Questions tagged [fido2]
FIDO2 (Fast IDentity Online 2) is a technical specification for biometric authentication to online services, based on FIDO Alliance CTAP2 protocol and W3C consortia's WebAuthn standard. FIDO2 is based on previous FIDO Alliance project U2F
34 questions
1 vote
1 answer
206 views
FIDO2 Yubikey, systemd-cryptenroll Options - Differences of --fido2-with-client-pin --fido2-with-user-presence --fido2-with-user-verification
I added a FIDO2 token to my encrypted root parition with systemd-cryptenroll <DISK> --fido2-with-client-pin=true \ --fido2-with-user-presence \ --fido2-device=auto The tool has three ...
- 135
1 vote
1 answer
116 views
Would a passkey client that had a seed for backup break the specification?
I have been thinking about backing up passkeys, I asked a previous question about backing up individual private keys. This procedure requires one to create the backup after creating the account. ...
- 447
3 votes
1 answer
847 views
Is a FIDO private key file for SSH cryptographically secure on it's own?
Is an id_ed25519_sk cryptographically secure without a password? I'm currently experimenting with a yubikey SSH identity. Following instructions to generate an SSH key: sudo ssh-keygen -t ed25519-sk -...
- 153
2 votes
1 answer
344 views
Is there a reason to not send signed FIDO2/WebAuthn session data to the client rather than storing it server side?
Every WebAuthn implementation I've seen stores the session data server side, but that just seems pointless to me, since what seems to be essentially all the same data is already sent to the client in ...
- 145
1 vote
1 answer
139 views
Is clientDataJson and attestationObject required to verify assertion during authentication in WebAuthN?
Currently I am working on implementing/supporting WebAuthN in my service (JAVA). I have a Control Plane which handles the registration ceremony and Data Plane that handles the authentication ceremony. ...
- 13
1 vote
1 answer
266 views
Is there an equivalent to passkeys but to prevent cookie stealing?
Passkeys prevent phishing, no one can make you login remotely (without exploits) and if they are hardware based and never leave the hardware, them even exploits might have a hard time getting them. ...
- 375
1 vote
0 answers
525 views
Is it possible to see the pubkeys that pair with private keys inside the TPM in Windows?
Is it possible to inspect data (pubkeys, domain names used for webauthn, not private keys) related to private keys stored in the TPM on Windows? I legally own the hardware and have maximum ...
- 435
2 votes
2 answers
239 views
Can Fido2 hardware tokens be used for key agreement or Diffie-Hellman?
With Fido2 becoming more popular we see more and more affordable Fido2 hardware security keys on the market. Can we use those tokens also for establishing a shared secret between two tokens? I would ...
0 votes
0 answers
144 views
Passwordless authentication using expiring hardware keys
I am looking for a solution to implement passwordless authentication using expirable hardware keys. It is for devices around the world with Windows OS, and sometimes service technicians have to do ...
- 101
3 votes
2 answers
776 views
FIDO2: should I set user verification to "discouraged" with two-factor authentication?
I provide a web application that uses FIDO2 for two-factor authentication. Recently I got reports that Windows users have to enter a PIN each time they use their hardware token. As far as I understand,...
- 173
0 votes
0 answers
506 views
FIDO2 security keys - what attack vectors/weaknesses exist for "bad" keys
What attack vectors exist for "bad" FIDO USB keys? What would the weaknesses of a "bad" key be? How could they be compromised? This came to mind as I was looking at "make ...
- 11
1 vote
1 answer
2k views
Reading SSH private key physically stored on yubikey to remote into external PC
I was wondering if it's possible to only store and read a ssh private key on a yubikey and not read the private key the yubikey generated from a client computer? Currently the only way it seems to ...
- 193
3 votes
1 answer
980 views
Is FIDO2 authentication vulnerable to a social engineering replay attack?
I'm starting to learn about the FIDO2 standard, and I'm wondering if this scenario is possible... Victim visits a credential harvesting page and enters their credentials Credential harvesting backend ...
- 845
3 votes
3 answers
4k views
Can I use Yubikey to encrypt a file without PGP?
I have a Yubikey 5 Series and would like to use it to encrypt a file, so that a physical presence of my Yubikey would be required to decrypt it. I know you can save a PGP key onto Yubikey and use it ...
- 39
1 vote
3 answers
2k views
Why are FIDO2 protected SSH keys affected by phishing attacks?
The OpenSSH developers have written in a description of the "agent restrictions" feature that FIDO2 tokens are vulnerable to phishing attacks: https://www.openssh.com/agent-restrict.html ...
- 121