How does the attestation mechanism of U2F guarantee the provenance of the key material?

I’m trying to understand Yubico’s documentation of the U2F standard, and getting hung up on the PIV attestation piece.

The security claim appears to be that the authoritatively-signed attestation certificate sent by the device upon regist…

Does injecting my own key material into the authenticator undermine authenticator’s attestation?

I’d like to be able to inject my own key material in the FIDO2 authenticator; at the very least it will remove the need to trust the vendor (because we have no guarantee whether the vendor keeps copies of the keys to themselv…

FIDO2: The Dream Of Password-Free Authentication On The WWW

Of all the things which are annoying about the modern World Wide Web, the need to create and remember countless passwords is on the top of most people’s lists. From dozens of passwords for everything from social media sites to shopping, company, and productivity-related platforms like GitHub, a large part …
