Collaborate Disseminate
In the same way that I can use a Yubikey or any other FIDO2 hardware key to store resident keys for use with OpenSSH (for example ssh-keygen -t ed25519-sk -O resident -O verify-required) I would like to use my iPhone. I have my iPhone most… Continue reading Can I use an iPhone connected via USB to a computer as a FIDO2 security key (for example in OpenSSH)? [migrated]
I am looking for a solution to implement passwordless authentication using expirable hardware keys. It is for devices around the world with Windows OS, and sometimes service technicians have to do something there, so I want an admin accoun… Continue reading Passwordless authentication using expiring hardware keys
I provide a web application that uses FIDO2 for two-factor authentication. Recently I got reports that Windows users have to enter a PIN each time they use their hardware token. As far as I understand, this is considered a form of user ver… Continue reading FIDO2: should I set user verification to "discouraged" with two-factor authentication?
What attack vectors exist for "bad" FIDO USB keys? What would the weaknesses of a "bad" key be? How could they be compromised?
I have been looking at several "make your own key" projects, and wonder how they… Continue reading FIDO2 security keys – what attack vectors/weaknesses exist for "bad" keys
I was wondering if it’s possible to only store and read a ssh private key on a yubikey and not read the private key the yubikey generated from a client computer?
Currently the only way it seems to work is that I store the private key on cl… Continue reading Reading SSH private key physically stored on yubikey to remote into external PC
I’m starting to learn about the FIDO2 standard, and I’m wondering if this scenario is possible…
Victim visits a credential harvesting page and enters their credentials
Credential harvesting backend opens a connection to the legitimate l… Continue reading Is FIDO2 authentication vulnerable to a social engineering replay attack?
Microsoft, Apple, and Google have committed to expanding passwordless sign-in… Continue reading Microsoft, Google, and Apple to Expand Passwordless Login Across All Major Platforms
We’ve all certainly heard about the widely overhyped BadUSB exploits on the Physon microcontrollers.
There’s certainly a high potential of gaining something by targeting such a specific device, which is designed to only contain secrets.
Ev… Continue reading What security measures does YubiKey take to secure its hardware from malicious firmware tampering? [closed]
I have a Yubikey 5 Series and would like to use it to encrypt a file, so that a physical presence of my Yubikey would be required to decrypt it.
I know you can save a PGP key onto Yubikey and use it for this purpose. However, I am planning… Continue reading Can I use Yubikey to encrypt a file without PGP?
The OpenSSH developers have written in a description of the "agent restrictions" feature that FIDO2 tokens are vulnerable to phishing attacks: https://www.openssh.com/agent-restrict.html
FIDO keys that require user-presence conf… Continue reading Why are FIDO2 protected SSH keys affected by phishing attacks?