Collaborate Disseminate
User verification in WebAuthn can either be required, preferred, or discouraged. The last two are a hint to the authenticator that may be ignored. I see how they could be used to prevent client-side user verification if the server has alre… Continue reading What is the point of required user verification in WebAuthn?
I provide a web application that uses FIDO2 for two-factor authentication. Recently I got reports that Windows users have to enter a PIN each time they use their hardware token. As far as I understand, this is considered a form of user ver… Continue reading FIDO2: should I set user verification to "discouraged" with two-factor authentication?
I recently discovered that my parents’ android phones have not received security updates for years because the phones are out of support. When I talked to them I realized that the benefit of up-to-date software is very abstract to them and… Continue reading Android exploit demos to scare my parents?