tl;dr: U2F is important as it is the most secure option to protect your accounts. Activate it wherever possible.
In fact, U2F is so important that every email service should support it.
The reason is simple: Your email account is the gate to your online identity. Services like Amazon, Twitter, PayPal and others are linked to your email account, and passwords to these services can be easily reset if a malicious attacker has gained access to your mailbox.
That's what FIDO U2F protects you from. If activated on your email account, for instance at Tutanota, it will be close to impossible for malicious attackers to take over your mailbox.
U2F is an open authentication standard that uses one key for multiple services. It simplifies and elevates the security provided by 2FA (two-factor authentication) as no drivers or client software is needed.
Universal second factor authentication refers to a separate device that holds a secret, extra key required to log into your digital account(s). Instead of entering a certain code (OTP), you just need to plug a device as second factor.
U2F is not the same as 2FA: 2FA is two-factor authentication that includes all methods for the second factor (SMS, TOTP, U2F and more). U2F is just one option on how to set up two-factor authentication - though the most secure one!
There is one significant disadvantage of U2F solutions in comparison to TOTP (which uses a shared secret): For U2F there is no option to back up recovery codes of shared secrets.
If a hardware key is lost, it will become impossible to login to the services and apps that were originally secured with this hardware key. Thus, most services offer a way to reset the login credentials to regain access.
For instance, Tutanota offers a recovery code that must be entered along with the correct password to reset (in this case: remove) a lost U2F hardware key. Additionally, it is possible in Tutanota to register multiple hardware keys. If one gets lost, users can still login with one of the other registered U2F keys.
U2F – second-factor authentication with a hardware security key – is the most secure way to protect your online accounts from malicious attacks.
It is also more secure than second-factor authentication via OTP or TOTP, that’s why we at Tutanota highly recommend to activate a hardware key to protect your encrypted mailbox.
U2F hardens your login credentials, which makes sure no one can take over your accounts - not even after a successful phishing attack.
Phishing emails are becoming more and more sophisticated which increases the risk of falling for such attacks. The sender of the phishing email usually tries to make you click a link where you are supposed to enter your password. Should this happen, the attacker can then easily steal your password and take over your account.
However, if a second factor like U2F has been activated on your account, the password will be useless to the attacker and your account will be safe.
On top of that, a U2F-enabled user login is bound to the origin; this means that only the real site can authenticate with the key (second factor). The authentication will fail on any fake phishing site even if the user was fooled into thinking it was real.
For the user, U2F is really simple. You can activate the same U2F hardware key on all your accounts, such as Tutanota, Amazon, or Twitter. When you login, you enter your user name and password, and then you simply need to stick the USB-like hardware key into your device and tap it to finish the authentication process.
On a technical side, the process is much more complex. The Fido Alliance explains the process like this:
“The U2F device and protocol need to guarantee user privacy and security. At the core of the protocol, the U2F device has a capability (ideally, embodied in a secure element) which mints an origin-specific public/private key pair. The U2F device gives the public key and a Key Handle to the origin online service or website during the user registration step.”
“Later, when the user performs an authentication, the origin online service or website sends the Key Handle back to the U2F device via the browser. The U2F device uses the Key Handle to identify the user's private key, and creates a signature which is sent back to the origin to verify the presence of the U2F device. Thus, the Key Handle is simply an identifier of a particular key on the U2F device.”
“The key pair created by the U2F device during registration is origin specific. During registration, the browser sends the U2F device a hash of the origin (combination of protocol, hostname and port). The U2F device returns a public key and a Key Handle. Very importantly, the U2F device encodes the requesting origin into the Key Handle.”
“Later, when the user attempts to authenticate, the server sends the user's Key Handle back to the browser. The browser sends this Key Handle and the hash of the origin which is requesting the authentication. The U2F device ensures that it had issued this Key Handle to that particular origin hash before performing any signing operation. If there is a mismatch no signature is returned. This origin check ensures that the public keys and Key Handles issued by a U2F device to a particular online service or website cannot be exercised by a different online service or website (i.e., a site with a different name on a valid SSL certificate). This is a critical privacy property -- assuming the browser is working as it should, a site can verify identity strongly with a user's U2F device only with a key which has been issued to that particular site by that particular U2F device. If this origin check was not present, a public key and Key Handle issued by a U2F device could be used as a 'supercookie' which allows multiple colluding sites to strongly verify and correlate a particular user's identity.”
”The user is able to use the same device across multiple sites on the web -- it thus serves as the user's physical web keychain with multiple (virtual) keys to various sites provisioned from one physical device. Using the open U2F standard, any origin will be able to use any browser (or OS) which has U2F support to talk to any U2F compliant device presented by the user to enable strong authentication.“
Universal 2nd Factor (U2F) is an open standard that strengthens and simplifies two-factor authentication (2FA) using specialized Universal Serial Bus (USB) or near-field communication (NFC) devices. It is succeeded by the FIDO2 Project, which includes the W3C Web Authentication (WebAuthn) standard and the FIDO Alliance's Client to Authenticator Protocol 2 (CTAP2).
While initially developed by Google and Yubico, with contribution from NXP Semiconductors, the standard is now hosted by the FIDO Alliance alone.
You will find a list of all services that are supporting U2F keys here.
The U2F eco-system is designed to provide strong authentication for users on the web while preserving the user's privacy.
The user carries a 'U2F device' as a second factor that logs them into their online accounts. This way, these accounts can be kept secure, also from phishing attacks.
U2F hardware keys are a great achievement as these make sure that people and their online accounts are kept secure on the web.