Collaborate Disseminate
Previously some good fellow explained the importance of verifying the public key created and offered by authenticators.
As before, given the complexity of a FULL implementation of RP operation, I believe it’s possible that some aspect may … Continue reading Suggestions for implementing a simplified subset of WebAuthn Relaying Party Operation
Through reading the WebAuthn spec and related MDN docs, I understand that unlike "certificate signing requests", FIDO/Passkey can have various different attestation formats and verification methods/algorithms during public-key cr… Continue reading Will sky fall if I don’t verify `AuthenticatorAttestationResponse`?
In this question: Is FIDO2 authentication vulnerable to a social engineering replay attack?
it was answered that no, not vulnerable because "the keypair used to by the FIDO device to authenticate with the credential harvesting site w… Continue reading Is FIDO authN vulnerable to relay attacks?
Why does FIDO2’s spec not mention FIDO UAF as a related standard? I wonder if FIDO UAF is still relevant. Will FIDO UAF be deprecated eventually in favor of FIDO2? Why do they co-exist if they fulfil the same purpose?
What I already know:
… Continue reading Why does FIDO2’s spec not mention FIDO UAF as a related standard? [duplicate]
Where/what are the technical specifications to sync FIDO passkeys?
FIDO passkeys are a quite hot topic. There is a white paper from FIDO Alliance about it. Several websites provide abstract descriptions which leave a lot to be desired in t… Continue reading FIDO Multi-device Authentication Sync Technical Specification
The FIDO Alliance’s Andrew Shikiar explains how passkeys are quickly replacing passwords as the next-generation login, a low friction, high security protocol for any device.
The post How FIDO2 Powers Up Passkeys Across Devices appeared first on TechRep… Continue reading How FIDO2 Powers Up Passkeys Across Devices
Google, Apple, Microsoft and other tech giants, as well as the FIDO Alliance, password managers and identity management vendors are all moving to passkeys, thanks to FIDO2.
The post RIP World Password Day appeared first on TechRepublic.
Continue reading RIP World Password Day
I’ve read about Linus Tech Tips hack, where a malware stole the browser cookies & was able to log in to Linus’s channel.
Is this preventable with Windows controlled folder access (preventing apps other than Chrome from accessing the co… Continue reading Windows controlled folder access to secure Chrome cookies?
I was wondering if it’s possible to only store and read a ssh private key on a yubikey and not read the private key the yubikey generated from a client computer?
Currently the only way it seems to work is that I store the private key on cl… Continue reading Reading SSH private key physically stored on yubikey to remote into external PC
References:
Yubico’s Take on U2F Key Wrapping
https://www.yubico.com/blog/yubicos-u2f-key-wrapping/
Key generation
https://developers.yubico.com/U2F/Protocol_details/Key_generation.html
Discoverable Credentials / Resident Keys
https://dev… Continue reading Yubikey Private Key Generation & Storage 5 Series vs Bio Key