Eight months after the National Institute of Standards and Technology (NIST) urged government agencies to move away from text messages as a second authentication factor in favor of hardware-based alternatives, the obvious candidate — cheap but secure “U2F” (universal second factor) USB keys — remains mostly absent from federal employee keychains.
That may be disappointing but shouldn’t be surprising. Although federal CIOs can push adoption of these keys, which authenticate by cryptographically signing a challenge from the site rather than by supplying a code, they face the same obstacle as consumer platforms: limited browser support.
The first widespread federal U2F deployment launched in September at the Department of Veterans Affairs’ Vets.gov site. McLean, Va.-based ID.me added the option to a suite of two-step verification methods that also includes one-time codes sent to phones by text message and codes generated by mobile authenticator apps.
The phone network is vulnerable to social-engineering attacks in which an attacker persuades a carrier to transfer a victim’s number to a phone the attacker controls, while moving authenticator apps to a new phone can be as tricky as setting up two-step verification from scratch. U2F keys, however, cost only about $10, work independently of telecom services and any particular device, and bind each signature to the site’s origin, so a code phished or replayed by a look-alike site is of no use to the attacker. A 2016 Google study found them faster to use than SMS and app-generated codes, with fewer support incidents.
But at Vets.gov, the most popular verification method so far remains text messages.
“Today, the vast majority of users are selecting SMS as their 2FA option, as this is the option they are most familiar with,” ID.me chief marketing officer Julie Filion wrote in an e-mail.
Among vets who have opted to buy a U2F key, associate it with their account, and plug it into a computer’s USB port (some keys also work with a mobile device over NFC), ID.me has at least avoided major tech-support burdens.
Vets choosing U2F keys “are typically already familiar with how to use them,” Filion said. “We also note the browser limitation upfront.”
The Department of Defense is researching a broader transformation of identity management, according to Federal News Radio.
(An Apple PR rep said the company couldn’t comment on future products. Microsoft did not respond to requests for comment.)
The World Wide Web Consortium (W3C) is now working to turn this authentication method into an official standard, WebAuthn. The head of a major U2F key vendor voiced optimism that this would coax broader browser support.
“We expect several major browsers’ support to launch later this year,” said Stina Ehrensvard, CEO of Yubico, in an e-mail sent by a publicist.
She also pointed to an upcoming project to add U2F authentication to a single sign-on system for first responders, as well as Yubico’s application for certification under the government’s FIPS 140-2 cryptographic module standard.
That leaves the state of U2F support in government much as it is in the consumer space—it works, but you probably don’t use it. Or as a Forrester report assessed matters last year, U2F is “mature, albeit fragmented.”