Collaborate Disseminate
In this question: Is FIDO2 authentication vulnerable to a social engineering replay attack?
it was answered that no, not vulnerable because "the keypair used to by the FIDO device to authenticate with the credential harvesting site w… Continue reading Is FIDO authN vulnerable to relay attacks?
Where/what are the technical specifications to sync FIDO passkeys?
FIDO passkeys are a quite hot topic. There is a white paper from FIDO Alliance about it. Several websites provide abstract descriptions which leave a lot to be desired in t… Continue reading FIDO Multi-device Authentication Sync Technical Specification
I’ve read about Linus Tech Tips hack, where a malware stole the browser cookies & was able to log in to Linus’s channel.
Is this preventable with Windows controlled folder access (preventing apps other than Chrome from accessing the co… Continue reading Windows controlled folder access to secure Chrome cookies?
References:
Yubico’s Take on U2F Key Wrapping
https://www.yubico.com/blog/yubicos-u2f-key-wrapping/
Key generation
https://developers.yubico.com/U2F/Protocol_details/Key_generation.html
Discoverable Credentials / Resident Keys
https://dev… Continue reading Yubikey Private Key Generation & Storage 5 Series vs Bio Key
OpenSSH 8.2 added -sk key types that allow for FIDO/U2F hardware authenticators (like a YubiKey, etc.)
yubikey-agent allows for the same functionality, except it (a) requires an additional client on top of OpenSSH, and (b) is scoped to onl… Continue reading When hardening my SSH key, why would I use yubikey-agent instead of the built-in `-sk` key type native to OpenSSH?
If I have a YubiKey/other hardware key, then I can add that as a U2F device and restrict logins to require that hardware key to be present when logging in to web sites with my username and password.
However, if I add "This Device"… Continue reading Chrome U2F Authentication TouchID vs YubiKey/Hardware token
The Problem:
Use the platform TMP of my Windows Laptop/PC (no external device or USB token) as U2F in a web application to check if it is a known device.
My intended solution:
I need to store/create something (Cetificate, Private/Public K… Continue reading Use platform TPM as U2F for web applications
[Samuel]’s first foray into making DIY hardware authentication tokens was a great success, but he soon realized that a device intended for everyday carry and use has a few different …read more Continue reading TurtleAuth DIY Security Token Gets (Re)designed for Durable, Everyday Use
I was troubled from the very beginning by the fact that my U2F security fob acts as a keyboard and theoretically is able to press any key when no one is looking. Sometimes I accidentally touch it and then screen goes mad because of all tho… Continue reading Why do some FIDO security fobs use keyboard emulation mode?
Context
I was answering a question about how YubiKey can generate "infinite" keypairs for Fido U2F but doesn’t need to store them locally.
This leads to my initial question:
Initial Question
Can I register with a FIDO U2F service… Continue reading Fido U2F, can a modified client theoretically register the same key multiple times? YubiKey Wrapped PrivateKey Method