Collaborate Disseminate
Does webauthn provide any authentication of the server end?
Or asked differently, is there any defense against a man-in-the-middle attack that pretends to be site X, performs what looks like a webauthn login to that site, always grants acc… Continue reading Does webauthn support mutual authentication?
GitHub is pushing 2FA and offer mostly unreasonable choices; however there is webauthn and Firefox has a software version of it; so a proper security mode can be built.
But in order to do this I need to know where the token is stored so I … Continue reading Where does Firefox webauthn softtoken save its key?
I’m in the process of evaluating adding WebAuthn/Passkey support to a website, and I’m not really sure how to properly manage challenge nonces.
My understanding is that the main reason for using challenge nonces is to prevent replay attack… Continue reading How to properly manage WebAuthn challenges?
I’ve read questions targeting the usage of basic authentication over HTTPS. Since the connection is already secure, except e.g. a compromised certificate, communication should be rather safe.
But I work in a research project where HTTPS mi… Continue reading Using asymmetric encryption as authentication over HTTP?
For quite some time WebKit and others support WebAuthn. This allows for a pretty seamless 2FA experience with a key, like Yubico. On Apple devices TouchID/FaceID can also be used as a hardware key.
This creates an interesting workflow:
Us… Continue reading Does using TouchID and WebAuthn with a password manager defeat the 2FA?
The demos I’ve seen for Passkey assume that any public user can register with a website. What about the situation where you want to set up a passkey for an admin user of a website? i.e. How does an admin create a new Passkey on their devic… Continue reading Set-up Apple Passkey for private users
Apple and now Google are releasing products that are built on WebAuthn as a replacement for traditional username + passwords. Why did this technology beat out PAKEs?
Continue reading Why did WebAuthn beat PAKEs as the preferred password replacement?
The Problem:
Use the platform TMP of my Windows Laptop/PC (no external device or USB token) as U2F in a web application to check if it is a known device.
My intended solution:
I need to store/create something (Cetificate, Private/Public K… Continue reading Use platform TPM as U2F for web applications
Regarding Apple’s beta feature of storing WebAuthn passkeys in the iCloud Keychain, does anybody know if the unencrypted passkeys ever leave the secure enclave, and get stored in RAM or anything?
With traditional WebAuthn on a Yubikey or s… Continue reading Do passkeys on iCloud Keychain ever exist unencrypted outside the secure enclave?
Context
I was answering a question about how YubiKey can generate "infinite" keypairs for Fido U2F but doesn’t need to store them locally.
This leads to my initial question:
Initial Question
Can I register with a FIDO U2F service… Continue reading Fido U2F, can a modified client theoretically register the same key multiple times? YubiKey Wrapped PrivateKey Method