8

As you may already be aware, the Universal 2nd Factor (U2F) standard is a standard for 2nd-factor authentication which allows users to authenticate to web applications using a USB hardware token.

While reading up on this standard, I discovered that the Fast IDentity Online (FIDO) Alliance, which created the U2F standard, also has another standard they created around the same time called the Universal Authentication Framework (UAF), which seems very similar to U2F:

[Image: UAF and U2F, illustrated]

These standards seem very similar, with the only significant difference being what authentication mechanism is used in step 2. However, further reading suggests that UAF allows for multiple different authentication mechanisms in step 2:

The passwordless FIDO experience is supported by the Universal Authentication Framework (UAF) protocol. In this experience, the user registers their device to the online service by selecting a local authentication mechanism such as swiping a finger, looking at the camera, speaking into the mic, entering a PIN, etc. The UAF protocol allows the service to select which mechanisms are presented to the user.

With this in mind, why is U2F even a separate standard from UAF in the first place? What's so different about U2F that warrants it being an entirely different standard rather than just another authentication mechanism for UAF?

Ajedi32
    See also: http://security.stackexchange.com/q/71590/29865 – Ajedi32 Feb 21 '17 at 16:08
  • In addition to the above mentioned link the U2F standard was finished _before_ UAF and U2F devices were available. So if they tried to design U2F into UAF, they would not get in on the road (if it is even there, yet) – cornelinux Feb 21 '17 at 17:29

2 Answers

10

From a technical point of view, your question totally makes sense.

U2F and UAF were pushed by very different actors/players. UAF was backed (cough plagued cough) by biometrics companies and never took off, for many reasons. U2F is a simpler, no-nonsense solution that is now largely adopted by major web service providers like Facebook, Google services (including Gmail, YouTube, Google Ads, etc.), GitHub, Dropbox, FastMail, Dashlane, Salesforce, etc.

At first, there was no real all-in-one perspective, but it may be different now. In fact, in the current draft of the next FIDO standard, called "WebAuthn" (which used to be called FIDO 2.0 too) and which we can see as a non-messy UAF successor, FIDO U2F can be used as an "Attestation Statement Format", as you can see here: https://www.w3.org/TR/2017/WD-webauthn-20170216/

So your question makes sense and, hopefully, in the future we will be following this path.

schroeder
FredericMARTIN
5

In short, UAF will have a role as single-factor authentication. That is mainly achieved by biometrics in order to replace passwords, replacing "what you know" with "who you are," in addition to some crypto techniques like PKI.

U2F still has a role as a second-factor ("what you have") in addition to username/password ("what you know").

This property makes UAF completely different from U2F; that's why there are two standards. On the other hand, UAF has more operations than U2F which makes it more complex.

Michael
Qingbao