webauthn – WindowsTechs.com

Integrating Biometrics with Auth Code Flow (w/ PKCE) on mobile

Posted on November 27, 2024 by user336510

There is a topic I have been going back and forth with for some time. Here is the premise:

we need to create a mobile app for a highly regulated industry
the app should leverage oAuth2 for obtaining fine-grained tokens for authorizing tra… Continue reading Integrating Biometrics with Auth Code Flow (w/ PKCE) on mobile→

Does a Passkey authentication system need bootstrapping by username and password?

Posted on November 22, 2024 by User65535

The Register has an article on Passkeys, and one of the issues they use to argue that they are unlikely to be widely adopted is:

The process is bootstrapped by getting the user to authenticate using a traditional approach (such as usernam… Continue reading Does a Passkey authentication system need bootstrapping by username and password?→

What is the easiest way to have a standalone implementation of Passkeys on generic hardware with backup?

Posted on November 21, 2024 by User65535

In previous question I asked about simple login systems, and WebAuthn was the answer. From a brief read of the web pages I THINK it is possible to create a standalone GPL implementation of Passkeys that can be freely backed up/duplicated … Continue reading What is the easiest way to have a standalone implementation of Passkeys on generic hardware with backup?→

Is clientDataJson and attestationObject required to verify assertion during authentication in WebAuthN?

Posted on November 8, 2024 by John Doe

Currently I am working on implementing/supporting WebAuthN in my service (JAVA). I have a Control Plane which handles the registration ceremony and Data Plane that handles the authentication ceremony. I am using WebAuthN4J. The persistent … Continue reading Is clientDataJson and attestationObject required to verify assertion during authentication in WebAuthN?→

Best Practices for WebAuthn FIDO2 reset

Posted on November 4, 2024 by wahok

Security Noob here. I am trying to build a secure passwordless login mechanism for my webservice.
The authentication mechanisms
My idea is to encourage the users to use the following two login methods:

WebAuthn with a FIDO2 token (ideally… Continue reading Best Practices for WebAuthn FIDO2 reset→

Storing a server secret in a user passkey user id

Posted on September 20, 2024 by mcrute

I want to implement passkey support as a full replacement for passwords but I have some server-side state that still needs to be encrypted to a specific user in a way that can not be decrypted or reproduced on the server side without a use… Continue reading Storing a server secret in a user passkey user id→

Storing a server secret in a user passkey rawId

Posted on September 20, 2024 by mcrute

Fido2/Webauthn Passkeys: rsa2048, rsa4096, or Ed25519?

Posted on June 14, 2024 by Mohamed Hafez

Does anyone know what kind of keys are being generated when you make a Fido2/Webauthn passkey? rsa2048, rsa4096, Ed25519, or something else? Just worried if its rsa2048 it might soon be crackable, at least by state actors.

Continue reading Fido2/Webauthn Passkeys: rsa2048, rsa4096, or Ed25519?→

How is a passkey more secure than the regular email/password with U2F key?

Posted on June 13, 2024 by Eduardo Bautista

Since I use 1Password to store my passkeys along with emails and passwords, it appears to be that passkeys are not as secure as using the email and password with U2F flow that I currently use on many websites/apps.
I am starting to think t… Continue reading How is a passkey more secure than the regular email/password with U2F key?→

storing user hashed password into webauthn id

Posted on March 1, 2024 by Wazime

I am building a pure client-side app.
My users have a .kdbx vault stored in localStorage, and they can open it with a password.
In order to add a biometric\quick open feature into the app I thought about creating a Webauthn entry and stori… Continue reading storing user hashed password into webauthn id→