Skip to main content
Information Security

All Questions

Ask Question
Tagged with
8 questions
Newest Active Bountied Unanswered
1 vote
0 answers
322 views

Is it possible to see the pubkeys that pair with private keys inside the TPM in Windows?

Is it possible to inspect data (pubkeys, domain names used for webauthn, not private keys) related to private keys stored in the TPM on Windows? I legally own the hardware and have maximum ...
mikemaccana's user avatar
mikemaccana
  • 435
3 votes
2 answers
452 views

FIDO2: should I set user verification to "discouraged" with two-factor authentication?

I provide a web application that uses FIDO2 for two-factor authentication. Recently I got reports that Windows users have to enter a PIN each time they use their hardware token. As far as I understand,...
tobib's user avatar
tobib
  • 153
0 votes
1 answer
573 views

How exactly does the detection of a cloned FIDO2 credential work?

I am trying to understand the FIDO2 standard. I know that a Relying Party has to implement a mechanism that checks the counter of the respective credentials. Most of the time, a counter is stored in ...
Konsi's user avatar
Konsi
  • 3
2 votes
1 answer
3k views

Implementing FIDO2 (WebAuthN) in Native iOS

I am currently investigating the idea of implementing FIDO2 (WebAuthN) support in native iOS using Swift. I understand that there is no FIDO2 support in native iOS, and only available through Safari ...
Go James 's user avatar
Go James
  • 21
1 vote
0 answers
126 views

WebAuthn Variation with non-connect dongle Authenticator

As I read through the WebAuthn / FIDO2 documentation, it appears the authentication is done on the local device to create an attestation to the FIDO server. This future implies the "biometrics" or ...
mazecreator's user avatar
mazecreator
  • 111
4 votes
2 answers
1k views

Why does WebAuthn require a challenge when asking the client to register a new credential?

When registering a new credential as part of WebAuthn, why does the client need to be sent a challenge? Presumably this is to prevent a replay attack, but wouldn't a replay attack be prevented by TLS ...
johnnyodonnell's user avatar
johnnyodonnell
  • 173
18 votes
1 answer
7k views

FIDO and FIDO2 differences

I've been reading both FIDO and FIDO2 specs for a while tring to understand the similarities and differences between both. Here is how I broke it down so far: FIDO: First iteration in creating a ...
Filipe Rodrigues's user avatar
Filipe Rodrigues
  • 478
4 votes
1 answer
411 views

Yubikey - WebAuthn and U2F

I have a yubikey which supports only U2F. It doesn't support FIDO2. I read about U2F and i understand how it works. When i test my Yubikey for WebAuthn on https://webauthn.io it works. I wanted to ...
Jack's user avatar
Jack
  • 173