If an app generating one-time codes seems too flimsy and intangible a way to protect your accounts, and you want something more solid and reliable that locks your account with a key that literally goes in your pocket, then look no further than hardware tokens based on the U2F (Universal 2nd Factor) standard, created by the FIDO Alliance.
How FIDO U2F tokens work
U2F hardware tokens are the darling of security specialists, primarily because, from a user perspective, they work very simply. To get started, simply connect the U2F token to your device and register it with a compatible service. The whole process takes just a couple of clicks.
After that, to confirm login to the service, you will need to connect the U2F token to the device from which you are logging in and tap the token button (some devices require a PIN or fingerprint scan, but that’s an extra feature). That’s it — no complex settings, entering long sequences of random characters, or other mumbo-jumbo often associated with the word cryptography.
Under the hood, though, things are smart and cryptographically sound: when you register a token with a service, a pair of cryptographic keys is created, one private and one public. The public key is stored on the server; the private key is stored in a Secure Element chip, which is the heart of the U2F token, and never leaves the device.
The private key is used to sign the login confirmation, which is passed to the server and verified using the public key. If someone pretending to be you sends a login confirmation signed with the wrong private key, verification with the public key fails, and the service will not grant access to the account.
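The registration and login flow described above, as an added example in Go that is not part of the original article: the token side generates a P-256 key pair and signs the U2F authentication message (hash of the service's appId, a user-presence byte, a counter, and the hash of the server's challenge) with ECDSA; the server side verifies it with the stored public key and also rejects a counter that did not increase. The type names, the appId and the challenge are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Token models the U2F Secure Element: the private key is generated inside and never leaves it.
type Token struct{ priv *ecdsa.PrivateKey; counter uint32 } // counter rises on every tap
// Register creates a fresh P-256 key pair for this service; only the public key is handed over.
func (t *Token) Register() *ecdsa.PublicKey {
	t.priv, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &t.priv.PublicKey
}
// signedData is the U2F authentication message: sha256(appId) || presence || counter(BE32) || sha256(challenge).
func signedData(appID string, presence byte, counter uint32, challenge []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, counter)
	msg := append(append(app[:], presence), ctr...)
	return append(msg, chal[:]...)
}
// Authenticate is the "tap the button" step: presence=1, the counter advances, the message is ECDSA-signed.
func (t *Token) Authenticate(appID string, challenge []byte) (uint32, []byte) {
	t.counter++
	h := sha256.Sum256(signedData(appID, 1, t.counter, challenge))
	sig, _ := ecdsa.SignASN1(rand.Reader, t.priv, h[:])
	return t.counter, sig
}

// Account is the server's record: the registered public key and the last counter it accepted.
type Account struct{ Pub *ecdsa.PublicKey; LastCtr uint32 }
// Verify checks the signature with the stored public key; a wrong private key, a different appId
// (a phishing origin) or a non-increasing counter (replay, cloned key) all make it return false.
func (a *Account) Verify(appID string, challenge []byte, counter uint32, sig []byte) bool {
	h := sha256.Sum256(signedData(appID, 1, counter, challenge))
	ok := ecdsa.VerifyASN1(a.Pub, h[:], sig) && counter > a.LastCtr
	if ok { a.LastCtr = counter } // remember the highest counter seen
	return ok
}

func main() { // stand-alone demo: register once, then one genuine login
	tok, chal := &Token{}, []byte("constructed-challenge")
	acct := &Account{Pub: tok.Register()}
	ctr, sig := tok.Authenticate("https://example.com", chal)
	fmt.Println("genuine login accepted:", acct.Verify("https://example.com", chal, ctr, sig))
}
```

Because the signed message includes the appId hash, a response produced for one site cannot be replayed against another, which is the property that makes U2F resistant to phishing.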
What sorts of U2F devices are there
The most famous and common example of U2F is YubiKey, made by Yubico. The company essentially spearheaded this standard but chose to make it open, for which purpose the FIDO Alliance was created. And because the standard is open, your choice is not restricted: U2F-compatible devices are produced and sold by various companies, and online stores offer a range of different models.
For example, Google recently introduced a suite of authenticators under the banner Google Titan Security Keys. In fact, they are keys produced by Feitian Technologies (the second most popular manufacturer of U2F tokens, after Yubico) for which Google developed its own firmware.
Of course, all hardware authenticators compatible with the U2F standard will work equally well with any service that is also compatible with this standard. However, there are differences, the most important being the interfaces the key supports. This directly determines which devices it can work with:
USB: for connecting to PCs (it doesn’t matter whether they run Windows, Mac, or Linux; the keys work without installing any drivers). In addition to the usual USB-A, there are keys for USB-C.
NFC: required for use with Android smartphones and tablets.
Bluetooth: required on mobile devices that do not have NFC. For example, iPhone owners still need a Bluetooth-based authenticator. Although iOS now allows apps to use NFC (before this year, only Apple Pay was permitted), most U2F-compatible app developers have yet to take advantage of the feature. Bluetooth authenticators have a couple of drawbacks: first, they need to be charged; second, they take much longer to connect.
Basic models of U2F tokens usually support U2F only and cost $10–$20. Other, more expensive devices ($20–$50) can also operate as a smart card, generate one-time passwords (including OATH TOTP and HOTP), generate and store PGP encryption keys, and be used to log into Windows, macOS, Linux, and so on.