Questions tagged [fido2]
FIDO2 (Fast IDentity Online 2) is a technical specification for biometric authentication to online services, based on the FIDO Alliance's CTAP2 protocol and the W3C consortium's WebAuthn standard. FIDO2 is based on the FIDO Alliance's previous project, U2F.
29 questions
18 votes, 1 answer, 7k views
FIDO and FIDO2 differences
I've been reading both FIDO and FIDO2 specs for a while trying to understand the similarities and differences between both. Here is how I broke it down so far:
FIDO: First iteration in creating a ...
7 votes, 3 answers, 7k views
How to set up two YubiKeys to have the same secret?
A lot of services offer authentication with FIDO2, such as Twitter, but only allow the user to set one "security key". This is problematic in case the key is lost or breaks. The ideal ...
7 votes, 1 answer, 634 views
Is there any privacy- or security-relevant difference between FIDO2 and SQRL?
I just learned about FIDO2 (WebAuthn) and try to make a comparison to the lesser-known novel SQRL authentication scheme.
Both seem to use the same key elements:
a private, user-resident "master key" ...
6 votes, 2 answers, 322 views
Does injecting my own key material into the authenticator undermine the authenticator's attestation?
I'd like to be able to inject my own key material in the FIDO2 authenticator; at the very least it will remove the need to trust the vendor (because we have no guarantee whether the vendor keeps ...
4 votes, 2 answers, 1k views
Why does WebAuthn require a challenge when asking the client to register a new credential?
When registering a new credential as part of WebAuthn, why does the client need to be sent a challenge?
Presumably this is to prevent a replay attack, but wouldn't a replay attack be prevented by TLS ...
4 votes, 1 answer, 411 views
YubiKey - WebAuthn and U2F
I have a YubiKey which supports only U2F. It doesn't support FIDO2. I read about U2F and I understand how it works.
When I test my YubiKey for WebAuthn on https://webauthn.io it works. I wanted to ...
3 votes, 1 answer, 814 views
Is FIDO2 authentication vulnerable to a social engineering replay attack?
I'm starting to learn about the FIDO2 standard, and I'm wondering if this scenario is possible...
Victim visits a credential harvesting page and enters their credentials
Credential harvesting backend ...
3 votes, 2 answers, 3k views
Can I use a YubiKey to encrypt a file without PGP?
I have a YubiKey 5 Series and would like to use it to encrypt a file, so that the physical presence of my YubiKey would be required to decrypt it.
I know you can save a PGP key onto Yubikey and use it ...
3 votes, 2 answers, 452 views
FIDO2: should I set user verification to "discouraged" with two-factor authentication?
I provide a web application that uses FIDO2 for two-factor authentication. Recently I got reports that Windows users have to enter a PIN each time they use their hardware token. As far as I understand, ...
2 votes, 2 answers, 146 views
Can FIDO2 hardware tokens be used for key agreement or Diffie-Hellman?
With FIDO2 becoming more popular, we see more and more affordable FIDO2 hardware security keys on the market.
Can we also use those tokens for establishing a shared secret between two tokens?
I would ...
2 votes, 1 answer, 3k views
Implementing FIDO2 (WebAuthN) in Native iOS
I am currently investigating the idea of implementing FIDO2 (WebAuthN) support in native iOS using Swift. I understand that there is no FIDO2 support in native iOS, and that it is only available through Safari ...
2 votes, 0 answers, 312 views
"Something you have" on a multi-user device - what is the opinion regarding the NIST AAL3 definition?
The NIST AAL3 specification requires:
"In order to authenticate at AAL3, claimants SHALL prove possession and control of two distinct authentication factors through secure authentication ..."
1 vote, 3 answers, 2k views
Why are FIDO2-protected SSH keys affected by phishing attacks?
The OpenSSH developers have written in a description of the "agent restrictions" feature that FIDO2 tokens are vulnerable to phishing attacks: https://www.openssh.com/agent-restrict.html
...
1 vote, 1 answer, 887 views
Can one use a GPG smartcard to implement FIDO2?
From what I understand, the idea of FIDO2 is to use symmetric cryptography, with the secret key on the token and the public key on the server. When requesting to connect, the server uses the public key to ...
1 vote, 1 answer, 396 views
Why isn't U2F's CTAP protocol forward-compatible with FIDO2's CTAP protocol?
I've been trying to find the major differences between the "U2F" and "FIDO2" two-factor authentication standards. Reading some of the articles posted by different companies and even ...