Questions tagged [fido2]
FIDO2 (Fast IDentity Online 2) is a set of specifications for passwordless and second-factor authentication to online services, built on the FIDO Alliance's CTAP2 (Client to Authenticator Protocol 2) and the W3C's WebAuthn standard; user verification on the authenticator may be a PIN or a biometric. FIDO2 succeeds the FIDO Alliance's earlier U2F project.
10 questions with no upvoted or accepted answers
2 votes, 2 answers, 146 views
Can Fido2 hardware tokens be used for key agreement or Diffie-Hellman?
With Fido2 becoming more popular, we see more and more affordable Fido2 hardware security keys on the market.
Can we also use those tokens for establishing a shared secret between two tokens?
I would ...
2 votes, 1 answer, 3k views
Implementing FIDO2 (WebAuthN) in Native iOS
I am currently investigating the idea of implementing FIDO2 (WebAuthN) support in native iOS using Swift. I understand that there is no FIDO2 support in native iOS, and only available through Safari ...
2 votes, 0 answers, 312 views
"Something you have" on a multi-user device - what is the opinion regarding the NIST AAL3 definition?
The NIST AAL3 specification requires
In order to authenticate at AAL3, claimants SHALL prove possession and
control of two distinct authentication factors through secure
authentication ...
1 vote, 0 answers, 322 views
Is it possible to see the pubkeys that pair with private keys inside the TPM in Windows?
Is it possible to inspect data (pubkeys, domain names used for webauthn, not private keys) related to private keys stored in the TPM on Windows?
I legally own the hardware and have maximum ...
1 vote, 0 answers, 1k views
Reading an SSH private key physically stored on a YubiKey to remote into an external PC
I was wondering if it's possible to only store and read an SSH private key on a YubiKey and not read the private key the YubiKey generated from a client computer?
Currently the only way it seems to ...
1 vote, 0 answers, 393 views
Avoiding Replay Attacks while Using FIDO2's HMAC Secret to Encrypt Data
FIDO2's HMAC Secret extension generates a symmetric secret that can be used to encrypt and decrypt data. HMAC secret's output is based on
output1: HMAC-SHA-256(CredRandom, salt1)
Where salt1 is from ...
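The derivation quoted in the question, worked through in code. This is an added illustration, not code from the question or from any FIDO2 implementation: the CredRandom and the salts are constructed stand-ins (a real authenticator generates CredRandom at makeCredential and never exports it), and the helper names `hmac_secret`, `derive_data_key`, `rotate_data_key` and `constructed_salt` are this example's own. It shows the two properties that matter when the output is used as a data-encryption key: the same salt always reproduces the same key (so only the salt needs to be stored next to the ciphertext), and a second salt yields an independent key (which is what the optional salt2 is for, letting one assertion return both the current and the next key during rotation). Because output1 is a deterministic function of the salt, anyone who observes it in the clear holds the data key; this is why CTAP2 carries both the salts and the outputs encrypted under the PIN/UV auth protocol shared secret, which the example does not reproduce.

```python
"""Worked example of the hmac-secret derivation quoted above.

All values are constructed for illustration; nothing here talks to a hardware key.
"""
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed stand-in for the per-credential CredRandom an authenticator
# generates at makeCredential and never exports (assumption: 32 random bytes).
CRED_RANDOM = hashlib.sha256(b"constructed CredRandom for illustration").digest()


def constructed_salt(label: bytes) -> bytes:
    """Deterministic 32-byte salt for the example; a real client uses random salts."""
    return hashlib.sha256(b"constructed salt: " + label).digest()


def hmac_secret(cred_random: bytes, salt1: bytes,
                salt2: Optional[bytes] = None) -> Tuple[bytes, Optional[bytes]]:
    """Authenticator side of the extension, exactly as written in the question:
    output1 = HMAC-SHA-256(CredRandom, salt1); output2 likewise over salt2 if given."""
    if len(cred_random) != 32:
        raise ValueError("CredRandom must be 32 bytes")
    for salt in (salt1, salt2):
        if salt is not None and len(salt) != 32:
            raise ValueError("hmac-secret salts must be 32 bytes")
    output1 = hmac.new(cred_random, salt1, hashlib.sha256).digest()
    output2 = (hmac.new(cred_random, salt2, hashlib.sha256).digest()
               if salt2 is not None else None)
    return output1, output2


def derive_data_key(salt: bytes) -> bytes:
    """Client-side view: the key is never stored, only the salt is; the key is
    recomputed by asking the authenticator again with that salt."""
    output1, _ = hmac_secret(CRED_RANDOM, salt)
    return output1


def rotate_data_key(old_salt: bytes, new_salt: bytes) -> Tuple[bytes, bytes]:
    """Two-salt call: a single assertion yields the current key (to decrypt)
    and the next key (to re-encrypt), which is what salt2 exists for."""
    old_key, new_key = hmac_secret(CRED_RANDOM, old_salt, new_salt)
    if new_key is None:
        raise RuntimeError("authenticator returned no output2")
    return old_key, new_key


def same_salt_same_key(salt: bytes) -> bool:
    """Determinism: the same salt reproduces the same key on every assertion.
    Good for recovering data; it also means a leaked output1 is a leaked key."""
    return derive_data_key(salt) == derive_data_key(salt)


def distinct_salts_distinct_keys(salt_a: bytes, salt_b: bytes) -> bool:
    """Different salts give unrelated 256-bit keys under the same credential."""
    return derive_data_key(salt_a) != derive_data_key(salt_b)


if __name__ == "__main__":
    salt_v1 = constructed_salt(b"v1")
    salt_v2 = constructed_salt(b"v2")
    print("same salt -> same key:", same_salt_same_key(salt_v1))
    print("v1 vs v2 keys differ:", distinct_salts_distinct_keys(salt_v1, salt_v2))
    old_key, new_key = rotate_data_key(salt_v1, salt_v2)
    print("rotation matches single-salt derivations:",
          old_key == derive_data_key(salt_v1) and new_key == derive_data_key(salt_v2))
```

Run it directly to see the three properties printed; in a real deployment the salt stored with the ciphertext is the only persistent state, and the client must also protect the assertion transport, since the example's `hmac_secret` returns output1 in the clear.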
1 vote, 0 answers, 126 views
WebAuthn Variation with non-connect dongle Authenticator
As I read through the WebAuthn / FIDO2 documentation, it appears the authentication is done on the local device to create an attestation to the FIDO server. This feature implies the "biometrics" or ...
0 votes, 0 answers, 116 views
Passwordless authentication using expiring hardware keys
I am looking for a solution to implement passwordless authentication using expirable hardware keys. It is for devices around the world with Windows OS, and sometimes service technicians have to do ...
0 votes, 0 answers, 355 views
FIDO2 security keys - what attack vectors/weaknesses exist for "bad" keys
What attack vectors exist for "bad" FIDO USB keys? What would the weaknesses of a "bad" key be? How could they be compromised?
This came to mind as I was looking at "make ...
0 votes, 0 answers, 115 views
Why can't I duplicate an OpenSK key?
I am curious about why I can't duplicate the OpenSK key.
I have a few keys on which I put the same certificate and private key, but they are different.
I found it useful to have a duplicate key in ...