Collaborate Disseminate
Currently I am working on implementing/supporting WebAuthN in my service (JAVA). I have a Control Plane which handles the registration ceremony and Data Plane that handles the authentication ceremony. I am using WebAuthN4J. The persistent … Continue reading Is clientDataJson and attestationObject required to verify assertion during authentication in WebAuthN?
Security Noob here. I am trying to build a secure passwordless login mechanism for my webservice.
The authentication mechanisms
My idea is to encourage the users to use the following two login methods:
WebAuthn with a FIDO2 token (ideally… Continue reading Best Practices for WebAuthn FIDO2 reset
I want to implement passkey support as a full replacement for passwords but I have some server-side state that still needs to be encrypted to a specific user in a way that can not be decrypted or reproduced on the server side without a use… Continue reading Storing a server secret in a user passkey rawId
I want to implement passkey support as a full replacement for passwords but I have some server-side state that still needs to be encrypted to a specific user in a way that can not be decrypted or reproduced on the server side without a use… Continue reading Storing a server secret in a user passkey user id
Does anyone know what kind of keys are being generated when you make a Fido2/Webauthn passkey? rsa2048, rsa4096, Ed25519, or something else? Just worried if its rsa2048 it might soon be crackable, at least by state actors.
Continue reading Fido2/Webauthn Passkeys: rsa2048, rsa4096, or Ed25519?
Since I use 1Password to store my passkeys along with emails and passwords, it appears to be that passkeys are not as secure as using the email and password with U2F flow that I currently use on many websites/apps.
I am starting to think t… Continue reading How is a passkey more secure than the regular email/password with U2F key?
I am building a pure client-side app.
My users have a .kdbx vault stored in localStorage, and they can open it with a password.
In order to add a biometric\quick open feature into the app I thought about creating a Webauthn entry and stori… Continue reading storing user hashed password into webauthn id
I’m not entirely convinced of the importance of verifying the authenticator attestation, and I’ve asked a question about it, I’m open to it, and if you want, you can post an answer at that question, but this one is specifically about "… Continue reading How does it "allow a malicious website to obtain valid credentials." – WebAuthn
Previously some good fellow explained the importance of verifying the public key created and offered by authenticators.
As before, given the complexity of a FULL implementation of RP operation, I believe it’s possible that some aspect may … Continue reading Suggestions for implementing a simplified subset of WebAuthn Relaying Party Operation
The description for the FineTech FPS00200 USB fingerprint sensor mentions that it does support Windows Hello specifically, but it does not mention FIDO2 more generally. But then FWIK Windows Hello implements FIDO2 (WebAuthn) and more.
So c… Continue reading Can a USB fingerprint sensor support Windows Hello but not FIDO2