Collaborate Disseminate
Today I read this blog entry by Yubico regarding Asynchronous Remote Key Generation. This proposal solves, in my view, the largest outstanding problem in the widescale adoption of challenge-response hardware authentication keys.
Some backg… Continue reading Status of Asynchronous Remote Key Generation in the developing WebAuthn standard?
Today I read this blog entry by Yubico regarding Asynchronous Remote Key Generation. This proposal solves, in my view, the largest outstanding problem in the widescale adoption of challenge-response hardware authentication keys.
Some backg… Continue reading Status of Asynchronous Remote Key Generation in the developing WebAuthn standard?
I’m designing a web service meant for storing data for users, but these users don’t have proper server-side accounts, just a random master key the user generated and stores on their device (a bip39 mnemonic) so they can derive some public-… Continue reading HTTP authentication with client-side private key
I am trying to understand the FIDO2 standard. I know that a Relying Party has to implement a mechanism that checks the counter of the respective credentials. Most of the time, a counter is stored in the database of the server, which has to… Continue reading How exactly does the detection of a cloned FIDO2 credential work?
Usually, for all types of authentications, we trust the registration process and assume there is no attack is happening Like in the case of FIDO2 registration. However, as the registration process is built within the browser and can be com… Continue reading Does moving webAuthn API from browser to OS improves security of registration process?
I’m assuming instead of saying "forgot password?" the text would say "lost your key?" or "don’t have your device?". But what would the process of secondary access look like in the future when passwords are ..a… Continue reading What is the equivalent of "forgot password" in password-less login applications using FIDO2 / Webauthn or later?
I’m assuming instead of saying "forgot password?" the text would say "lost your key?" or "don’t have your device?". But what would the process of secondary access look like in the future when passwords are ..a… Continue reading What is the equivalent of "forgot password" in password-less login applications using FIDO2 / Webauthn or later?
In theory, authenticating with a public key should be much simpler than with a password. There is nothing to remember for the end-user, and registration can be done just by clicking a button. For all intents and purposes, this should be mu… Continue reading Why is Webauthn not used as primary authentication method?
I would like to determine which combination of 2FA methods are the most secure, in the context of securing my website’s users. A standard website built with php/mysql/apache or nginx.
This also takes into account the usability and convenie… Continue reading Which 2FA combinations are the most secure going forward (for website authentication)? [closed]
I am currently investigating the idea of implementing FIDO2 (WebAuthN) support in native iOS using Swift. I understand that there is no FIDO2 support in native iOS, and only available through Safari native app, but Safari is not an option … Continue reading Implementing FIDO2 (WebAuthN) in Native iOS