U2F is an open authentication standard that provides strong, two-factor authentication using a physical security key. It was developed by Google and Yubico and maintained by the FIDO Alliance. U2F uses public-key cryptography where the key is stored on a physical device rather than in software. This provides stronger security against phishing and man-in-the-middle attacks compared to one-time passwords. U2F keys can be used across multiple websites and support an unlimited number of accounts since each key generates a new key pair per registration.

1. U2F Under the Hood
1

2. What is U2F ?
 Universal 2nd Factor
 Open standard
 Physical device using USB, NFC or Bluetooth
(depends on model)
 Goal: Strong authentication and online privacy
 Initially developed by Google and Yubico
 Maintained by FIDO Alliance
 Draft W3C standard (Web Authentication)
 Support in Chrome (now), FF and Edge (soon)
2

3. Dashlane User Experience
3
Registering an U2F key
 Request to add a key
 Insert key in USB port
 Push button on key (if present)
 Done !

4. Dashlane User Experience
Login with a registered U2F key
4
 Enter 1st authentication factor
 Insert key in USB port
 Push button on key (if present)
 Done !

5. How does it work ?
5

6. Base Challenge – Response protocol
6
FIDO Authenticator
(USB key)
FIDO Client
(Browser or App)
Relying Party
(Website)
challenge
challenge
Sign challenge
with private key
sig(challenge)
sig(challenge)
 Classic Public/Private key challenge-response
 Uses ECC (Elliptic Curve Cryptography)
Decrypt signature
with public key
Validate data
Generate and store random challenge

7. Registration challenge
7
FIDO Authenticator
(USB key)
FIDO Client
(Browser or App)
Relying Party
(Website)
app id, challenge
Sign challenge, public key,
app id and key handle
pub key, handle,
sig(challenge, pub key, handle, app id)
Decrypt signature
Validate data
 Authenticator generates new public/private key pair for each registration
 Additional data during registration:
 Application id (challenge)
 Public key + key handle (response)
app id, challenge
Generate key pair and key handle
pub key, handle,
sig(challenge, pub key, handle, app id)
Store pub key, handle in account
Generate and store random challenge

8. Authentication challenge
8
FIDO Authenticator
(USB key)
FIDO Client
(Browser or App)
Relying Party
(Website)
Generate and store random challenge
handle, app id, challenge
Sign challenge and app id
sig(challenge, app id)
Decrypt signature
Validate data
 Additional data during authentication:
 Application id + key handle
Find private key for key handle
Grant access
handle, app id, challenge
Find key handle in user account
sig(challenge, app id)

9. 9
Advantages

10. Strong privacy
 Only guarantee of successful authentication challenge :
 Same U2F key used for auth and registration
 No unique identifier for the key
 New key pair generated at every registration
 No reliance on shared secret with the website (contrary to OTP)
 A single U2F key can be used:
 By same user on 2 websites
 By 2 users on 1 website
 By 1 user creating 2 accounts on same website
 website can’t track the user by U2F key usage
 Tracking is still possible by other means, of course
10

11. Protection against website security breach
 OTP is vulnerable to security breach
 If attacker steals shared secret, he can generate passwords
 If the attacker steals U2F public key and key handle
 Public key cryptography makes them useless for attacker
 He can’t compute the private key
 So he can’t authenticate on legitimate site
11

12. Protection against MITM or Phishing
 Attacker intercepts and forwards user’s requests
 Phishing mail with link to hacker’s site mimicking legitimate site
 DNS spoof to redirect goodsite.com to hacker’s server
 …
 OTP is vulnerable
 One-Time Passwords are still passwords
 If the attacker can use it before the user, he wins
12

13. Protection against MITM or Phishing
 U2F challenge message contains legitimate site’s app id
 If the attacker doesn’t change the app id (https://goodsite.com)
 Browser knows challenge comes from wrong site (https://hacker.com) or
using wrong protocol (http://goodsite.com using DNS spoof)
 Browser denies usage of U2F key
 If the attacker changes the app id
 U2F key signs attacker’s app id with its private key
 Legitimate site can see the app id in response doesn’t match his own
13

14. Support for unlimited number of websites
 OTP requires client and server sharing a secret
 Not a problem for software clients (e.g. Google Authenticator)
 Cheap hardware has very limited storage
 Yubikeys using OTP support at most 2 sites
 U2F private key is retrieved from key handle
 Software clients use key handle as index in private key map
 Hardware clients can encrypt part of private key in key handle
 Uses no storage  very cheap device
 Safe as long as nobody else can decrypt key handle
14

15. Support for unlimited number of websites
 Yubico’s implementation
15

16. Questions ?
16

17. We’re changing the world… one password at a time
Dashlane wants to make identity and
payment simple and secure everywhere!
17
Want to be a part of life in the Dashlane?
Visit dashlane.com/jobs for all the info!
Dashlane is a premier, award-winning password manager and
digital wallet, intrinsically designed to make identity and payments
simple and secure on every website and every device.
We’re a rapidly growing, tech startup using the world’s best security
and privacy architecture to simplify the lives of more than 3 billion
Internet users worldwide.
Since our first product launch in 2013, our brilliant team of engineers and developers tirelessly work on new coding challenges, build code using
the latest up-to-date frameworks for native development across desktop and mobile, use cutting-edge web service architecture, and are at the
forefront of building applications that help millions of people every day!
So far, all of our hard work has been paying off! Dashlane was recently recognized by Google as one of the “Best of 2015” apps! Google also
recognized our Android password manager as an Editors’ Choice winner on the Google Play Store, and selected Dashlane to demo its adoption
of Android M fingerprint technology at Google I/O!

18. We work with the latest technology!
See our code in action! Check out some of our
projects on Github!
Github.com/Dashlane
In addition, each member of the Dashlane team can take some time to
share his insights in Tech Conferences and become a thought leader
in the tech community.
18
Alexis Fogel
@ Droid Con
Goo.gl/7h4guk
Emmanuel Schalit
@ The Dublin
Web Summit
Goo.gl/M4H7vg
Emmanuel Schalit
@ Le Wagon
Goo.gl/kvPLG0
Desktop Mobile Web App/Server Security
Dashlane is dedicated to building high-quality user experiences on Mobile, Desktop, and on the web using the latest up-to-date
technologies and languages.

19. Ready to join #LifeInTheDashlane?
We’re filling our ranks from top to bottom with
some of the smartest and friendliest developers
and engineers in the industry! Come join us!
Visit Dashlane.com/jobs to learn more about
joining the Dashlane team!
19
Dashlane.com/stackoverflow
Dashlane.com/linkedin
Dashlane.com/vimeo
Dashlane.com/blog
Also visit us here: