FIDO U2F uses a token that is an inexpensive stateless, no-power, in-channel, call&response, user managed device for second factor authentication in addition to your password. That's how I understand it:

[1] Stateless means that when you establish U2F credentials at different sites, they know nothing about each other (the U).

[2] No-power is about how the token and the site orient with each other, specifically that the token does not support a clock (time window) and is therefore confined to the traditional One Time Pad orientation method of sequence.

[3] In-channel is about the token's communication with the site using the same path as the one established to access the site. An example of out-of-channel tokens is when a site will SMS a PIN to your phone that is good for a brief period of time, or a temp password for a list that is sent to your email.

[4] Call&response describes how these new tokens are more interactive. Pre-U2F YubiKeys are understood by your system as an additional keyboard and simply blurt out an encrypted hash when activated. FIDO U2F likely inhales a salt from the site before generating a hash. Odds are it is much more complicated, but the point is that the relationship is now duplex where it was once simplex.

[5] User managed is about the possessor of the token (you) being the party able to reset the behavior of the token, i.e. the model of authentication is decentralized (but not authorization or audit).

The strategy is to augment your passwords without tying you to a central authority: easy enough to use, good enough to work and ethical enough not to be evil. I would look at Yubico.com for additional information; they sell a token for not much and have a great GitHub site. I could be wrong so YMMV. Looks like an alternative to me.

On Wed, Nov 5, 2014 at 10:10 AM, Yves Dorfsman <[email protected]> wrote:
> Anybody understand the strategy behind Universal 2 Factor?
>
> https://sites.google.com/site/oauthgoog/gnubby
> https://docs.google.com/presentation/d/16mB3Nptab1i4-IlFbn6vfkWYk-ozN6j3-fr7JL8XVyA/edit?pli=1#slide=id.g19c09a112_2_135
>
> Is this supposed to be a step forward from software mfa (google authenticator,
> authy)?
> Or an alternative? (feels like a step backwards).
>
> --
> Yves.
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
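The per-site keys and call&response exchange described in the reply above, as an added Go model written for this page; it is not the poster's code, Yubico's, or the U2F specification. The origins, the challenge bytes and the exact fields that get signed are assumptions for illustration; the real protocol carries more (key handles, attestation) than this sketch.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Token models a U2F authenticator (simplified, not the real protocol): one key pair per site plus a signature counter in place of a clock.
type Token struct {
	keys    map[string]*ecdsa.PrivateKey // keyed by site origin
	counter uint32
}
func NewToken() *Token { return &Token{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a fresh P-256 key pair for a site and returns only the public key.
func (t *Token) Register(origin string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t.keys[origin] = priv
	return &priv.PublicKey, nil
}

// Sign is the token's half: sign the site's challenge bound to the origin and a counter.
func (t *Token) Sign(origin string, challenge []byte) (uint32, []byte, error) {
	priv, ok := t.keys[origin]
	if !ok {
		return 0, nil, fmt.Errorf("no credential registered for %s", origin)
	}
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(origin, t.counter, challenge))
	return t.counter, sig, err
}

// digest hashes origin || counter (big-endian) || challenge, the data both sides agree on.
func digest(origin string, counter uint32, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{byte(counter >> 24), byte(counter >> 16), byte(counter >> 8), byte(counter)})
	h.Write(challenge)
	return h.Sum(nil)
}

// Verify is the site's half: valid signature under the stored key and a counter past the last one seen (rejects replays and clones).
func Verify(pub *ecdsa.PublicKey, origin string, last, counter uint32, challenge, sig []byte) bool {
	return counter > last && ecdsa.VerifyASN1(pub, digest(origin, counter, challenge), sig)
}
```

The site stores only the public key and the last counter it saw, so a second site registered on the same token gets an unrelated key and cannot validate the first site's assertions.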
