
Doubling down: How Universal 2nd Factor (U2F) boosts online security


Passwords have long been the bedrock of online security, but the vulnerabilities are obvious, ranging from human error to phishing attacks. Universal 2nd Factor (U2F) could significantly enhance online authentication, complementing tried-and-trusted methods to bolster user safety. 

It’s increasingly clear that passwords alone simply aren’t enough. If a password is stolen or otherwise breached, the consequences can be serious. According to the Verizon 2024 Data Breach Investigations Report (DBIR), stolen credentials appeared in almost a third (31%) of breaches over the past decade. 

Even if your password is strong, it doesn’t mean you’re safe. While poor choices like ‘password’ or ‘123456’ featured among the top five stolen passwords identified in the Specops Breached Password Report 2025, we also found that almost a quarter of the stolen passwords analysed (230 million) had actually met standard complexity requirements.

There’s also the common error of reusing passwords across multiple accounts. Indeed, a survey from LastPass found that 59% of respondents reused passwords across multiple accounts, even though the vast majority (91%) understood the risks involved. Beyond that, even the best passwords can be vulnerable to phishing attacks and malware, from Redline to Vidar to Raccoon Stealer.

U2F advantages

So how can U2F help? As the name suggests, the concept relies on two factors to bolster security – typically a password and a physical device, similar to a key fob.

The user enters their credentials as usual. However, to gain access they must then pass a second security step, typically using a U2F device that has been registered with the online service to create a new ‘key pair’.

The device is inserted into a USB port and the system then cryptographically ‘challenges’ it, checking that the device’s response corresponds to the key registered for the account before granting access. The concept is backed by some of the biggest names in global tech: it’s overseen by the FIDO Alliance, an open industry association whose members include Google, Microsoft, Amazon, and many other industry giants.
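The registration and challenge steps described above, as an added Node.js example (not code from Specops or the FIDO Alliance). It is a simplified model: the function names and message layout are assumptions, and the real U2F wire format differs. What it keeps is the idea that the token signs the service's fresh challenge together with the site origin and a counter.

```javascript
const crypto = require('node:crypto');
const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Bytes covered by the signature (simplified layout, an assumption of this sketch):
// origin hash, 4-byte counter, client-data hash.
function signedBytes(origin, counter, clientData) {
  const ctr = Buffer.alloc(4);
  ctr.writeUInt32BE(counter);
  return Buffer.concat([sha256(origin), ctr, sha256(clientData)]);
}

// The token: the private key never leaves it, only signatures do.
function makeToken() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  let counter = 0;
  return {
    publicKey, // handed to the service once, at registration
    // Signs the challenge together with the origin the browser is really talking to.
    sign(origin, challenge) {
      counter += 1;
      const clientData = JSON.stringify({ origin, challenge });
      const signature = crypto.sign('sha256', signedBytes(origin, counter, clientData), privateKey);
      return { counter, clientData, signature };
    },
  };
}

// The service: keeps the registered public key and issues a fresh challenge per sign-in.
function makeService(origin) {
  let registeredKey = null, lastCounter = 0, pending = null;
  return {
    register(publicKey) { registeredKey = publicKey; },
    newChallenge() { return (pending = crypto.randomBytes(32).toString('base64url')); },
    verify({ counter, clientData, signature }) {
      const challenge = pending;
      pending = null; // each challenge is single-use
      if (!registeredKey || !challenge) return 'no-pending-challenge';
      const seen = JSON.parse(clientData);
      if (seen.challenge !== challenge) return 'wrong-challenge';
      if (seen.origin !== origin) return 'wrong-origin';
      const data = signedBytes(origin, counter, clientData);
      if (!crypto.verify('sha256', data, registeredKey, signature)) return 'bad-signature';
      if (counter <= lastCounter) return 'counter-not-increasing';
      lastCounter = counter;
      return 'ok';
    },
  };
}
```

A response produced for a look-alike origin, a reused response, or one signed by an unregistered token is rejected by `verify`, which is the property a password alone cannot provide.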

U2F offers clear security advantages to users – and more.

Let’s look at a few of the benefits:

  • Stronger security: Most importantly, the use of a hardware token and cryptography provides a robust secondary form of authentication. It makes it far more difficult for an attacker to gain unauthorized access.
  • User convenience: The approach is highly user-friendly, particularly when compared to other potential secondary factors, such as SMS-based codes. It’s easy to use once you have it all set up: you simply insert your device into the USB port.
  • Wide availability: Because U2F is a universal authentication method, it’s found across a range of systems. It’s already built into popular browsers like Firefox and Chrome.


Overcoming the obstacles

As with any emerging technology, U2F presents challenges. While it is indeed relatively inexpensive, it’s not completely free, unlike many apps that can be used in authentication. Still, it isn’t overly costly to buy the keys, with a range of options available from providers like Yubico. More importantly, the small investment could well pay dividends, particularly when contrasted with the financial risks of losing access to your online accounts. 

It's also a new technology, so it may require a degree of user education before it’s used effectively (to register and operate the device, for instance). However, the process is relatively simple, and organizations could implement training programmes to educate their employees.

Perhaps most seriously, there are always risks when you rely on a physical item like a hardware token. Quite simply, you could lose the key: it might fall off your key chain, for instance, or be lost if it’s left in a USB port and you misplace your laptop or other device. But the same could be said for any number of items we use in our daily lives, from car keys to credit cards.

The enduring value of passwords

Of course, even if you do lose the key, that doesn’t mean someone can use it to gain access to your accounts. The data inside the keys can’t be accessed by criminals. What’s more, they’d lack access to your first line of defence: your username and password.

Because despite the (welcome) evolution of online security, these traditional defenses aren’t going anywhere. Passwords provide significant enduring benefits. They’re simple to use, flexible, and even with the dangers of breaches and hacks, they’re still effective: a password is right or wrong.

For as long as people use passwords, companies will need to protect their active directories, ensuring they are clear of compromised or weak passwords. With Specops Password Policy, users are prevented from creating weak passwords, while the technology also scans your Active Directory for breached or compromised instances, currently blocking a growing database of over 4 billion unique breached passwords.

It’s clear that two-factor and multi-factor authentication (MFA) will be central to complementing password security in the coming years, with the long-term impact of technologies like U2F enhancing online safety well into the future.

But that security is built on two stages. It will always be vital to ensure your passwords are up to scratch – no matter how other technology evolves. Interested in shoring up your organization’s password security?

Speak to an expert today.

Sponsored and written by Specops Software.
