Collaborate Disseminate
User verification in WebAuthn can either be required, preferred, or discouraged. The last two are a hint to the authenticator that may be ignored. I see how they could be used to prevent client-side user verification if the server has alre… Continue reading What is the point of required user verification in WebAuthn?
We’re wanting to support out-of-the-box digital currency wallets for user’s of our web app.
We have passkeys / webauthn working and would ideally like to associate these credentials with wallet access.
Wallets should be self custodial with… Continue reading Passkeys WebAuthN PRF extension to encrypt/decrypt private key of non-custodial wallet
I’ve been reading about WebAuthn and try to write some code to exercise.
One thing I noticed is that the spec doesn’t seem to provide any way to verify the correctness of the public-key being create()’d other than through attestation. And … Continue reading WebAuthn does not guarantee public-key integrity other than trough attestation?
Do passkeys offer more security for intranet websites compared to passwords?
I know there are additional methods like 2FA to get more security, but I just want to look at a optional replacement for simple password-based authentication over… Continue reading Passkeys versus passwords for intranet websites
What is the best practice for allowing users to reset a passkey (WebAuthn)?
Should I just have them click a link in their email like it was a password, or is there a more secure way of doing it? In addition, is there best practice way of a… Continue reading What is the proper procedure to allow users to reset their passkey
Where/what are the technical specifications to sync FIDO passkeys?
FIDO passkeys are a quite hot topic. There is a white paper from FIDO Alliance about it. Several websites provide abstract descriptions which leave a lot to be desired in t… Continue reading FIDO Multi-device Authentication Sync Technical Specification
So Apple syncs FIDO Passkeys across a user’s devices using iCloud Keychain.
Can one inspect those Passkeys in ones own iCloud Keychain e.g. with the macOS app Keychain Access? I have tried with version 11.0 on macOS 13.1, but don’t yet see… Continue reading Can one inspect Passkeys on iCloud Keychain [migrated]
Is it possible to inspect data (pubkeys, domain names used for webauthn, not private keys) related to private keys stored in the TPM on Windows?
I legally own the hardware and have maximum permissions on my user account
I have the necessa… Continue reading Is it possible to see the pubkeys that pair with private keys inside the TPM in Windows?
I provide a web application that uses FIDO2 for two-factor authentication. Recently I got reports that Windows users have to enter a PIN each time they use their hardware token. As far as I understand, this is considered a form of user ver… Continue reading FIDO2: should I set user verification to "discouraged" with two-factor authentication?
I have a web application that runs on the client side only (no backend server), and I need a way to encrypt user data on the blockchain. Users who encrypted the data needs to be able to decrypt the data later.
I’m thinking of using the We… Continue reading Security concerns in using passkey (WebAuthn) to encrypt data