A Look Back at True2F
Recently at Duo Tech Talks we hosted Emma Dauterman of Stanford University for an outstanding presentation on True2F, a joint research project between Stanford and Google surrounding backdoor-resistant security keys.
The True2F work builds on FIDO U2F, a second-factor authentication standard supported by sites such as Google, Dropbox, GitHub, and Duo. U2F and similar technologies like WebAuthn provide strong, public-key-based authentication on the web with built-in phishing resistance: instead of relying on shared secrets, they use a challenge-response protocol. U2F and WebAuthn authenticators can be physical security keys such as a YubiKey or Google Titan Key, platform authenticators built into computing devices, or even software-based.
U2F and WebAuthn offer some protection against malicious websites (e.g., a phishing site) and even against a malicious web browser. However, these protocols currently provide no protection against faults or backdoors in the token itself. True2F changes this by providing a two-party protocol for generating cryptographic keys and ECDSA signatures.
Emma’s talk covers the design and implementation of True2F, as well as the performance differences between U2F and True2F. The full paper, which goes into even greater detail and provides complete proofs, is available online.