Questions tagged [fido]

FIDO (Fast IDentity Online) is a technical specification for biometric authentication to online services.

62 questions
133 votes, 6 answers

How secure are the FIDO U2F tokens

Google and Yubico just announced the availability of cryptographic security tokens following the FIDO U2F specification. Is this just another 2FA option, or is this significantly better than solutions such as SecureID and TOTP? Specifically: In…
tylerl
20 votes, 5 answers

Why do some FIDO security fobs use keyboard emulation mode?

I was troubled from the very beginning by the fact that my U2F security fob acts as a keyboard and theoretically is able to press any key when no one is looking. Sometimes I accidentally touch it and then screen goes mad because of all those…
IlliakaillI
18 votes, 1 answer

FIDO, U2F Compatibility

I've been following the FIDO standard (a consumer-friendly public-key system similar to SSH key pairs) and it appears that it's close to being complete: both Google and PayPal have been testing it internally for some time, the just-announced Samsung…
Indolering
13 votes, 1 answer

How can mobile sign-on be secured from imposter authentication screens?

History seems to have come almost full circle where old issues are shown in new/emerging technologies. Background If you trust the operating system, Windows originally had the Control - Alt - Delete as a way to prevent TSR (Terminate and Stay…
makerofthings7
12 votes, 1 answer

FIDO and FIDO2 differences

I've been reading both FIDO and FIDO2 specs for a while trying to understand the similarities and differences between both. Here is how I broke it down so far: FIDO: First iteration in creating a cross industry standard for passwordless / 2fa…
Filipe Rodrigues
9 votes, 2 answers

Are FIDO U2F keys (like dual Yubikeys or dual Google Titan keys) undermined by the Google account recovery process?

According to the Google information page here: https://support.google.com/accounts/answer/6103523 If you don’t have another second step or forgot your password Note: 2-Step Verification requires an extra step to prove you own an account. Because of…
knaccc
9 votes, 3 answers

Why is U2F not good enough to be used as authentication?

In the context of low- and mid-security applications (i.e., 95% of the web), why isn't U2F good enough to be the only factor? As far as I can tell, U2F very securely implements the "something you have" authentication factor. There are many web apps…
AstraLuma
8 votes, 1 answer

MITM attacks on FIDO UAF and U2F

In Section 6 of the Universal 2nd Factor (U2F) Overview, where MITM attacks are discussed – near the end of the section, it reads: It is still possible to MITM a user's authentication to a site if the MITM is a. able to get a server cert for the…
weaver
8 votes, 2 answers

Why is FIDO U2F an entirely different standard from FIDO UAF instead of just a subset?

As you may already be aware, the Universal 2nd Factor (U2F) standard is a standard for 2nd-factor authentication which allows users to authenticate to web applications using a USB hardware token. While reading up on this standard, I discovered that…
Ajedi32
8 votes, 1 answer

From a credential flow perspective, what's the difference between FIDO UAF and FIDO 2.0 Web Services?

The FIDO Standard allows for devices and authentication schemes to be certified as UAF or U2F. This allows for flexible unified authentication, and optional second factor enrollment and registration. Deployment: Chrome has built in FIDO U2F…
makerofthings7
7 votes, 1 answer

Fido: trusting user-agent

As I went through Fido specifications: "the server (providing web app/services) needs to trust the user agent for local fido authentication and if needed can enforce certain policies" I am not sure what that translates into. How is the trust…
tech_geek
7 votes, 2 answers

Can a FIDO U2F device be used for symmetric encryption?

As I understand, U2F is mainly used for authentication. It uses a challenge-response scheme to check if the device used for logging in is the same device which was used during registration, based on a shared secret. So the result of the process is a…
atok
7 votes, 1 answer

Are there any risks associated with using a single U2F/FIDO key with multiple sets of credentials?

I recently got a FIDO U2F key (AKA a Yubikey). I currently only use it across a range of services, but could this be a security risk in any way? For example, if I use my U2F key to authenticate on a shady and/or insecure and/or malicious website,…
Jules
6 votes, 0 answers

How sensitive is the primary key stub of an ed25519 security key (~/.ssh/id_ed25519_sk)?

Now that OpenSSH supports elliptic curve security keys (since version 8.2), it's possible to generate an ed25519-sk key on a hardware security key: $ ssh-keygen -t ed25519-sk -C comment This generates public and private key parts. How sensitive…
Petr
6 votes, 2 answers

Does injecting my own key material into the authenticator undermine authenticator's attestation?

I'd like to be able to inject my own key material in the FIDO2 authenticator; at the very least it will remove the need to trust the vendor (because we have no guarantee whether the vendor keeps copies of the keys to themselves, because of…
Dmitry Frank