Collaborate Disseminate
I have been thinking about backing up passkeys, I asked a previous question about backing up individual private keys. This procedure requires one to create the backup after creating the account.
There are some analogies between the algori… Continue reading Would a passkey client that had a seed for backup break the specification?
Every WebAuthn implementation I’ve seen stores the session data server side, but that just seems pointless to me, since what seems to be essentially all the same data is already sent to the client in the options.
(For clarification what I’… Continue reading Is there a reason to not send signed FIDO2/WebAuthn session data to the client rather than storing it server side?
In exploring the use of passkeys I have used KeePassXC. I followed their instructions to create a paper backup and did not get any private data about the passkey. There is available an entry called KPEX_PASSKEY_PRIVATE_KEY_PEM (as well a… Continue reading Is there a good way to keep a paper backup of a passkey?
There is a topic I have been going back and forth with for some time. Here is the premise:
we need to create a mobile app for a highly regulated industry
the app should leverage oAuth2 for obtaining fine-grained tokens for authorizing tra… Continue reading Integrating Biometrics with Auth Code Flow (w/ PKCE) on mobile
The Register has an article on Passkeys, and one of the issues they use to argue that they are unlikely to be widely adopted is:
The process is bootstrapped by getting the user to authenticate using a traditional approach (such as usernam… Continue reading Does a Passkey authentication system need bootstrapping by username and password?
In previous question I asked about simple login systems, and WebAuthn was the answer. From a brief read of the web pages I THINK it is possible to create a standalone GPL implementation of Passkeys that can be freely backed up/duplicated … Continue reading What is the easiest way to have a standalone implementation of Passkeys on generic hardware with backup?
Currently I am working on implementing/supporting WebAuthN in my service (JAVA). I have a Control Plane which handles the registration ceremony and Data Plane that handles the authentication ceremony. I am using WebAuthN4J. The persistent … Continue reading Is clientDataJson and attestationObject required to verify assertion during authentication in WebAuthN?
Security Noob here. I am trying to build a secure passwordless login mechanism for my webservice.
The authentication mechanisms
My idea is to encourage the users to use the following two login methods:
WebAuthn with a FIDO2 token (ideally… Continue reading Best Practices for WebAuthn FIDO2 reset
I want to implement passkey support as a full replacement for passwords but I have some server-side state that still needs to be encrypted to a specific user in a way that can not be decrypted or reproduced on the server side without a use… Continue reading Storing a server secret in a user passkey rawId
I want to implement passkey support as a full replacement for passwords but I have some server-side state that still needs to be encrypted to a specific user in a way that can not be decrypted or reproduced on the server side without a use… Continue reading Storing a server secret in a user passkey user id