Questions tagged [fido2]
FIDO2 (Fast IDentity Online 2) is a technical specification for biometric authentication to online services, based on FIDO Alliance CTAP2 protocol and W3C consortia's WebAuthn standard. FIDO2 is based on previous FIDO Alliance project U2F
29
questions
0
votes
0
answers
15
views
ssh-keygen fido2 keys without password [duplicate]
ssh-keygen -t ed25519-sk -O resident -C "yubikey-fido1
My understanding is that I should be able to generate openssh keys with fido2 without password and require touch-only. While that opens up ...
- 275
1
vote
0
answers
322
views
Is it possible to see the pubkeys that pair with private keys inside the TPM in Windows?
Is it possible to inspect data (pubkeys, domain names used for webauthn, not private keys) related to private keys stored in the TPM on Windows?
I legally own the hardware and have maximum ...
- 435
2
votes
2
answers
146
views
Can Fido2 hardware tokens be used for key agreement or Diffie-Hellman?
With Fido2 becoming more popular we see more and more affordable Fido2 hardware security keys on the market.
Can we use those tokens also for establishing a shared secret between two tokens?
I would ...
0
votes
0
answers
116
views
Passwordless authentication using expiring hardware keys
I am looking for a solution to implement passwordless authentication using expirable hardware keys. It is for devices around the world with Windows OS, and sometimes service technicians have to do ...
- 101
3
votes
2
answers
452
views
FIDO2: should I set user verification to "discouraged" with two-factor authentication?
I provide a web application that uses FIDO2 for two-factor authentication. Recently I got reports that Windows users have to enter a PIN each time they use their hardware token. As far as I understand,...
- 153
0
votes
0
answers
355
views
FIDO2 security keys - what attack vectors/weaknesses exist for "bad" keys
What attack vectors exist for "bad" FIDO USB keys? What would the weaknesses of a "bad" key be? How could they be compromised?
This came to mind as I was looking at "make ...
- 11
1
vote
0
answers
1k
views
Reading SSH private key physically stored on yubikey to remote into external PC
I was wondering if it's possible to only store and read a ssh private key on a yubikey and not read the private key the yubikey generated from a client computer?
Currently the only way it seems to ...
- 193
3
votes
1
answer
814
views
Is FIDO2 authentication vulnerable to a social engineering replay attack?
I'm starting to learn about the FIDO2 standard, and I'm wondering if this scenario is possible...
Victim visits a credential harvesting page and enters their credentials
Credential harvesting backend ...
- 845
3
votes
2
answers
3k
views
Can I use Yubikey to encrypt a file without PGP?
I have a Yubikey 5 Series and would like to use it to encrypt a file, so that a physical presence of my Yubikey would be required to decrypt it.
I know you can save a PGP key onto Yubikey and use it ...
- 39
1
vote
3
answers
2k
views
Why are FIDO2 protected SSH keys affected by phishing attacks?
The OpenSSH developers have written in a description of the "agent restrictions" feature that FIDO2 tokens are vulnerable to phishing attacks: https://www.openssh.com/agent-restrict.html
...
- 111
0
votes
3
answers
1k
views
How could someone's account that is secured by MFA Yubikey be compromised?
Let's say that I purchased a MFA Yubikey device to secure my accounts. If an attacker wanted to compromise my accounts that are secured with this YubiKey, would this be possible without having the ...
- 597
0
votes
1
answer
642
views
Can FIDO2 Authentication be used for native application?
I'm currently working on a project, which has a Web API, which is to be consumed by a native application. For the sake of brevity, assume that the application cannot be re-written to be a Web ...
- 11
0
votes
1
answer
573
views
How exactly does the detection of a cloned FIDO2 credential work?
I am trying to understand the FIDO2 standard. I know that a Relying Party has to implement a mechanism that checks the counter of the respective credentials. Most of the time, a counter is stored in ...
- 3
1
vote
1
answer
396
views
Why isn't U2F's CTAP protocol forwards-compatible with FIDO2's CTAP protocol?
I've been trying to find the major differences between "U2F" versus "FIDO2" two-factor authentication standards. Reading some of the articles posted by different companies and even ...
- 131
1
vote
0
answers
393
views
Avoiding Replay Attacks while Using FIDO2's HMAC Secret to Encrypt Data
FIDO2's HMAC Secret extension generates a symmetric secret that can be used to encrypt and decrypt data. HMAC secret's output is based on
output1: HMAC-SHA-256(CredRandom, salt1)
Where salt1 is from ...
- 111
1
vote
0
answers
1k
views
How to uses FIDO2 hmac-secret extension for offline authentication? [closed]
How hmac-secret extension defined in the CTAP2 Specification is used to help implement offline authentication with an authenticator. Is there any other specification that says how to do this?
From the ...
7
votes
3
answers
7k
views
How to set up two YubiKeys to have the same secret?
A lot of services offer authentication with FIDO2, such as Twitter, but only allow the user to set one "security key". This is problematic in case the key is lost or breaks. The ideal ...
user163495
2
votes
1
answer
3k
views
Implementing FIDO2 (WebAuthN) in Native iOS
I am currently investigating the idea of implementing FIDO2 (WebAuthN) support in native iOS using Swift. I understand that there is no FIDO2 support in native iOS, and only available through Safari ...
- 21
0
votes
0
answers
115
views
Why I can't duplicate OpenSK key
I am curious about why I can't duplicate the OpenSK key.
I have a few keys that I put the same certificate and private key on them but they are different.
I found it useful to have a duplicate key in ...
- 101
1
vote
1
answer
360
views
FIDO2 - Where do Android and IOS platform authenticators store private key credentials?
I'm new to FIDO2 specification.
I'm aware that Android and IOS devices support FIDO2 protocols (even Android phones could act as a physical key for FIDO2 authentication).
However, Could anyone let me ...
1
vote
1
answer
887
views
Can one use a gpg smartcard to implement FIDO2?
From what I understand, the idea of FIDO2 is to use symmetric cryptography, with secret key on the token, and public key on the server. When requesting to connect, the server uses the public key to ...
- 317
2
votes
0
answers
312
views
"Something you have" on a multi-user device - what is the opinion regarding the NIST AAL3 definition?
The NIST AAL3 specification requires
In order to authenticate at AAL3, claimants SHALL prove possession and
control of two distinct authentication factors through secure
authentication ...
- 21
1
vote
0
answers
126
views
WebAuthn Variation with non-connect dongle Authenticator
As I read through the WebAuthn / FIDO2 documentation, it appears the authentication is done on the local device to create an attestation to the FIDO server. This future implies the "biometrics" or ...
- 111
4
votes
2
answers
1k
views
Why does WebAuthn require a challenge when asking the client to register a new credential?
When registering a new credential as part of WebAuthn, why does the client need to be sent a challenge?
Presumably this is to prevent a replay attack, but wouldn't a replay attack be prevented by TLS ...
- 173
6
votes
2
answers
322
views
Does injecting my own key material into the authenticator undermine authenticator's attestation?
I'd like to be able to inject my own key material in the FIDO2 authenticator; at the very least it will remove the need to trust the vendor (because we have no guarantee whether the vendor keeps ...
- 195
18
votes
1
answer
7k
views
FIDO and FIDO2 differences
I've been reading both FIDO and FIDO2 specs for a while tring to understand the similarities and differences between both. Here is how I broke it down so far:
FIDO: First iteration in creating a ...
- 478
1
vote
0
answers
179
views
Practicality of Direct Anonymous Attestation [closed]
DAA (Direct Anonymous Attestation) is not the only scheme to achieve anonymous attestation. In general, these schemes allow an entity to stay anonymous throughout the attestation process. The concern ...
- 111
4
votes
1
answer
411
views
Yubikey - WebAuthn and U2F
I have a yubikey which supports only U2F. It doesn't support FIDO2. I read about U2F and i understand how it works.
When i test my Yubikey for WebAuthn on https://webauthn.io it works. I wanted to ...
- 173
7
votes
1
answer
634
views
Is there any privacy- or security-relevant difference between FIDO2 and SQRL
I just learned about FIDO2 (WebAuthn) and try to make a comparison to the lesser-known novel SQRL authentication scheme.
Both seem to use the same key elements:
a private, user-resident "master key" ...
- 4,103