Questions tagged [fido2]
FIDO2 (Fast IDentity Online 2) is a technical specification for biometric authentication to online services, based on FIDO Alliance CTAP2 protocol and W3C consortia's WebAuthn standard. FIDO2 is based on previous FIDO Alliance project U2F
29
questions
1
vote
0
answers
1k
views
How to uses FIDO2 hmac-secret extension for offline authentication? [closed]
How hmac-secret extension defined in the CTAP2 Specification is used to help implement offline authentication with an authenticator. Is there any other specification that says how to do this?
From the ...
7
votes
3
answers
7k
views
How to set up two YubiKeys to have the same secret?
A lot of services offer authentication with FIDO2, such as Twitter, but only allow the user to set one "security key". This is problematic in case the key is lost or breaks. The ideal ...
2
votes
1
answer
3k
views
Implementing FIDO2 (WebAuthN) in Native iOS
I am currently investigating the idea of implementing FIDO2 (WebAuthN) support in native iOS using Swift. I understand that there is no FIDO2 support in native iOS, and only available through Safari ...
0
votes
0
answers
115
views
Why I can't duplicate OpenSK key
I am curious about why I can't duplicate the OpenSK key.
I have a few keys that I put the same certificate and private key on them but they are different.
I found it useful to have a duplicate key in ...
1
vote
1
answer
360
views
FIDO2 - Where do Android and IOS platform authenticators store private key credentials?
I'm new to FIDO2 specification.
I'm aware that Android and IOS devices support FIDO2 protocols (even Android phones could act as a physical key for FIDO2 authentication).
However, Could anyone let me ...
1
vote
1
answer
887
views
Can one use a gpg smartcard to implement FIDO2?
From what I understand, the idea of FIDO2 is to use symmetric cryptography, with secret key on the token, and public key on the server. When requesting to connect, the server uses the public key to ...
2
votes
0
answers
312
views
"Something you have" on a multi-user device - what is the opinion regarding the NIST AAL3 definition?
The NIST AAL3 specification requires
In order to authenticate at AAL3, claimants SHALL prove possession and
control of two distinct authentication factors through secure
authentication ...
1
vote
0
answers
126
views
WebAuthn Variation with non-connect dongle Authenticator
As I read through the WebAuthn / FIDO2 documentation, it appears the authentication is done on the local device to create an attestation to the FIDO server. This future implies the "biometrics" or ...
4
votes
2
answers
1k
views
Why does WebAuthn require a challenge when asking the client to register a new credential?
When registering a new credential as part of WebAuthn, why does the client need to be sent a challenge?
Presumably this is to prevent a replay attack, but wouldn't a replay attack be prevented by TLS ...
6
votes
2
answers
322
views
Does injecting my own key material into the authenticator undermine authenticator's attestation?
I'd like to be able to inject my own key material in the FIDO2 authenticator; at the very least it will remove the need to trust the vendor (because we have no guarantee whether the vendor keeps ...
18
votes
1
answer
7k
views
FIDO and FIDO2 differences
I've been reading both FIDO and FIDO2 specs for a while tring to understand the similarities and differences between both. Here is how I broke it down so far:
FIDO: First iteration in creating a ...
1
vote
0
answers
179
views
Practicality of Direct Anonymous Attestation [closed]
DAA (Direct Anonymous Attestation) is not the only scheme to achieve anonymous attestation. In general, these schemes allow an entity to stay anonymous throughout the attestation process. The concern ...
4
votes
1
answer
411
views
Yubikey - WebAuthn and U2F
I have a yubikey which supports only U2F. It doesn't support FIDO2. I read about U2F and i understand how it works.
When i test my Yubikey for WebAuthn on https://webauthn.io it works. I wanted to ...
7
votes
1
answer
634
views
Is there any privacy- or security-relevant difference between FIDO2 and SQRL
I just learned about FIDO2 (WebAuthn) and try to make a comparison to the lesser-known novel SQRL authentication scheme.
Both seem to use the same key elements:
a private, user-resident "master key" ...