The number of phishing attacks has increased to an immense level during the past few years. This is because the attackers are efficiently implementing the advanced technology in their attacking techniques. Being a victim of these attacks, many companies are now employing effective and complex security techniques to avoid phishing attacks such as the Universal 2^nd^ Factor (U2F) protocol. In this article, you will learn the working concept of U2F and why it is considered more secure than other multifactor authentication techniques.

U2F Protocol

Universal 2nd Factor (U2F) protocol (or hardware-based 2-factor authentication) was introduced in 2011 featuring a built-in mechanism to verify that the user is on a right website without requiring the user's involvement. It is an open standard for 2FA consisting of public-key cryptography. U2F has undergone many technical improvements to better serve Chrome, Gmail, and many other browsers. In 2019, Web Authentication API was announced as the new global standard based on FIDO U2F security keys for securing the modern browser against phishing attacks. But by that time, Google mitigated phishing attacks through its 85000 employees using hardware tokens.

How does Hardware 2FA (or U2F) Work?

U2F works on the principle of public-key cryptography to verify the identity of users. In this mechanism, a pair of keys, mathematically connected, is used: one key is called as the public key and the other one is the private key. In U2F, the private key is generated through a unique process that is secretly embedded and cannot be disclosed from your U2F token. The key pair works in a way that the text message encrypted by a public key and sent to you can only be decrypted by the private key that you have, no one else can unlock it otherwise. The working of U2F consists of two steps discussed as follows:


For registration of the security token, the server sends a random number to a user's device along with an AppID which is a unique URL for the app, such as After receiving the information, the user is directed to accept the request by clicking a press button on the hardware token. The hardware token will generate a nonce and link it with the AppID and the secret key using HMAC-SHA256 for the generation of a private key. This private key is then used to generate the public key. The public key and nonce are stored in the server to use later during the authentication.


For authentication, when users enter their username and passwords, the server remembers that a security token is registered with this user and thus, generates and sends back a new random number with the AppID and nonce created during the registration step. Again, the user will be asked to click a press button on the hardware token which will re-create the same key pair generated during the registration process using the received information. The user's device will encrypt the random number sent by the server with the private key and send it back to the server. This random number can only be decrypted by the public key derived from the same private key which is already stored in the server during the registration step. The server will use the stored public key and try to decrypt the random number. If the decryption happens successfully, it means the user is authenticated.

Why Hardware 2FA is better than software 2FA?

There are several advantages of hardware 2FA over software 2FA:

  • Hardware 2FA is more resistant to phishing attacks than software 2FA.
  • More secure and leak-resistant than software 2FA. Software 2FA is based on a shared secret between the user and the server. If the shared secret gets leaked from the server, the attacker can use it to generate the correct passcodes.
  • However, in case of hardware 2FA, if the public key is leaked from the server, the attacker can't open the account unless he has the private key as well.
  • Hardware 2FA cannot be misused remotely by automated bots.
  • Hardware 2FA authenticates users four times faster than the authenticator apps.
  • However, U2F has one drawback that it does not provide backups to users which can be an issue in case a user loses his token.

Driving Up the Adoption of U2F

Unfortunately, the adoption rate of U2F is very low due to two issues:

  • To use U2F, users are required to buy a hardware token
  • Applications are required to implement protocol to enable users to use them in the beginning

The popularity of U2F is not as much as of SMS and software 2FA as it is not well-supported. If you want your users to use U2F, Auth0 provides you the option as it supports WebAuthn with FIDO (U2F) security keys.

Testing SMS and 2FA hardware

If you use two factor authentication you should definitely test it. MailSlurp provides phone numbers via API for testing SMS authentication and verification. Create a free account today.