Highest Voted 'fido2' Questions - IT Security Stack Exchange

12

votes

1 answer

FIDO and FIDO2 differences

I've been reading both FIDO and FIDO2 specs for a while tring to understand the similarities and differences between both. Here is how I broke it down so far: FIDO: First iteration in creating a cross industry standard for passwordless / 2fa…

asked Nov 05 '19 at 22:47

Filipe Rodrigues

398
3
13

7

votes

3 answers

How to set up two YubiKeys to have the same secret?

A lot of services offer authentication with FIDO2, such as Twitter, but only allow the user to set one "security key". This is problematic in case the key is lost or breaks. The ideal solution would be to allow a user to set up multiple keys,…

yubikey fido2

asked Feb 03 '21 at 11:53

user163495

6

votes

2 answers

Does injecting my own key material into the authenticator undermine authenticator's attestation?

I'd like to be able to inject my own key material in the FIDO2 authenticator; at the very least it will remove the need to trust the vendor (because we have no guarantee whether the vendor keeps copies of the keys to themselves, because of…

u2f fido fido2

asked Nov 07 '19 at 10:57

Dmitry Frank

195
11

6

votes

1 answer

Is there any privacy- or security-relevant difference between FIDO2 and SQRL

I just learned about FIDO2 (WebAuthn) and try to make a comparison to the lesser-known novel SQRL authentication scheme. Both seem to use the same key elements: a private, user-resident "master key" thus not relying on a 3rd party like OAuth. a…

authentication privacy identity fido2 sqrl

asked Aug 22 '19 at 11:17

Marcel

3,494
1
18
35

3

votes

1 answer

Is FIDO2 authentication vulnerable to a social engineering replay attack?

I'm starting to learn about the FIDO2 standard, and I'm wondering if this scenario is possible... Victim visits a credential harvesting page and enters their credentials Credential harvesting backend opens a connection to the legitimate login page…

authentication phishing social-engineering fido fido2

asked Jun 18 '22 at 18:34

Sean W.

835
4
14

3

votes

2 answers

Why does WebAuthn require a challenge when asking the client to register a new credential?

When registering a new credential as part of WebAuthn, why does the client need to be sent a challenge? Presumably this is to prevent a replay attack, but wouldn't a replay attack be prevented by TLS already?

challenge-response webauthn fido2

asked Nov 14 '19 at 17:14

johnnyodonnell

153
5

3

votes

1 answer

Yubikey - WebAuthn and U2F

I have a yubikey which supports only U2F. It doesn't support FIDO2. I read about U2F and i understand how it works. When i test my Yubikey for WebAuthn on https://webauthn.io it works. I wanted to know how WebAuthn works with my Yubikey when there…

u2f webauthn fido2

asked Sep 14 '19 at 15:51

Jack

63
5

1

vote

1 answer

Why isn't U2F's CTAP protocol forwards-compatible with FIDO2's CTAP protocol?

I've been trying to find the major differences between "U2F" versus "FIDO2" two-factor authentication standards. Reading some of the articles posted by different companies and even the FIDO site itself give the impression that the main work of the…

protocols u2f fido fido2

asked Apr 07 '21 at 19:00

natevw

131
5

1

vote

0 answers

Avoiding Replay Attacks while Using FIDO2's HMAC Secret to Encrypt Data

FIDO2's HMAC Secret extension generates a symmetric secret that can be used to encrypt and decrypt data. HMAC secret's output is based on output1: HMAC-SHA-256(CredRandom, salt1) Where salt1 is from the platform and CredRandom is generated and…

fido2

asked Mar 22 '21 at 03:47

1283822

111
1

1

vote

0 answers

How to uses FIDO2 hmac-secret extension for offline authentication?

How hmac-secret extension defined in the CTAP2 Specification is used to help implement offline authentication with an authenticator. Is there any other specification that says how to do this? From the exploration around, it looks like Microsoft is…

authentication hmac fido2 offline

asked Mar 01 '21 at 14:00

Dinesh Kumar Sarangapani

121
4

1

vote

1 answer

Implementing FIDO2 (WebAuthN) in Native iOS

I am currently investigating the idea of implementing FIDO2 (WebAuthN) support in native iOS using Swift. I understand that there is no FIDO2 support in native iOS, and only available through Safari native app, but Safari is not an option that I'm…

ios fido webauthn fido2

asked Oct 30 '20 at 22:47

Go James

11
2

1

vote

0 answers

FIDO2 - Where do Android and IOS platform authenticators store private key credentials?

I'm new to FIDO2 specification. I'm aware that Android and IOS devices support FIDO2 protocols (even Android phones could act as a physical key for FIDO2 authentication). However, Could anyone let me know that, when we use the platform…

android ios fido fido2

asked Jul 22 '20 at 08:44

Danh Thanh Nguyen

11
2

1

vote

0 answers

"Something you have" on a multi-user device - what is the opinion regarding the NIST AAL3 definition?

The NIST AAL3 specification requires In order to authenticate at AAL3, claimants SHALL prove possession and control of two distinct authentication factors through secure authentication protocol(s) Consider a Windows 10 tablet device with a…

authentication windows-10 tpm nist fido2

asked Feb 18 '20 at 15:26

MrMoosehead

11
2

1

vote

0 answers

WebAuthn Variation with non-connect dongle Authenticator

As I read through the WebAuthn / FIDO2 documentation, it appears the authentication is done on the local device to create an attestation to the FIDO server. This future implies the "biometrics" or other Authenticator means must be connected to the…

fido webauthn fido2

asked Dec 16 '19 at 15:53

mazecreator

111
2

1

vote

0 answers

Practicality of Direct Anonymous Attestation

DAA (Direct Anonymous Attestation) is not the only scheme to achieve anonymous attestation. In general, these schemes allow an entity to stay anonymous throughout the attestation process. The concern here is not the attestation but key revocation.…

anonymity tpm fido fido2

asked Nov 02 '19 at 23:11

Consy

111
3

Questions tagged [fido2]