Reading SSH private key physically stored on yubikey to remote into external PC

I was wondering if it’s possible to only store and read an SSH private key on a yubikey and not read the private key the yubikey generated from a client computer?
Currently the only way it seems to work is that I store the private key on cl…

When hardening my SSH key, why would I use yubikey-agent instead of the built-in `-sk` key type native to OpenSSH?

OpenSSH 8.2 added -sk key types that allow for FIDO/U2F hardware authenticators (like a YubiKey, etc.)
yubikey-agent allows for the same functionality, except it (a) requires an additional client on top of OpenSSH, and (b) is scoped to onl…

Is FIDO2 authentication vulnerable to a social engineering replay attack?

I’m starting to learn about the FIDO2 standard, and I’m wondering if this scenario is possible…

Victim visits a credential harvesting page and enters their credentials
Credential harvesting backend opens a connection to the legitimate l…

What security measures does YubiKey take to secure its hardware from malicious firmware tampering? [closed]

We’ve all certainly heard about the widely overhyped BadUSB exploits on the Phison microcontrollers.
There’s certainly a high potential of gaining something by targeting such a specific device, which is designed to only contain secrets.
Ev…

FIDO U2F, can a modified client theoretically register the same key multiple times? YubiKey Wrapped PrivateKey Method

Context
I was answering a question about how YubiKey can generate "infinite" keypairs for FIDO U2F but doesn’t need to store them locally.
This leads to my initial question:
Initial Question
Can I register with a FIDO U2F service…