Online services have traditionally relied on passwords for authentication, a convenient choice for developers because passwords are very easy to implement. To mitigate their vulnerabilities, users are often required to choose long and complex passwords and to use a two-factor authentication mechanism, such as entering codes sent to their phone number. These two additional security measures, however, lead to a poorer user experience.
U2F is one of the most recent and promising attempts to augment online security in a more usable way. It increases the security of online authentication via a simple and affordable hardware device that attaches to a key ring. This improves upon present two-factor authentication mechanisms and removes the need for complex passwords.
In spite of its potential, U2F remains a technological oddity rarely offered by online services. In an effort to increase its adoption, this project develops auth-abstractor, a PHP library for easily adding support for U2F to a new or existing web application. Another contribution of this work is security-comparator, an online service that uses the library to collect and compare results about users’ performance when using different security strategies (e.g. a complex password versus a simple password combined with U2F).