Questions tagged [fido2]
FIDO2 (Fast IDentity Online 2) is a technical specification for biometric authentication to online services, based on the FIDO Alliance's CTAP2 protocol and the W3C consortium's WebAuthn standard. FIDO2 is based on the FIDO Alliance's earlier U2F project.
29 questions
0 votes, 0 answers, 14 views
ssh-keygen fido2 keys without password [duplicate]
ssh-keygen -t ed25519-sk -O resident -C "yubikey-fido1
My understanding is that I should be able to generate openssh keys with fido2 without password and require touch-only. While that opens up ...
1 vote, 0 answers, 313 views
Is it possible to see the pubkeys that pair with private keys inside the TPM in Windows?
Is it possible to inspect data (pubkeys, domain names used for webauthn, not private keys) related to private keys stored in the TPM on Windows?
I legally own the hardware and have maximum ...
2 votes, 2 answers, 137 views
Can Fido2 hardware tokens be used for key agreement or Diffie-Hellman?
With Fido2 becoming more popular we see more and more affordable Fido2 hardware security keys on the market.
Can we use those tokens also for establishing a shared secret between two tokens?
I would ...
0 votes, 0 answers, 114 views
Passwordless authentication using expiring hardware keys
I am looking for a solution to implement passwordless authentication using expirable hardware keys. It is for devices around the world with Windows OS, and sometimes service technicians have to do ...
3 votes, 2 answers, 445 views
FIDO2: should I set user verification to "discouraged" with two-factor authentication?
I provide a web application that uses FIDO2 for two-factor authentication. Recently I got reports that Windows users have to enter a PIN each time they use their hardware token. As far as I understand,...
0 votes, 0 answers, 349 views
FIDO2 security keys - what attack vectors/weaknesses exist for "bad" keys
What attack vectors exist for "bad" FIDO USB keys? What would the weaknesses of a "bad" key be? How could they be compromised?
This came to mind as I was looking at "make ...
1 vote, 0 answers, 1k views
Reading SSH private key physically stored on yubikey to remote into external PC
I was wondering if it's possible to only store and read an ssh private key on a yubikey and not read the private key the yubikey generated from a client computer?
Currently the only way it seems to ...
3 votes, 1 answer, 811 views
Is FIDO2 authentication vulnerable to a social engineering replay attack?
I'm starting to learn about the FIDO2 standard, and I'm wondering if this scenario is possible...
Victim visits a credential harvesting page and enters their credentials
Credential harvesting backend ...
3 votes, 2 answers, 3k views
Can I use Yubikey to encrypt a file without PGP?
I have a Yubikey 5 Series and would like to use it to encrypt a file, so that a physical presence of my Yubikey would be required to decrypt it.
I know you can save a PGP key onto Yubikey and use it ...
1 vote, 3 answers, 2k views
Why are FIDO2 protected SSH keys affected by phishing attacks?
The OpenSSH developers have written in a description of the "agent restrictions" feature that FIDO2 tokens are vulnerable to phishing attacks: https://www.openssh.com/agent-restrict.html
...
0 votes, 3 answers, 1k views
How could someone's account that is secured by MFA Yubikey be compromised?
Let's say that I purchased an MFA Yubikey device to secure my accounts. If an attacker wanted to compromise my accounts that are secured with this YubiKey, would this be possible without having the ...
0 votes, 1 answer, 632 views
Can FIDO2 Authentication be used for native application?
I'm currently working on a project which has a Web API that is to be consumed by a native application. For the sake of brevity, assume that the application cannot be re-written to be a Web ...
0 votes, 1 answer, 570 views
How exactly does the detection of a cloned FIDO2 credential work?
I am trying to understand the FIDO2 standard. I know that a Relying Party has to implement a mechanism that checks the counter of the respective credentials. Most of the time, a counter is stored in ...
1 vote, 1 answer, 395 views
Why isn't U2F's CTAP protocol forwards-compatible with FIDO2's CTAP protocol?
I've been trying to find the major differences between "U2F" versus "FIDO2" two-factor authentication standards. Reading some of the articles posted by different companies and even ...
1 vote, 0 answers, 392 views
Avoiding Replay Attacks while Using FIDO2's HMAC Secret to Encrypt Data
FIDO2's HMAC Secret extension generates a symmetric secret that can be used to encrypt and decrypt data. HMAC secret's output is based on
output1: HMAC-SHA-256(CredRandom, salt1)
Where salt1 is from ...