Questions tagged [webauthn]

The tag has no usage guidance.

-1 votes
1 answer
42 views

Fido2/Webauthn Passkeys: rsa2048, rsa4096, or Ed25519?

Does anyone know what kind of keys are being generated when you make a Fido2/Webauthn passkey? rsa2048, rsa4096, Ed25519, or something else? Just worried if it's rsa2048 it might soon be crackable, at ...
Mohamed Hafez
5 votes
2 answers
2k views

How is a passkey more secure than the regular email/password with U2F key?

Since I use 1Password to store my passkeys along with emails and passwords, it appears to be that passkeys are not as secure as using the email and password with U2F flow that I currently use on many ...
Eduardo Bautista
0 votes
0 answers
72 views

storing user hashed password into webauthn id

I am building a pure client-side app. My users have a .kdbx vault stored in localStorage, and they can open it with a password. In order to add a biometric/quick open feature into the app I thought ...
Wazime • 101
0 votes
2 answers
189 views

How does it "allow a malicious website to obtain valid credentials." - WebAuthn

I'm not entirely convinced of the importance of verifying the authenticator attestation, and I've asked a question about it, I'm open to it, and if you want, you can post an answer at that question, ...
DannyNiu • 374
0 votes
1 answer
69 views

Suggestions for implementing a simplified subset of WebAuthn Relying Party Operation

Previously some good fellow explained the importance of verifying the public key created and offered by authenticators. As before, given the complexity of a FULL implementation of RP operation, I ...
DannyNiu • 374
1 vote
1 answer
156 views

Is 3DS compatible with secure 2FA technologies? (TOTP, WebAuthn)

Is PSD2's Strong Customer Authentication requirement possible to satisfy with secure 2FA solutions, such as TOTP and WebAuthn? For the purposes of this question, I'm classifying all systems where an ...
Michael Altfield
0 votes
0 answers
14 views

Why does FIDO2's spec not mention FIDO UAF as a related standard? [duplicate]

Why does FIDO2's spec not mention FIDO UAF as a related standard? I wonder if FIDO UAF is still relevant. Will FIDO UAF be deprecated eventually in favor of FIDO2? Why do they co-exist if they fulfil ...
kinafu • 101
0 votes
0 answers
77 views

Webauthn: Access control for the public key credential uploaded by the user's device

I'm experimenting with adding passkeys to Drupal. I'm using webauthn-lib 4.7. When registering a passkey, the device generates a Public Key Credential, which is then sent to the server as stringified ...
Patrick Kenny
2 votes
0 answers
139 views

Did Android remove Fingerprint/Passcode for WebAuthN and lower security to push Passkeys?

So, before this year, when you were using WebAuthN to create security keys on an up to date Android phone (Pixel 6 in my case), you had these options (iirc): When creating a platform authenticator, ...
xsrf • 178
2 votes
2 answers
2k views

Are passkeys a secure replacement for 2FA?

Passkeys seem great for me as an individual, instead of passwords and TOTP tokens I can now slowly ditch the passwords and the somewhat annoying (but important!) TOTP tokens which I have locked in my ...
Anthon Nilsson
0 votes
2 answers
604 views

What is the point of required user verification in WebAuthn?

User verification in WebAuthn can either be required, preferred, or discouraged. The last two are a hint to the authenticator that may be ignored. I see how they could be used to prevent client-side ...
tobib • 153
0 votes
1 answer
175 views

WebAuthn does not guarantee public-key integrity other than through attestation?

I've been reading about WebAuthn and try to write some code to exercise. One thing I noticed is that the spec doesn't seem to provide any way to verify the correctness of the public-key being create()'...
DannyNiu • 374
0 votes
0 answers
125 views

Passkeys versus passwords for intranet websites

Do passkeys offer more security for intranet websites compared to passwords? I know there are additional methods like 2FA to get more security, but I just want to look at an optional replacement for ...
fitcfitcfatc
2 votes
1 answer
173 views

What is the proper procedure to allow users to reset their passkey

What is the best practice for allowing users to reset a passkey (WebAuthn)? Should I just have them click a link in their email like it was a password, or is there a more secure way of doing it? In ...
reesericci
1 vote
0 answers
181 views

FIDO Multi-device Authentication Sync Technical Specification

Where/what are the technical specifications to sync FIDO passkeys? FIDO passkeys are a quite hot topic. There is a white paper from FIDO Alliance about it. Several websites provide abstract ...
ndbd • 201
