Questions tagged [webauthn]

24 questions
12 votes, 1 answer

FIDO and FIDO2 differences

I've been reading both FIDO and FIDO2 specs for a while trying to understand the similarities and differences between both. Here is how I broke it down so far: FIDO: First iteration in creating a cross industry standard for passwordless / 2fa…
Filipe Rodrigues
11 votes, 2 answers

Why is Webauthn not used as primary authentication method?

In theory, authenticating with a public key should be much simpler than with a password. There is nothing to remember for the end-user, and registration can be done just by clicking a button. For all intents and purposes, this should be much more…
user163495
10 votes, 2 answers

Is it possible to use WebAuthn for digitally signing documents in the browser?

WebAuthn is a relatively new API for authentication, and it uses public key cryptography instead of something like passwords. I am wondering if it is possible to use the cryptographic part for a different purpose, specifically creating digital…
Mad Scientist
5 votes, 2 answers

Why did WebAuthn beat PAKEs as the preferred password replacement?

Apple and now Google are releasing products that are built on WebAuthn as a replacement for traditional username + passwords. Why did this technology beat out PAKEs?
Prime
3 votes, 0 answers

Do passkeys on iCloud Keychain ever exist unencrypted outside the secure enclave?

Regarding Apple's beta feature of storing WebAuthn passkeys in the iCloud Keychain, does anybody know if the unencrypted passkeys ever leave the secure enclave, and get stored in RAM or anything? With traditional WebAuthn on a Yubikey or similar…
3 votes, 0 answers

How to add a new webauthn key if the existing one isn't portable

Webauthn supports authentication or multi factor authentication with either hardware keys or authentication features that are built into the device used (Windows Hello, Android with a Fingerprint, ...). Given the case that a user registered with a…
3 votes, 2 answers

Why does WebAuthn require a challenge when asking the client to register a new credential?

When registering a new credential as part of WebAuthn, why does the client need to be sent a challenge? Presumably this is to prevent a replay attack, but wouldn't a replay attack be prevented by TLS already?
3 votes, 1 answer

Yubikey - WebAuthn and U2F

I have a yubikey which supports only U2F. It doesn't support FIDO2. I read about U2F and I understand how it works. When I test my Yubikey for WebAuthn on https://webauthn.io it works. I wanted to know how WebAuthn works with my Yubikey when there…
Jack
2 votes, 0 answers

Use platform TPM as U2F for web applications

The Problem: Use the platform TPM of my Windows Laptop/PC (no external device or USB token) as U2F in a web application to check if it is a known device. My intended solution: I need to store/create something (Certificate, Private/Public Key or…
MrMaavin
1 vote, 1 answer

Implementing FIDO2 (WebAuthN) in Native iOS

I am currently investigating the idea of implementing FIDO2 (WebAuthN) support in native iOS using Swift. I understand that there is no FIDO2 support in native iOS, and only available through Safari native app, but Safari is not an option that I'm…
Go James
1 vote, 1 answer

What are the benefits of using WebAuthn?

The Web Authentication API allows websites served via HTTPS to allow users to authenticate via asymmetric encryption. The procedure for login is basically the following: Server sends a challenge (16 random bytes); Client signs the challenge; Client…
D. Pardal
1 vote, 1 answer

WebAuthn - What am I missing?

I'm trying to learn a bit about authentication and security protocols at a 10,000 foot level. I was reading about WebAuthn here: https://webauthn.guide/ and here: https://webauthn.io/ I'm sure what I'm about to ask has obvious answers, because this…
Chris
1 vote, 0 answers

WebAuthn Variation with non-connect dongle Authenticator

As I read through the WebAuthn / FIDO2 documentation, it appears the authentication is done on the local device to create an attestation to the FIDO server. This future implies the "biometrics" or other Authenticator means must be connected to the…
mazecreator
1 vote, 1 answer

Why don't online banks use WebAuthn?

My ideal bank would offer online banking from a browser with user/pwd and WebAuthn, for example with a NFC or USB key. No OTP or SMS or apps on the smartphone or physical devices required. (It goes without saying, no recovery questions or stuff like…
jj_p
1 vote, 1 answer

2fa attestation object for non-repudiation

I am reading on digital signatures: A valid digital signature gives a recipient reason to believe that the message was created by a known sender (authentication), that the sender cannot deny having sent the message (nonrepudiation), and that …
Thalis K.