Collaborate Disseminate
Apple and now Google are releasing products that are built on WebAuthn as a replacement for traditional username + passwords. Why did this technology beat out PAKEs?
Continue reading Why did WebAuthn beat PAKEs as the preferred password replacement?
The Problem:
Use the platform TMP of my Windows Laptop/PC (no external device or USB token) as U2F in a web application to check if it is a known device.
My intended solution:
I need to store/create something (Cetificate, Private/Public K… Continue reading Use platform TPM as U2F for web applications
Regarding Apple’s beta feature of storing WebAuthn passkeys in the iCloud Keychain, does anybody know if the unencrypted passkeys ever leave the secure enclave, and get stored in RAM or anything?
With traditional WebAuthn on a Yubikey or s… Continue reading Do passkeys on iCloud Keychain ever exist unencrypted outside the secure enclave?
Context
I was answering a question about how YubiKey can generate "infinite" keypairs for Fido U2F but doesn’t need to store them locally.
This leads to my initial question:
Initial Question
Can I register with a FIDO U2F service… Continue reading Fido U2F, can a modified client theoretically register the same key multiple times? YubiKey Wrapped PrivateKey Method
Today I read this blog entry by Yubico regarding Asynchronous Remote Key Generation. This proposal solves, in my view, the largest outstanding problem in the widescale adoption of challenge-response hardware authentication keys.
Some backg… Continue reading Status of Asynchronous Remote Key Generation in the developing WebAuthn standard?
Today I read this blog entry by Yubico regarding Asynchronous Remote Key Generation. This proposal solves, in my view, the largest outstanding problem in the widescale adoption of challenge-response hardware authentication keys.
Some backg… Continue reading Status of Asynchronous Remote Key Generation in the developing WebAuthn standard?
I’m designing a web service meant for storing data for users, but these users don’t have proper server-side accounts, just a random master key the user generated and stores on their device (a bip39 mnemonic) so they can derive some public-… Continue reading HTTP authentication with client-side private key
I am trying to understand the FIDO2 standard. I know that a Relying Party has to implement a mechanism that checks the counter of the respective credentials. Most of the time, a counter is stored in the database of the server, which has to… Continue reading How exactly does the detection of a cloned FIDO2 credential work?
Usually, for all types of authentications, we trust the registration process and assume there is no attack is happening Like in the case of FIDO2 registration. However, as the registration process is built within the browser and can be com… Continue reading Does moving webAuthn API from browser to OS improves security of registration process?
I’m assuming instead of saying "forgot password?" the text would say "lost your key?" or "don’t have your device?". But what would the process of secondary access look like in the future when passwords are ..a… Continue reading What is the equivalent of "forgot password" in password-less login applications using FIDO2 / Webauthn or later?