Intel and Dashlane are using an innovative, convenient approach to two-factor authentication (2FA) utilizing the U2F protocol.
Dashlane has implemented built-in U2F support for all Windows machines running Intel’s 8th generation chips. Dashlane is an Official Intel Software Partner and the only password manager to support this innovative technology.
What is U2F?
U2F stands for Universal Second Factor. It is an open-source authentication method using USB or NFC devices, standardized by the FIDO Alliance.
If you have your data secured with U2F, you own a physical device (like a Yubikey) which you plug in to your computer as a second-factor of authentication in order to access your data.
Instead of generating a unique code via SMS, email, or a third-party application, the user plugs a physical device through the USB port of his computer and pushes a button on the device to allow the authentication to occur. The reason a physical button needs to be pushed is to prevent a rogue app or website from using the device to silently authenticate without the user knowing.
How U2F Works
When registering a U2F device for a website, it generates a random number which is mixed with the domain name using a hash function (HMAC-SHA256) to generate a public key. This generation uses a secret key which never changes nor leaves the device. Then, the public key and the random number are sent to the server. At this point, your device is registered and linked to your account with the next step being the actual authentication.
When logging into your account, the server will generate a random number which is called a “challenge” and sends it to the device along with the random number generated during the initial registration. Using this number, the device re-generates the private key and uses it to sign the challenge and then send it back to the server. Once the signed challenge is received, the server verifies that the signature on the challenge corresponds to the public key stored during the registration and grants access.
Dashlane already supports this protocol through our partnership with Yubico to provide a solution for their Yubikeys.
What is Intel’s Innovation with U2F Protocol?
Intel’s 8th gen CPUs abide by the U2F protocol, but remove the necessity for an external key, instead relying on the existing CPU hardware as a second factor of authentication.
What that means is that instead of requiring an external U2F key (like a Yubikey), the U2F tech is built-in to the 8th gen CPU, and acts exactly like an external U2F key with regards to registration and authentication. So a user simply needs to be on an 8th gen Intel device, and the device itself acts as the second-factor of authentication.
How Intel’s U2F Protocol Works
Let’s go back to the step in U2F protocol where the device (or, Yubikey) generates the public key.
In that case, the device doesn’t automatically generate a public key when requested. In addition to being plugged into the computer’s USB port, the user is required to perform a physical action (tapping the button).
In the case of Intel’s 8th gen CPUs, there is no physical button to push because U2F is built-in to the device.
How did Intel use innovation to include this button press action without the presence of a physical device?
With Intel’s innovation, the hardware takes control of the display on the screen and overrides Windows (thus separating the display from the operating system — this means that if a malicious agent remotely gains access to your operating system, they won’t see the same display as you, and therefore can’t view the blue square on your screen). A blue square becomes visible on the screen, and acts as a physical button — clicking your mouse on the screen’s blue square is akin to pushing the physical button of a U2F device.
How do we know that this method is as safe as a physical U2F device?
As mentioned above, by overriding the display, the operating system is not aware of what is showing on the screen. So, if a malicious attacker attempts a remote takeover of your Intel 8th gen computer, they will get the display from the operating system, which won’t display the blue button — because the operating system isn’t aware of the U2F process. This ensures that there is someone currently in front of the screen.
How Intel’s U2F Protocol Works With Dashlane
This technology has the potential to greatly improve the security of a user’s data, but it’s no use if the user doesn’t know how to use it. The user experience is different than with a regular U2F key, so we wanted to adapt our application’s design to make it more intuitive to use.
The main issue we ran into is in regards key registration.
If the user has never used Intel’s U2F before, he will see a pop-up with a blue button appearing out of nowhere and wonder what is happening to his device.
To avoid any confusion, we created a mini-onboarding for Intel’s innovation (we have a similar onboarding for physical U2F devices).
This onboarding first checks if the CPU is compatible (ex. 8th generation) and then asks the user if he wants to register his computer. If the user agrees, Dashlane warns the user of what is going to happen: a window with a blue square will appear and the user should click on it. The blue square popup appears only after the user is notified via Dashlane, and therefore the user is ready to click the blue square, instead of being surprised or curious about it.
This Dashlane warning doesn’t appear again, since the user has already gone through the process and understands why the blue square is appearing.
By making Intel’s U2F innovation easy-to-use for all Dashlane users, we hope to raise awareness and adoption of two-factor authentication across all sensitive accounts on any device.