PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.
Now security keys I get; keep the private key on an airgapped device. That's good. Hell, I even keep my 2FA-OTP salts on a YubiKey.
When implementing #WebAuthn on an Identity Provider's side, where exactly should one draw the line between #SecurityKey and #Passkey? I see that most platforms make a distinction between those. Can anyone link me to some article or blog post on this topic? If I were to implement security key and passkey support on a provider that does not yet support any WebAuthn, should I go down the same route?
My current assumption is that during passkey registration you'd set "residentKey = required" and "userVerification = required", whereas for a security key you'd set "residentKey = discouraged" and "userVerification = preferred".
Also, I'm assuming that a security key can also function as a form of #passwordless multi-factor authentication if UV was true during registration AND authentication. Obviously without the neat part of Passkeys where you don't have to manually enter the username.
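An added example (not code from the poster above) showing the two registration profiles the post describes and how an RP can read back the authenticator-data flags to apply the "UV at registration AND authentication" rule; the rpId, user and challenge values are constructed placeholders, and the BE/BS bits are also parsed so the RP can tell a synced passkey from a hardware-bound credential:

```javascript
// Added example, not from any post on this page: passkey vs security-key
// registration options plus authenticator-data flag parsing on the RP side.
// WebAuthn authenticator-data flag bits (Level 3, section 6.1).
const FLAG_UP = 0x01, FLAG_UV = 0x04, FLAG_BE = 0x08, FLAG_BS = 0x10;
// authenticatorSelection differs by mode; everything else is shared.
function registrationOptions(mode, challenge, user, rpId = "idp.example") {
  const selection = mode === "passkey"
    ? { residentKey: "required", userVerification: "required" }
    : { residentKey: "discouraged", userVerification: "preferred",
        authenticatorAttachment: "cross-platform" };
  return {
    challenge, user,
    rp: { id: rpId, name: "Example IdP" },
    pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
    authenticatorSelection: selection,
    attestation: "none",
  };
}
// Fixed header of authenticator data: rpIdHash(32) | flags(1) | signCount(4, big-endian).
function parseAuthData(authData) {
  if (authData.length < 37) throw new Error("authenticator data too short");
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    backupEligible: (flags & FLAG_BE) !== 0, // set for synced (cloud-backed) passkeys
    backedUp: (flags & FLAG_BS) !== 0,
    signCount: view.getUint32(33, false),
  };
}
// The post's rule: passwordless MFA only if UV was set at registration AND on
// this assertion; otherwise the credential counts as a single factor. No UP: reject.
function classifyAssertion(registrationAuthData, assertionAuthData) {
  const reg = parseAuthData(registrationAuthData), asr = parseAuthData(assertionAuthData);
  if (!asr.userPresent) return "reject";
  return reg.userVerified && asr.userVerified ? "passwordless-mfa" : "single-factor";
}
// Constructed 37-byte authenticator data for testing (no attested credential data).
function sampleAuthData(flags, signCount = 0) {
  const buf = new Uint8Array(37);
  buf.fill(0xab, 0, 32); // stand-in for SHA-256(rpId)
  buf[32] = flags;
  new DataView(buf.buffer).setUint32(33, signCount, false);
  return buf;
}
```

A flags byte of 0x1d (UP|UV|BE|BS) is what a synced platform passkey typically returns, while a hardware security key leaves BE and BS clear.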
Hm. Do I spend $30 (after shipping) on another #2FA #U2F security key, but this one can store 50 #TOTP entries (as well as work as a standard #FIDO2 #SecurityKey)?
Compared to #yubico #yubikey, which is $50 (before shipping) and stores only 32 TOTP.
It'd only be around $22, but it apparently ships from Switzerland?
Google has announced the first open-source quantum-resilient FIDO2 security key implementation, which uses a unique ECC/Dilithium hybrid signature schema co-created with ETH Zurich.
When I first discovered WebAuthn in 2019 I imagined it being used for something like this, but never imagined something like the prf extension enabling true E2EE like this. Everything happens in the browser; there's no server used in any of this because to me that defeated the purpose. I also challenged myself to make a decent UX on top of this because what good is strong encryption if it's not usable?
For best results make sure you're using Chrome 116 and a recent FIDO2 security key.
(I'm also trying to figure out how things get noticed on Hacker News, so if you participate over there here's the Show HN, upvotes appreciated: https://news.ycombinator.com/item?id=37148972)
Google released first quantum-resilient FIDO2 key implementation (www.bleepingcomputer.com)