fido-u2f


Why is U2F login a two-step protocol?

In theory, logging in with a registered token could be accomplished in a single step:

1. The server sends a challenge with the login form.
2. The user responds with username, password and signed challenge.

However, the FIDO protocol adds an additional step:

1. The user submits username/password.
2. The server sends a challenge to the user.
3. The client submits the signed challenge.

What is the security rationale for the additional step?
Short answer
Because there are several keys on the FIDO U2F device and anonymity/privacy is assured between different services.
Details
Each time a user associates (enrollment/registration step) a FIDO U2F device (USB Token/Security Key or NFC Card or BLE device soon) with his online service account, a new key pair is created for this identity with a reference id (Key Handle); the public key and key handle are sent to and stored on the server side. Key pairs (identities) are not shared between different online services (e.g. the key pair created for a Gmail account won't be used for a Facebook account).
Once a key pair is created, when the user sends his username and password (the authentication step), the server checks which key handle(s) are already associated with this account, and the key handle(s) are sent with the server challenge to the client (browser, then FIDO U2F device) in order to ask for the right private key to be used for the signature.
Side Note: One FIDO U2F device can be associated with several online services accounts. One service account can be associated with several FIDO U2F devices.
More details
Here is a quick FIDO U2F CHEAT SHEET I made to better understand registration and authentication steps because it is easy to get lost inside official FIDO U2F specification:
http://www.neowave.fr/pdfs/FIDO-U2F-CHEAT-SHEET.pdf
The server must know who is going to log in; in this case, the username must be provided. The first process you describe is an identification process, in which the server needs to retrieve who is going to log in from the whole database, while the second one is the authentication process, in which the server needs to verify that the user is the right person. Normally, when you log in to a certain website, it is an authentication process; that's why we need one more step.
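To make the two answers above concrete, here is an added Go model of the flow (example code written for this page, not code from either answer, from the linked cheat sheet or from any U2F library). It uses P-256 ECDSA and the U2F signed-message layout (application parameter, user-presence byte, counter, challenge parameter), but the token simply stores one private key per key handle instead of deriving it from a device secret, and the server names, usernames and app IDs are constructed placeholders. It shows why the username must come first: the server looks up the key handles enrolled for that account, sends them with a challenge, and the token can only sign once it knows which of its many keys to use. It also shows that a handle enrolled at one service is rejected by another and that a signature over the wrong app ID does not verify.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models a U2F token: one P-256 key pair per registration,
// addressed by an opaque key handle, plus a signature counter. (Real tokens
// usually derive the private key from the handle and a device secret; this
// simplified model just stores it.)
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // key handle -> private key
	counter uint32                       // increments on every signature
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a fresh key pair for one (service, account) pairing and
// hands back the key handle and public key for the server to store.
func (a *Authenticator) Register() (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	hb := make([]byte, 16)
	if _, err := rand.Read(hb); err != nil {
		return "", nil, err
	}
	handle := hex.EncodeToString(hb)
	a.keys[handle] = priv
	return handle, &priv.PublicKey, nil
}

// Sign answers a challenge with the key behind keyHandle. Without a handle
// the token cannot choose among its keys, which is why the server must
// identify the account before it can challenge the token.
func (a *Authenticator) Sign(keyHandle, appID string, challenge []byte) ([]byte, uint32, error) {
	priv, ok := a.keys[keyHandle]
	if !ok {
		return nil, 0, errors.New("token: unknown key handle")
	}
	a.counter++
	digest := signedData(appID, a.counter, challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return sig, a.counter, err
}

// signedData builds the U2F-style message that is signed: application
// parameter, user-presence byte, counter, challenge parameter.
func signedData(appID string, counter uint32, challenge []byte) [32]byte {
	app := sha256.Sum256([]byte(appID))
	chal := sha256.Sum256(challenge)
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, counter)
	var msg []byte
	msg = append(msg, app[:]...)
	msg = append(msg, 0x01) // user presence asserted
	msg = append(msg, ctr...)
	msg = append(msg, chal[:]...)
	return sha256.Sum256(msg)
}

type registration struct {
	keyHandle string
	pub       *ecdsa.PublicKey
	counter   uint32 // last counter seen; must strictly increase
}

// Server is one relying party (one app ID). Key handles enrolled here mean
// nothing to any other server.
type Server struct {
	AppID    string
	accounts map[string][]*registration
	pending  map[string][]byte // username -> outstanding challenge
}

func NewServer(appID string) *Server {
	return &Server{AppID: appID, accounts: map[string][]*registration{}, pending: map[string][]byte{}}
}

func (s *Server) Enroll(username, keyHandle string, pub *ecdsa.PublicKey) {
	s.accounts[username] = append(s.accounts[username], &registration{keyHandle: keyHandle, pub: pub})
}

// BeginLogin runs after username/password are accepted: it looks up which
// key handles belong to this account and issues a fresh challenge for them.
func (s *Server) BeginLogin(username string) ([]byte, []string, error) {
	regs := s.accounts[username]
	if len(regs) == 0 {
		return nil, nil, errors.New("server: no U2F registration for account")
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return nil, nil, err
	}
	s.pending[username] = challenge
	handles := make([]string, 0, len(regs))
	for _, r := range regs {
		handles = append(handles, r.keyHandle)
	}
	return challenge, handles, nil
}

// FinishLogin verifies the signature with the public key stored at enrollment,
// rejects replays (the challenge is single-use) and non-advancing counters.
func (s *Server) FinishLogin(username, keyHandle string, counter uint32, sig []byte) error {
	challenge, ok := s.pending[username]
	if !ok {
		return errors.New("server: no pending challenge")
	}
	delete(s.pending, username)
	for _, r := range s.accounts[username] {
		if r.keyHandle != keyHandle {
			continue
		}
		digest := signedData(s.AppID, counter, challenge)
		if !ecdsa.VerifyASN1(r.pub, digest[:], sig) {
			return errors.New("server: bad signature")
		}
		if counter <= r.counter {
			return errors.New("server: counter did not increase, token may be cloned")
		}
		r.counter = counter
		return nil
	}
	return errors.New("server: key handle not registered for this account")
}

func main() {
	token := NewAuthenticator()
	mail, social := NewServer("https://mail.example"), NewServer("https://social.example")
	// One token, two services: two independent key pairs and key handles.
	h1, p1, _ := token.Register()
	mail.Enroll("alice", h1, p1)
	h2, p2, _ := token.Register()
	social.Enroll("alice", h2, p2)
	// Step 1 identifies the account; step 2 challenges the handles enrolled for it.
	ch, handles, _ := mail.BeginLogin("alice")
	sig, ctr, _ := token.Sign(handles[0], mail.AppID, ch)
	fmt.Println("mail login:", mail.FinishLogin("alice", handles[0], ctr, sig))
	// The mail key handle is unknown to the social service.
	ch, _, _ = social.BeginLogin("alice")
	sig, ctr, _ = token.Sign(h1, social.AppID, ch)
	fmt.Println("cross-service handle:", social.FinishLogin("alice", h1, ctr, sig))
}
```

The pending-challenge map is what makes the second step meaningful on the server side: the challenge is minted only after the account is known, consumed on first use, and tied to this server's app ID, so a response captured elsewhere or replayed later does not verify.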