Collaborate Disseminate
Now that OpenSSH supports Elliptic curve security keys (since version 8.2), it’s possible to generate a ed25519-sk key on a hardware security key:
$ ssh-keygen -t ed25519-sk -C comment
This generates a public and a private key parts. How … Continue reading How sensitive is the primary key stub of an ed25519 security key (~/.ssh/id_ed25519_sk)?
I just setted my yubikey on Google so I can login into Google without any passwords. However, I don’t even have to put a PIN on the yubikey, it simply works. I find this very very dangerous as anyone with my yubikey would be able to access… Continue reading Why my yubikey is not protected by a PIN to log into Google?
When you log into a website, it stores cookies that let your browser access the website without having the password.
Given that some sites support yubikey for login, does it mean that the yubikey actively signs requests from my computer, o… Continue reading Can yubikeys prevent cookie stealing?
My google-foo failed me as most "how it works" sections related to fido are very… let’s say… consumer-oriented.
So openssh supports U2F natively when using the appropriate elliptic-curve-based cipher (namely ed25519-sk and th… Continue reading How does ed25519-sk actually works?
Usually, for all types of authentications, we trust the registration process and assume there is no attack is happening Like in the case of FIDO2 registration. However, as the registration process is built within the browser and can be com… Continue reading Does moving webAuthn API from browser to OS improves security of registration process?
I’m assuming instead of saying "forgot password?" the text would say "lost your key?" or "don’t have your device?". But what would the process of secondary access look like in the future when passwords are ..a… Continue reading What is the equivalent of "forgot password" in password-less login applications using FIDO2 / Webauthn or later?
I’m assuming instead of saying "forgot password?" the text would say "lost your key?" or "don’t have your device?". But what would the process of secondary access look like in the future when passwords are ..a… Continue reading What is the equivalent of "forgot password" in password-less login applications using FIDO2 / Webauthn or later?
I’ve been trying to find the major differences between "U2F" versus "FIDO2" two-factor authentication standards. Reading some of the articles posted by different companies and even the FIDO site itself give the impressi… Continue reading Why isn’t U2F’s CTAP protocol forwards-compatible with FIDO2’s CTAP protocol?
I have a Yubikey 5, I can store a PGP key inside, it has OTP abilities, FIDO, NFC, etc… Which is great for a device like this.
First of all, I understand how a smart card is more secured than an app/sms based OTP for instance, but seeing… Continue reading Why would a U2F key be more secured than an OTP device?
Remote work is evolving. Organizations must future-proof their IAM strategies to maintain remote work and ensure that their employees can securely connect to company applications and networks.
The post The Future Impact of Remote Work on IAM appeared f… Continue reading The Future Impact of Remote Work on IAM