Multi-factor Authentication (MFA) Token

Managed by the FIDO (Fast Identity Online) Alliance, Universal 2nd Factor (U2F) is quickly becoming the new industry standard for verification. This provides significantly stronger security than a simple username and password authentication scheme by requiring users to provide something they have (a USB token, in this case) in addition to something they know (username and password).

Futurex hardware security modules (HSMs) support multi-factor authentication using FIDO2 U2F USB tokens for accessing the HSM configuration utilities.

Authentication is the process in which credentials are cross-referenced with those in a database of authorized users. In order to be given access, the credentials must match those in the database. The difference between single-factor and two-factor authentication is simple — how many factors are used in the verification process. In single-factor authentication, only a single factor (i.e. typing in a username and password) is used. By contrast, two-factor authentication utilizes something you know (such as a password) and something you have (such a USB token) to create a secure connection between you and the system you are logging into.

If fraudsters were able to steal your password, they would need to have also stolen your USB token before they could access your data. One of the most common examples of multi-factor authentication occurs at an ATM, where users are required to enter a PIN (something they know) and a card (something they have).

The FIDO standard used by Futurex for multi-factor authentication is implemented using USB tokens that connect to the computer being used to access the Excrypt Manager application or HSM web configuration panel.

• FIDO2 U2F is based around a physical USB token that the user possesses
• During the setup process, users enroll a token under their account
• The token must be inserted in a USB port of the computer connecting to the HSM
• After entering the correct username and password, they will be prompted to perform a multi-factor authentication, which involves pressing a button located on the token

• Fulfills organizational mandates for multi-factor authentication
• Protects against sophisticated phishing and man-in-the-middle attack attempts
• USB tokens can be rendered unusable if the device is ever lost or stolen
• The USB token is not battery powered and provides 24x7x365 accessibility regardless of power

The FIDO2 specification relies on public-key cryptography. When registering your FIDO2 USB token, a key pair is created: the private key is retained on the USB token and the public key is registered with the Futurex HSM. In order to authenticate the user, the USB token must prove possession of the private key through signing a challenge. The token is only able to act in this challenge if the user presence is verified by pressing a button on the token itself.

1. Login: Administrator logs in to the Futurex HSM with their username and password. This can be performed either through the Excrypt Manager application, the Excrypt Touch remote access tablet, or the HSM’s web configuration panel.
2. Multi-Factor Authentication Request: The HSM responds with a challenge request to the multi-factor authentication token. The holder of the FIDO2 U2F USB token presses a button on the token.
3. Verification: The response message is passed to the HSM. The HSM processes the request and determines if the message is correct. If the response authenticates, the USB token is confirmed to have the private key and allows the login process to complete.

Excrypt SSP Enterprise v.2 and Vectera Plus HSMs running firmware version 6.6.x.x and above support integration with Futurex-provided FIDO2 U2F tokens.

Multiple FIDO2 U2F tokens may be associated with a single user. Using multiple tokens is a recommended best practice, as it safeguards against being locked out of the HSM due to a token being lost, stolen, or broken. Futurex recommends creating at least one backup FIDO2 U2F token and storing it in a secure, access-controlled location such as a safe.

Organizations are quickly moving past single-factor password authentication in favor of universal 2nd-factor authentication that provides both privacy and usability. For increased security and convenience, Futurex HSMs make this available using a versatile, easy to use USB token. For greater usability, you are instantly authenticated with the insertion of a USB and a click of the human presence button. Implementing a FIDO U2F USB token with Futurex is seamless and occurs within three simple steps.

Contact a Futurex Solutions Architect to learn more about the multi-factor authentication token and begin using it in your enterprise cryptographic ecosystem.