Collaborate Disseminate
When registering a new credential as part of WebAuthn, why does the client need to be sent a challenge?
Presumably this is to prevent a replay attack, but wouldn’t a replay attack be prevented by TLS already?
I’ve been reading both FIDO and FIDO2 specs for a while tring to understand the similarities and differences between both. Here is how I broke it down so far:
FIDO: First iteration in creating a cross industry standard for passwordless … Continue reading FIDO and FIDO2 differences
Some types of 2FA security can no longer be guaranteed to keep the bad guys out, the FBI warned US companies. Continue reading Hackers bypassing some types of 2FA security FBI warns
My ideal bank would offer online banking from a browser with user/pwd and WebAuthn, for example with a NFC or USB key. No OTP or SMS or apps on the smartphone or physical devices required. (It goes without saying, no recovery… Continue reading Why don’t online banks use WebAuthn? [on hold]
Is there a way to emulate Webauthn so that we’ll be able to a automated testing on our FIDO2 server?
I have a yubikey which supports only U2F. It doesn’t support FIDO2. I read about U2F and i understand how it works.
When i test my Yubikey for WebAuthn on https://webauthn.io it works. I wanted to know how WebAuthn works wi… Continue reading Yubikey – WebAuthn and U2F
GitHub is the latest company to support WebAuthn, a new standard that makes logging into online services using a browser more secure. Continue reading GitHub joins WebAuthn club
via Lucas Garron, writing at GitHub’s blog, of outstanding security news at the eponymous version control site: GitHub now fully supports WebAuthn (Web Authentication) for security keys.
“The future of authentication: secure and easy-to-use
Account … Continue reading WebAuthn + GitHub
I am reading on digital signatures:
A valid digital signature gives a recipient reason to believe that the
message was created by a known sender (authentication), that the
sender cannot deny having sent the message (n… Continue reading 2fa attestation object for non-repudiation
WebAuthn is a relatively new API for authentication, and it uses public key cryptography instead of something like passwords.
I am wondering if it is possible to use the cryptographic part for a different purpose, specifically creating di… Continue reading Is it possible to use WebAuthn for digitally signing documents in the browser?