Feitian MultiPass FIDO U2F

Two-factor authentication via the U2F standard is often perceived as something that can only be used on a computer, with a USB key. This is not the case, even if manufacturers and developers do not always play along. The Feitian FIDO Multipass is a perfect example.

Last month, Google announced the implementation of its Advanced Protection Program, a feature that anyone can activate on their account. It limits access to third-party applications, is more restrictive in the event of a fraudulent login attempt and makes the use of U2F security keys mandatory.

U2F: USB, but not only USB

The problem: while this FIDO Alliance standard is often used via USB devices, that is awkward on smartphones. There are solutions, however, such as NFC. The manufacturer Yubico has been offering a compatible model, the Neo, for some time now. Unfortunately, due to Apple's limitations on NFC under iOS (see our analysis), it can only be used on Android.

Google therefore recommends choosing another model as the main, cross-platform key: the Multipass FIDO from the Chinese manufacturer Feitian. It has a USB port but also supports NFC and Bluetooth Smart, which ensures that it works in desktop browsers, on Android and on iOS.

It is only available on Amazon, which handles shipping, for just under 22 euros. Intrigued, we ordered it to see what it can do and how it is used in practice.

Bluetooth Smart or NFC: each with its own strong point

First of all, a reminder: U2F is a standard for two-factor authentication. It lets you supplement your username and password with a random code to secure the login to compatible services. This code is obtained from a security key, which must therefore be connected to the device.

This can be done via USB, but also wirelessly via NFC or Bluetooth Smart (formerly LE, for Low Energy). The latter solution was formalized in mid-2015. As mentioned above, which one you can use depends on the platform.

If you only log in from a computer, USB will suffice. On Android, NFC has the advantage of being supported by several products, while Bluetooth has that of being built into almost all smartphones. On iOS, only Bluetooth can be used, as Apple still severely limits what NFC can do on its mobile platform.

Here, you only have the choice between two products, Feitian's being the one chosen by Google. Yubico said last year that it was working on the subject, but has not made anything official since.

A compact key, with a female Micro USB port

The Feitian FIDO Multipass is a small key fob (47.3 × 29.3 × 8.3 × 8.3 mm) with one button and three LEDs on the front: Bluetooth, NFC and… the state of charge. The first distinctive feature of a Bluetooth security key (even a Smart one) is that it includes a battery.

It recharges over USB (5 V, 22 mA); its stated capacity is 35 mAh, for three months of battery life at an average rate of ten connections per day. The port is a female Micro USB. A cable is therefore required to connect the key to a computer, which is less convenient than models with a male USB Type-A or Type-C connector.

On the back are the key's reference and its Bluetooth pairing code. It all ships in a rather minimalist package with a short quick-start guide (in English) and a USB cable. The complete manual is available in PDF format on the Feitian website.

Fairly simple to use, with an application to install for Google under iOS

For the moment, U2F two-factor authentication from a mobile device is offered by almost no service other than Google. While we hope that support will expand, we used the American giant's solution to test today's product.

As expected, operation is quite conventional. In a desktop browser, plugging in the key is enough. This is the preferred way to add it to your account, through the security settings. We regret in passing that, although Firefox now supports U2F, Google still requires the use of Chrome. Do not count on Bluetooth or NFC here: only USB can be used.

On Android, everything is also native when using NFC. When adding a Google account, you simply hold the key against the smartphone's detection zone (NFC must therefore be enabled) for the two-factor authentication to be validated. If you choose Bluetooth, you will need to have paired the key with the device beforehand.

To do this, press the button on the front for 5 seconds (with USB disconnected); the Bluetooth LED then flashes. This indicates that the key can be added, by confirming the code on the back of the key.

On iOS, only Bluetooth can be used. This pairing procedure is therefore also necessary, but Google requires that the login go through a specific application: Smart Lock. It is currently the only way to handle two-step verification on Apple's mobile OS.

It checks that the Bluetooth pairing has been performed. If so, your login is validated and you can then use your Google account from any of the Internet giant's other applications.

U2F: the ball is in the developers' court (and Apple's)

In the end, the Feitian FIDO Multipass key has the advantage of being inexpensive (watch out for customs fees if you import it), compact and compatible with the main operating systems. Those who wish can use it alongside a more traditional security key with a built-in male USB connector.

It remains regrettable, however, that developers do not implement U2F more fully in their applications. It is still too rarely offered on mobile devices, even though Bluetooth and NFC solutions are available. Once again, Google is one of the few that is really responsive in this area, and that's a shame.

Let's hope that the arrival of Firefox and of this kind of multi-interface key will encourage them to take things a little more seriously. We also hope that Apple will eventually change its stance on NFC to allow a larger number of security keys to be used. It could hardly be otherwise for a company that claims to put the security and privacy of its customers first.

