displayed.


    5. Uncheck Remember on this computer.

      If you leave the Remember on this computer checkbox selected, the two-factor authentication mode for accessing the account on this computer will be disabled. To enter, you only need to enter the user password.
    6. Press the button on the JaCarta U2F.

      Logging in to your Google Account Profile.


    WordPress Website Authentication Using Duo.com Cloud Authentication Provider


    To protect any application or protocol using the DUO platform tools, you must choose what to protect in the platform itself and associate the platform with the protected application.

    Add a Duo plugin from the Web site, for this, in the Plugins menu in the search, find Duo-Two-Factor Authentication and click Install. After installation, click Activate.


    From the platform side, go to the Applications menu and select Protect an Application.


    In the search menu that appears, type in WordPress and click Protect this Application.


    3 key fields are displayed, Integration Key, Secret Key and Hostname API.




    The values ​​of these fields must be transferred to the corresponding fields of the plugin on the Web site.


    This completes the configuration of the Web site with the DUO platform. Next, authenticate with the password on the Web site where the Duo platform was previously linked.


    An installed and configured Duo plugin will offer to set up account protection. Click Start Setup.


    Choose U2F-token.


    Connect the JaCarta U2F to the USB port and follow the instructions.


    Upon completion, you will be taken to the admin part of the site, having authenticated using JaCarta U2F.

    The services themselves usually have their own instructions for configuring U2F, and they are quite simple to find, here are some examples.

    Facebook

    GitHub

    Dropbox

    Google

    In conclusion, here are a few frequently asked questions and answers to them.

    How to access the resource if the U2F key is lost? It's quite simple, there is a backup method for two-factor authentication in the form of code via SMS or email. And after entering the account, you can break the connection with the lost key and set up a new one.

    How many resources can be added to 1 key? Almost limitless.

    What platforms does U2F use?A device with any operating system, with a browser that supports U2F (currently Google Chrome version 38 and higher, Opera version 40 and higher FireFox via a special plug-in), and a free USB port.

    Also popular now: