Too much to learn about Yubikey
Reference: Yubico
Glossary
FIDO Alliance
- an open industry association
- adopt certain standards of authentication
FIDO Universal Second Factor (U2F)
- developed by Yubico and Google
- A protocol designed to act as a second factor to strengthen existing username/password-based login flows.
- built on Yubico’s invention of a scalable public-key model in which a new key pair is generated for each service and an unlimited number of services can be supported
Three main ways to use FIDO U2F in authentication
- passwordless or without a token
- with a hardware security key
- mobile, using NFC with a security key


References:
FIDO U2F Certified
FIDO Alliance manages functional certification programs for its various specifications (e.g. U2F and FIDO2) to validate product conformance and interoperability.
FIDO 2
FIDO 2 is an extension of FIDO U2F which provides an extended set of functionality to cover additional use-cases, with the main driver being passwordless login flows.
Auth options offered:
- strong single factor (passwordless)
- Authentication + touch/tap
- strong two factor
- multi-factor (MFA)
- authentication + touch/tap + PIN
Types of 2FA
- Hardware Security Keys
- SMS 2FA
- Authenticator Apps
- Mobile Push
OATH
OATH is an organization that specifies two open authentication standards:
TOTP - a 6-8 digit code that changes every 30 sec
- code is generated using HMAC(sharedSecret, timestamp)
HOTP - uses an authentication counter
- requires no clock
- is susceptible to losing counter sync (the token's counter runs ahead of the server's)
One-Time Password (OTP)
An OTP is typically sent via SMS as a part of two-factor authentication. NIST has recently deprecated SMS as a weak form of 2FA.
OpenPGP
OpenPGP is an open standard for signing and encrypting. It enables RSA or ECC sign/encrypt operations using a private key stored on a smartcard (such as YubiKeys), through common interfaces like PKCS#11.
GPG?
GPG (GnuPG) is a complete and free implementation of the OpenPGP standard.
PGP
Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication.
PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications.
Personal Identity Verification (PIV)
A PIV credential is a US Federal government-wide credential used to access Federally controlled facilities and information systems at the appropriate security level.