Is it already possible to buy a USB-pendrive-style authentication key that is compatible with WebAuthN?

If yes, what technical standard/specification should it support?

According to press releases such as this, it is already possible, but I would like to know whether this is Yubico trying to be first on the market and releasing something that may not be compatible, or if a key such as the one referenced in the press release is compatible because it implements the FIDO2 standard.

4
  • This question has nothing to do with Yubikey.
    – Ramhound
    Commented Apr 25, 2018 at 14:34
  • WebAuthN has not been formally implemented in any browser at this time.
    – Ramhound
    Commented Apr 25, 2018 at 14:36
  • I've added some more information - hopefully this makes my question clearer.
    – Rich
    Commented Apr 25, 2018 at 15:00
  • 1
    FIDO2 != WebAuthN
    – Ramhound
    Commented Apr 25, 2018 at 15:33

2 Answers

4

As far as I can understand, based on Adam Langley's blog post, there are two distinct layers:

  1. The protocol (API) used by websites to access a token through the browser. Currently websites use the "FIDO U2F JavaScript API", and it is this API which WebAuthn replaces.

  2. The protocol used by browsers (and other local software) to talk to the token itself. Currently FIDO U2F keys use the CTAPv1 protocol ("Client To Authenticator Protocol"), but new devices will be using CTAPv2. When Yubico talk about "FIDO2", they mean this protocol.

Although the upgrades are related to each other (CTAPv2 adds new features which WebAuthn will use), the layers are still mostly independent, and the protocols are mostly backwards-compatible. That is:

  • Compared with CTAPv1, the main upgrade in CTAPv2 is that devices will have more storage to make them usable as main auth factor (and possibly other features).

    However, existing U2F parts seem to remain the same as in CTAPv1 (more or less, the token just needs to do digital signatures).

  • Compared with FIDO U2F API, the most important change in WebAuthn is in how it generates identifiers ("AppID") for the "relying party", i.e. the website.

    However, tokens don't care about the internal structure of the identifier (it only needs to match), and WebAuthn even has provisions to allow the usage of existing FIDO U2F registrations. (New registrations done via WebAuthn won't work with FIDO U2F though.)

Therefore, if all you need is 2nd factor (U2F), it seems that all existing token models will still work with WebAuthn.

1

FIDO2 is an open authentication standard that consists of the W3C Web Authentication specification (WebAuthn) and the Client to Authentication Protocol (CTAP). CTAP is an application layer protocol used for communication between a client (browser) or a platform (operating system) and an external authenticator (Security Key by Yubico). WebAuthn is an API enabling a client or platform to create and use public-key based credentials with a Relying Party. Yubico is a core contributor to the CTAP protocol, and the specification is hosted by the FIDO Alliance.
