Questions tagged [fido2]
22 questions
12 votes, 1 answer
FIDO and FIDO2 differences
I've been reading both FIDO and FIDO2 specs for a while trying to understand the similarities and differences between both. Here is how I broke it down so far:
FIDO: First iteration in creating a cross industry standard for passwordless / 2fa…
Filipe Rodrigues
7 votes, 3 answers
How to set up two YubiKeys to have the same secret?
A lot of services offer authentication with FIDO2, such as Twitter, but only allow the user to set one "security key". This is problematic in case the key is lost or breaks. The ideal solution would be to allow a user to set up multiple keys,…
user163495
6 votes, 2 answers
Does injecting my own key material into the authenticator undermine the authenticator's attestation?
I'd like to be able to inject my own key material in the FIDO2 authenticator; at the very least it will remove the need to trust the vendor (because we have no guarantee whether the vendor keeps copies of the keys to themselves, because of…
Dmitry Frank
6 votes, 1 answer
Is there any privacy- or security-relevant difference between FIDO2 and SQRL?
I just learned about FIDO2 (WebAuthn) and am trying to make a comparison to the lesser-known novel SQRL authentication scheme.
Both seem to use the same key elements:
a private, user-resident "master key" thus not relying on a 3rd party like OAuth.
a…
Marcel
3 votes, 1 answer
Is FIDO2 authentication vulnerable to a social engineering replay attack?
I'm starting to learn about the FIDO2 standard, and I'm wondering if this scenario is possible...
Victim visits a credential harvesting page and enters their credentials
Credential harvesting backend opens a connection to the legitimate login page…
Sean W.
3 votes, 2 answers
Why does WebAuthn require a challenge when asking the client to register a new credential?
When registering a new credential as part of WebAuthn, why does the client need to be sent a challenge?
Presumably this is to prevent a replay attack, but wouldn't a replay attack be prevented by TLS already?
johnnyodonnell
3 votes, 1 answer
Yubikey - WebAuthn and U2F
I have a Yubikey which supports only U2F. It doesn't support FIDO2. I read about U2F and I understand how it works.
When I test my Yubikey for WebAuthn on https://webauthn.io it works. I wanted to know how WebAuthn works with my Yubikey when there…
Jack
1 vote, 1 answer
Why isn't U2F's CTAP protocol forwards-compatible with FIDO2's CTAP protocol?
I've been trying to find the major differences between the "U2F" and "FIDO2" two-factor authentication standards. Reading some of the articles posted by different companies and even the FIDO site itself gives the impression that the main work of the…
natevw
1 vote, 0 answers
Avoiding Replay Attacks while Using FIDO2's HMAC Secret to Encrypt Data
FIDO2's HMAC Secret extension generates a symmetric secret that can be used to encrypt and decrypt data. HMAC secret's output is based on
output1: HMAC-SHA-256(CredRandom, salt1)
Where salt1 is from the platform and CredRandom is generated and…
1283822
1 vote, 0 answers
How to use the FIDO2 hmac-secret extension for offline authentication?
How is the hmac-secret extension defined in the CTAP2 specification used to help implement offline authentication with an authenticator? Is there any other specification that says how to do this?
From the exploration around, it looks like Microsoft is…
Dinesh Kumar Sarangapani
1 vote, 1 answer
Implementing FIDO2 (WebAuthN) in Native iOS
I am currently investigating the idea of implementing FIDO2 (WebAuthN) support in native iOS using Swift. I understand that there is no FIDO2 support in native iOS, and only available through Safari native app, but Safari is not an option that I'm…
Go James
1 vote, 0 answers
FIDO2 - Where do Android and iOS platform authenticators store private key credentials?
I'm new to FIDO2 specification.
I'm aware that Android and iOS devices support FIDO2 protocols (even Android phones could act as a physical key for FIDO2 authentication).
However, could anyone let me know, when we use the platform…
Danh Thanh Nguyen
1 vote, 0 answers
"Something you have" on a multi-user device - what is the opinion regarding the NIST AAL3 definition?
The NIST AAL3 specification requires
In order to authenticate at AAL3, claimants SHALL prove possession and
control of two distinct authentication factors through secure
authentication protocol(s)
Consider a Windows 10 tablet device with a…
MrMoosehead
1 vote, 0 answers
WebAuthn Variation with non-connect dongle Authenticator
As I read through the WebAuthn / FIDO2 documentation, it appears the authentication is done on the local device to create an attestation to the FIDO server. This feature implies the "biometrics" or other Authenticator means must be connected to the…
mazecreator
1 vote, 0 answers
Practicality of Direct Anonymous Attestation
DAA (Direct Anonymous Attestation) is not the only scheme to achieve anonymous attestation. In general, these schemes allow an entity to stay anonymous throughout the attestation process. The concern here is not the attestation but key revocation.…
Consy