All Questions

1 vote
0 answers
1k views

Reading SSH private key physically stored on yubikey to remote into external PC

I was wondering if it's possible to only store and read a ssh private key on a yubikey and not read the private key the yubikey generated from a client computer? Currently the only way it seems to ...
SneakyShrike
3 votes
1 answer
814 views

Is FIDO2 authentication vulnerable to a social engineering replay attack?

I'm starting to learn about the FIDO2 standard, and I'm wondering if this scenario is possible... Victim visits a credential harvesting page and enters their credentials Credential harvesting backend ...
Sean W. • 845
1 vote
1 answer
396 views

Why isn't U2F's CTAP protocol forwards-compatible with FIDO2's CTAP protocol?

I've been trying to find the major differences between "U2F" versus "FIDO2" two-factor authentication standards. Reading some of the articles posted by different companies and even ...
natevw • 131
2 votes
1 answer
3k views

Implementing FIDO2 (WebAuthN) in Native iOS

I am currently investigating the idea of implementing FIDO2 (WebAuthN) support in native iOS using Swift. I understand that there is no FIDO2 support in native iOS, and only available through Safari ...
Go James
1 vote
1 answer
360 views

FIDO2 - Where do Android and IOS platform authenticators store private key credentials?

I'm new to FIDO2 specification. I'm aware that Android and IOS devices support FIDO2 protocols (even Android phones could act as a physical key for FIDO2 authentication). However, could anyone let me ...
Danh Thanh Nguyen
1 vote
0 answers
126 views

WebAuthn Variation with non-connect dongle Authenticator

As I read through the WebAuthn / FIDO2 documentation, it appears the authentication is done on the local device to create an attestation to the FIDO server. This future implies the "biometrics" or ...
mazecreator
6 votes
2 answers
322 views

Does injecting my own key material into the authenticator undermine authenticator's attestation?

I'd like to be able to inject my own key material in the FIDO2 authenticator; at the very least it will remove the need to trust the vendor (because we have no guarantee whether the vendor keeps ...
Dmitry Frank
18 votes
1 answer
7k views

FIDO and FIDO2 differences

I've been reading both FIDO and FIDO2 specs for a while trying to understand the similarities and differences between both. Here is how I broke it down so far: FIDO: First iteration in creating a ...
Filipe Rodrigues
1 vote
0 answers
179 views

Practicality of Direct Anonymous Attestation [closed]

DAA (Direct Anonymous Attestation) is not the only scheme to achieve anonymous attestation. In general, these schemes allow an entity to stay anonymous throughout the attestation process. The concern ...
Consy • 111