Questions tagged [fido]

FIDO (Fast IDentity Online) is a family of technical specifications from the FIDO Alliance (U2F, UAF and FIDO2) for strong authentication to online services using hardware authenticators, biometrics or both.

62 questions
5 votes, 2 answers

Where are FIDO U2F Keys Stored?

I'm getting conflicting information on how the security keys are stored and used. Where are the public and private keys stored? If the private key is stored on the Yubikey itself, how many can it hold? If both keys are stored on the service you…
Derpy
5 votes, 1 answer

How does the attestation mechanism of U2F guarantee the provenance of the key material?

I'm trying to understand Yubico's documentation of the U2F standard, and getting hung up on the PIV attestation piece. The security claim appears to be that the authoritatively-signed attestation certificate sent by the device upon registration will…
Dan Lenski
5 votes, 1 answer

How should I implement FIDO UAF architecture?

I'm new to FIDO (Fast IDentity Online), and want to add FIDO UAF (Universal Authentication Framework) support to my website. I've a few queries: Suppose I've built my own FIDO Client. Is there any test server where I can test my FIDO Client, or do I…
anonImos
5 votes, 2 answers

Using Fido U2F or similar as primary authentication method?

I've been wondering about this for a while, but couldn't find much on the web, so I hope that someone could point me in the right direction for better understanding about this topic. Would it be viable / safe to use something like a Fido U2F device…
redShadow
4 votes, 0 answers

Benefit of using OpenSSH FIDO/U2F support over GPG mode?

OpenSSH version 8.2 introduced support for FIDO/U2F hardware authenticators, via the new public key types "ecdsa-sk" and "ed25519-sk". I currently have SSH authentication set up in combination with gpg subkeys by using my security key in GPG mode. I…
nyronium
4 votes, 1 answer

Password managers and FIDO

I've just been reading some posts about FIDO support (or the lack thereof) in password managers and want to check whether my understanding is correct. My understanding of FIDO (v1) is that the device contains a secret that it will never let out of…
user16214
4 votes, 0 answers

U2F FIDO sends identifiable serial numbers

As all of the FIDO Alliance documents state, the FIDO U2F protocols should never be able to be abused to identify whether a user has multiple accounts with one service, or for services to collude and find out a specific user's identity. So why, when I…
Ed Watson
3 votes, 1 answer

Is FIDO2 authentication vulnerable to a social engineering replay attack?

I'm starting to learn about the FIDO2 standard, and I'm wondering if this scenario is possible... Victim visits a credential harvesting page and enters their credentials. Credential harvesting backend opens a connection to the legitimate login page…
Sean W.
3 votes, 1 answer

How does ed25519-sk actually work?

My Google-fu failed me as most "how it works" sections related to FIDO are very... let's say... consumer-oriented. So OpenSSH supports U2F natively when using the appropriate elliptic-curve-based cipher (namely ed25519-sk and the NIST one, do mind…
Jane
3 votes, 1 answer

FIDO U2F - macOS Touch Bar

I understand how FIDO works with a Yubikey: the Yubikey device has a symmetric key and it uses the appId, a nonce and the symmetric key to generate a key pair for a website. And the device gives back the public key and a keyHandle (which can be used to regenerate the private key)…
Jack
3 votes, 1 answer

How do FIDO keys prevent MITM reflection attacks?

FIDO keys, used for 2-factor authentication, are based on a challenge-response mechanism. Besides generating a common one-time key using Diffie-Hellman, or transferring all data over TLS, how can they prevent reflection attacks? Challenge: Alice -> Eve…
Bharel
3 votes, 1 answer

U2F protocol - Counter value & device cloning

My question is about the U2F protocol and more precisely cloning detection. According to the doc: "If there is a possibility that a U2F token can be cloned, we also need some way to detect it. We can do this by having an operation counter. Every…
QBl
3 votes, 1 answer

In the context of FIDO U2F, when is a new ephemeral key reused, or cached?

I'm reading this paper from Yubico on Universal Second Factor and OpenID Connect and see the description about ephemeral keys. I'm confused on when an ephemeral key is used, and under what conditions they are cached. From the Yubico document. Page…
makerofthings7
2 votes, 3 answers

Vulnerabilities despite FIDO U2F?

FIDO U2F seems much more secure than one-time-passwords (OTP), especially TOTP, because of the challenge-response architecture. In what ways is a U2F user still vulnerable? I presume if a user's computer is compromised or the user loses their U2F…
Jeff
2 votes, 3 answers

Why would a U2F key be more secure than an OTP device?

I have a Yubikey 5, I can store a PGP key inside, it has OTP abilities, FIDO, NFC, etc... Which is great for a device like this. First of all, I understand how a smart card is more secure than an app/SMS based OTP for instance, but seeing how the…
Max13