For the first time, Americans will have the option to use a cryptographically secure USB keystick to protect their online accounts on federal government websites.
Owners of online accounts protected by identity-proofing startup ID.me will be able to use keysticks conforming to the Universal Second Factor, or U2F, standard promulgated by the Fast IDentity Online, or FIDO, Alliance, ID.me announced Tuesday.
The option will be available to users alongside existing two-factor services, such as a code sent by SMS text message, or a call to a landline, the company said. It’s the first time U2F keysticks — considered a gold-standard protection against phishing and other forms of online identity theft — have been available for use with federal online services.
ID.me did not disclose the three federal agencies it said were buying the company’s identity proofing services — but it has in the past done very public work to provide veterans secure logins on vets.gov. On Thursday, ID.me CEO Blake Hall, himself a veteran, will lead a session titled “‘Un-Phishable’ Authentication at the VA,” moderated by U.S. Digital Service official Julie Meloni, at the AFCEA Federal Identity Summit.
“Thieves can guess or steal passwords from a database and they can spoof biometrics,” Hall said in a statement. “A physical FIDO U2F security key is ‘un-phishable’ – it must be physically stolen from you to compromise your account.”
Stina Ehrensvard, CEO and Founder of Yubico, the company that co-authored the U2F standard and now makes U2F-compliant keysticks, called the news a “great milestone for open internet security standards, and an important step towards a more secure internet for everyone.”
The U.K. government rolled out U2F-compliant keysticks as its preferred second factor earlier this year. Google, Facebook and other major online services also offer users the option of a keystick to replace phishable or spoofable second factors like SMS messages or app notifications.