Questions tagged [fido]

FIDO (Fast IDentity Online) is a family of open authentication standards from the FIDO Alliance (U2F, UAF and FIDO2/WebAuthn) for phishing-resistant authentication to online services. The authenticator (a hardware security key, or a platform authenticator unlocked by a PIN or biometric) holds a per-site private key and signs a server challenge bound to the site's origin, so no shared secret is sent to or stored by the service.

62 questions
1 vote, 0 answers

How exactly do FIDO keys work?

Recently I acquired a FIDO security key that allows me to use the U2F protocol on some of my accounts. Now I know that these keys use public/private keys for the specified account, but I'm stuck on the logic of one part. How does the FIDO key know…
NerdOfCode
1 vote, 0 answers

Are all the FIDO U2F tools from Yubico cross-compatible?

So I recently got myself one U2F security key to experiment with all the services that support it. However, I didn't go for the mainstream option (YubiKey) since most models are quite expensive for my budget. The thing is, almost all the docs for the…
Alfageme
1 vote, 1 answer

What data is sent between an NFC/BTLE FIDO U2F device and Chrome (or other agent)?

I need to explain what "conversation" occurs between a FIDO U2F device (YubiKey NEO) and the agent (Chrome). I want to know if it's a challenge-response, and ultimately figure out how much computation occurs on the device. In the case of NFC, the…
makerofthings7
0 votes, 0 answers

Solutions for out-of-band biometric login

I am enhancing our login flow to include biometric verification via your phone. The user will log in to the desktop app but will have to verify their identity via their phone. We already have an app and want to now accept login verification…
Decrypter
0 votes, 0 answers

FIDO U2F: can a modified client theoretically register the same key multiple times? (YubiKey wrapped private key method)

Context: I was answering a question about how a YubiKey can generate "infinite" key pairs for FIDO U2F but doesn't need to store them locally. This leads to my initial question: Can I register with a FIDO U2F service more than once,…
PathToLife
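Added example, not from the original page or from any of the posters above, that ties together the two questions about the U2F "conversation" (NFC/BTLE device to Chrome) and the YubiKey wrapped private key method: a Go model of both sides of U2F registration and authentication. The token keeps one device secret and one counter; each key handle is a random nonce plus an HMAC tag, and the per-registration P-256 private key is re-derived from the secret, the appId hash and the nonce. Two things are simplifications chosen for brevity and labelled as such in the code: the key-derivation function is only the shape of Yubico's scheme, and `ChallengeParam` folds the browser origin into the challenge instead of hashing U2F's clientData JSON. The signature input in `signedHash` follows the U2F authentication format. The device secret, appId and challenge in `main` are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/big"
)

// Token models a U2F authenticator: one device secret, one signature counter, no per-site key storage.
type Token struct {
	secret  []byte
	counter uint32
}

// mac is HMAC-SHA256 under the device secret over a domain label and the inputs.
func (t *Token) mac(label string, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, t.secret)
	m.Write([]byte(label))
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// deriveKey maps HMAC(secret, "key"||appParam||nonce) to a P-256 scalar in [1, N-1]. This is an
// illustrative KDF in the shape of Yubico's wrapped-key scheme, not its exact construction.
func (t *Token) deriveKey(appParam, nonce []byte) *ecdsa.PrivateKey {
	curve := elliptic.P256()
	d := new(big.Int).SetBytes(t.mac("key", appParam, nonce))
	d.Mod(d, new(big.Int).Sub(curve.Params().N, big.NewInt(1))).Add(d, big.NewInt(1))
	priv := &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: curve}, D: d}
	priv.X, priv.Y = curve.ScalarBaseMult(d.Bytes())
	return priv
}

// Register returns key handle = nonce || tag plus the uncompressed public key; the fresh nonce is
// why registering the same token twice with one service gives two unrelated key pairs.
func (t *Token) Register(appParam []byte) (handle, pubKey []byte) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	priv := t.deriveKey(appParam, nonce)
	return append(nonce, t.mac("handle", appParam, nonce)...), elliptic.Marshal(elliptic.P256(), priv.X, priv.Y)
}

// Authenticate is the device side of the exchange: refuse a handle minted for another appId or device,
// bump the counter on the touch, re-derive the key, sign. One HMAC, one scalar multiplication, one ECDSA.
func (t *Token) Authenticate(appParam, chalParam, handle []byte) (up byte, counter uint32, sig []byte, err error) {
	if len(handle) != 16+sha256.Size || !hmac.Equal(handle[16:], t.mac("handle", appParam, handle[:16])) {
		return 0, 0, nil, fmt.Errorf("key handle not issued by this device for this appId")
	}
	t.counter++
	sig, err = ecdsa.SignASN1(rand.Reader, t.deriveKey(appParam, handle[:16]), signedHash(appParam, 1, t.counter, chalParam))
	return 1, t.counter, sig, err
}

// signedHash is SHA-256(appParam || userPresence || counter BE32 || chalParam), the U2F signature input.
func signedHash(appParam []byte, up byte, counter uint32, chalParam []byte) []byte {
	msg := binary.BigEndian.AppendUint32(append(append([]byte{}, appParam...), up), counter)
	h := sha256.Sum256(append(msg, chalParam...))
	return h[:]
}

// ChallengeParam stands in for SHA-256 of U2F's clientData JSON: it binds the browser's origin to the
// challenge, which is what makes a signature obtained on a phishing origin useless at the real site.
func ChallengeParam(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

// VerifyAssertion is the relying party's check: user presence, a counter above the last one stored
// for this registration, and a valid signature over the expected appId, origin and challenge.
func VerifyAssertion(pubKey []byte, lastCounter uint32, appID, origin string, challenge []byte, up byte, counter uint32, sig []byte) error {
	if up&1 == 0 || counter <= lastCounter {
		return fmt.Errorf("rejected: userPresence=%d counter=%d last=%d (replay or cloned token?)", up, counter, lastCounter)
	}
	x, y := elliptic.Unmarshal(elliptic.P256(), pubKey)
	if x == nil {
		return fmt.Errorf("stored public key is not a valid P-256 point")
	}
	appParam := sha256.Sum256([]byte(appID))
	if !ecdsa.VerifyASN1(&ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, signedHash(appParam[:], up, counter, ChallengeParam(origin, challenge)), sig) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

func main() {
	tok, appID := &Token{secret: []byte("constructed device secret")}, "https://example.com" // constructed sample values
	appParam := sha256.Sum256([]byte(appID))
	handle, pubKey := tok.Register(appParam[:])
	challenge := []byte("constructed per-login challenge") // issued by the relying party
	up, ctr, sig, _ := tok.Authenticate(appParam[:], ChallengeParam(appID, challenge), handle)
	fmt.Println(VerifyAssertion(pubKey, 0, appID, appID, challenge, up, ctr, sig), VerifyAssertion(pubKey, ctr, appID, appID, challenge, up, ctr, sig))
}
```

Calling `Register` twice for the same appId yields two different handles and public keys, so a client that registers the same token more than once simply gives the service two independent credentials; the token has nothing to "notice", because it stores no per-site state. `Authenticate` refuses any handle whose tag was not computed under this device's secret for this appId, which is how a wrapped-key token tells its own handles from a stranger's. On the relying-party side, `VerifyAssertion` rejects a replayed response (counter not increasing) and a signature produced while the browser was on a different origin, since that origin is hashed into the challenge parameter.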
0 votes, 0 answers

How to best support multiple hardware keys (yubikeys, etc.) as a web app?

I've implemented second-factor authentication for my web app via FIDO U2F, and am testing using a YubiKey. I have read that it is best practice to associate multiple hardware keys in case one is lost, but I wanted to know what the security…
0 votes, 0 answers

Why is my YubiKey not protected by a PIN when logging into Google?

I just set up my YubiKey on Google so I can log in to Google without any passwords. However, I don't even have to enter a PIN on the YubiKey; it simply works. I find this very, very dangerous, as anyone with my YubiKey would be able to access my Google…
Guerlando OCs
0 votes, 1 answer

Can YubiKeys prevent cookie stealing?

When you log into a website, it stores cookies that let your browser access the website without having the password. Given that some sites support YubiKey for login, does it mean that the YubiKey actively signs requests from my computer, or does it just…
Guerlando OCs
0 votes, 1 answer

Does moving the WebAuthn API from the browser to the OS improve the security of the registration process?

Usually, for all types of authentication, we trust the registration process and assume there is no attack happening, as in the case of FIDO2 registration. However, as the registration process is built into the browser and can be compromised…
0 votes, 1 answer

What is the equivalent of "forgot password" in password-less login applications using FIDO2 / WebAuthn or later?

I'm assuming instead of saying "forgot password?" the text would say "lost your key?" or "don't have your device?". But what would the process of secondary access look like in the future when passwords are ..ahem.. dead? Would sending a login link…
eternaltyro
0 votes, 1 answer

Are hardware security keys (e.g. ones supporting FIDO2) "able to protect authentication" even in the case of compromised hosts?

Correct me if I am wrong, please. I understand that 2FA (MFA) increases account security in case an attacker obtains a password, which might be possible in various ways, e.g. phishing, database breach, brute force, etc. However, if the host where…
Big X
0 votes, 1 answer

Can FIDO be implemented for a use case which allows the use of shared devices?

I am a part of an organization that is developing a website that requires user authentication, and we are strongly considering FIDO compliance. However, our use case requires users to be able to log in from shared computers (i.e. father and son may…
0 votes, 0 answers

Storing TOTP codes on a Feitian ePass FIDO key

I'm looking for some Android apps that can store / read TOTP codes off of a Feitian ePass FIDO key using NFC. There appears to be a fairly simple way with a Yubico key / and key, but I don't know how to do this with a Feitian. What is the actual…
Ryan
0 votes, 1 answer

Which party stores the link between user and device in WebAuthn?

Looking at the online resources regarding WebAuthn, I still haven't been able to figure out which of the involved components (or parties) stores the link between the user and his/her authenticator device. I borrowed this picture from Yubico's…
Lars Andren
0 votes, 1 answer

Can an infected endpoint steal private keys from a FIDO U2F Hardware Token / Yubikey?

Is it possible for an infected endpoint to steal private keys from a FIDO U2F hardware token / YubiKey? What attacks exist against these hardware tokens? What mitigations are possible? For the scope of this question, it's limited to U2F keys, some…
user115400