TIL: browsers now have USB access, for #fido2 #2fa #passkeys and what not.
sounds like the only question is WHEN this will turn out to be a vector for novel attacks. #infosec
A question for the cybersecurity pros: I'd like to test #FIDO2, since everyone says it's great and does everything but make the coffee. Which free service do you know where I can create an account and authenticate with FIDO2?
It's been six months — half a year — since Firefox 114 was released with support for FIDO2/WebAuthn. Microsoft 365 support is still broken, particularly for Linux users. You can register a security key but cannot authenticate using it.
Amusingly, Microsoft doesn't even support its Edge browser on Linux.
Security key vendor I hadn't seen before: "SLING". Appears to be repackaged TrustKey (formerly eWBM) T110 and T120. Interestingly, the hostname (www dot slingsecure dot com) does not currently resolve.
#Passkeys are referenced here too. Personally I prefer #FIDO2 over passkeys if I already own a FIDO2 token anyway and don't want my passkey secret to be readable, which is not the case with FIDO2.
If you don't have a FIDO2 token, passkeys do have advantages, since (like FIDO2) they also protect against phishing.
I have my own story with this too, after the fingerprint reader on my phone died. What helped in my case was the A-Trust app and a compatible #FIDO2 token.
The #DigitalesAmt app is now unusable as a result, though. 🤷
Silly little #Passkeys world. We were testing passkey usability (specifically #FIDO2 passkeys with #Google, #Microsoft and #Amazon) when we discovered that the implementation side has gone awry. Results:
Passkeys mostly don't work on mobile browsers, despite most passkey tech being fit for mobile use.
There is a huge difference between operating system/browser combinations when it comes to setting up and using passkeys.
Even between close OS versions, certain versions might have different properties (e.g. between Win11 and Win10 there are differences).
Windows is especially messy. Setting up passkeys often works through Windows Hello (on Chromium-based browsers). Don't have that enabled? Well, shucks. Better look somewhere else.
Firefox lacks setup support, but once you've set up a passkey in Chrome on Windows 11, you can use it on Firefox (not on Win10 though, punk. Better back off). You cannot use it on macOS with Firefox. Linux is weird when it comes to that. Depends on whether devs had time to implement it, it seems.
TLDR: While passkeys are great in theory, adoption/implementation seems to have been botched or not fleshed out yet. The best implementation (to our surprise) we have seen from the big ones was Amazon.
What good are standards when implementation is done...like that?
Note: we haven't done too much reproduction of this yet, so take these results with a grain of salt.
Everyone is talking about #Passkeys, and I wonder whether that is technically anything different from smartcards, which have been around forever and which you could have used on the web forever as well.
Exactly. Smartcards were, IMHO, always cumbersome to handle and, well, proprietary.
For me, normal 2FA via the 6-digit code was a good way to go.
These days I also use passkeys following the #Fido2 standard whenever the system allows it.
It is really cool: plug the key into the USB port and, instead of typing a code, simply press the button.
It is also more secure than 2FA with a code. In purely theoretical terms, an attacker could use a #ManInTheMiddle at login to capture the username and password as well as the 6-digit code, and would then have 1 minute to exploit it.
With a passkey he cannot capture anything that is of any use to him. So at most he gets the username and password and stays locked out.
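As an added illustration of the argument in this reply (not the poster's own code; the relying-party names, the look-alike origin, the fixed timestamp and the HMAC standing in for the authenticator's signing key are constructed assumptions), a small Python model of both logins: a relayed TOTP code is still accepted inside its time window, while a passkey assertion relayed via a look-alike origin is rejected because the browser writes the real origin into clientDataJSON and the signature covers it.

```python
import hashlib, hmac, json, os, struct

RP_ID = "example.com"                 # constructed relying party
RP_ORIGIN = "https://" + RP_ID
# Stand-in for the authenticator's per-credential key (real FIDO2: ES256 etc.); HMAC simulates signing.
CRED_KEY = os.urandom(32)

def totp(secret: bytes, t: int) -> str:
    """RFC 6238 code at unix time t: 6 digits, 30 s step, HMAC-SHA1 over the counter."""
    mac = hmac.new(secret, struct.pack(">Q", t // 30), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return "%06d" % ((struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 1000000)

def authenticator_sign(origin: str, challenge: str, rp_id: str) -> dict:
    """What navigator.credentials.get() hands back. The browser, not the page,
    fills in the origin it is connected to and hashes rp_id into authenticatorData."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash + UP flag
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def rp_verify(assertion: dict, expected_challenge: str) -> bool:
    """Relying-party checks from the WebAuthn spec: challenge, origin, rpIdHash, signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:
        return False                  # the check a relayed assertion trips
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest() or not ad[32] & 1:
        return False
    signed = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    return hmac.compare_digest(hmac.new(CRED_KEY, signed, hashlib.sha256).digest(),
                               assertion["signature"])

def totp_relay_succeeds(t: int = 1700000000) -> bool:
    """A phishing proxy forwards the captured code a few seconds later, inside
    the same 30 s window: the real site accepts it (t is a constructed timestamp)."""
    secret = os.urandom(20)                       # constructed shared TOTP secret
    captured = totp(secret, t)                    # victim types the code on the fake site
    return captured == totp(secret, t + 5)        # replayed 5 s later, still valid

def passkey_relay_succeeds() -> bool:
    """The same proxy relays the real site's challenge to a look-alike origin.
    The browser stamps that origin into clientDataJSON, so the RP rejects it."""
    challenge = os.urandom(32).hex()
    captured = authenticator_sign("https://examp1e.com", challenge, "examp1e.com")
    return rp_verify(captured, challenge)
```

A real authenticator would not even hold a credential scoped to the look-alike rpId, so the relay fails one step earlier than modelled here; the origin check is the relying-party side of the same guarantee.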
Good news with FreeBSD 14. Quoting from its release notes, "The use of FIDO/U2F hardware authenticators has been enabled in ssh, using the new public key types ecdsa-sk and ed25519-sk, along with corresponding certificate types." 😍 🎉
One of the smaller features that came with Fedora 39 is passwordless authentication for centrally managed users!
Passkeys are a great way to boost the security of your accounts and infrastructure. This is a step toward increased adoption and flexibility with these tools.
hm. Do I spend $30 (after shipping) on another #2FA #U2F security key, but this one can store 50 #TOTP entries (as well as work as a standard #FIDO2 #SecurityKey)?
Compared to #yubico #yubikey, which is $50 (before shipping) and stores only 32 TOTP.
It'd only be around $22, but it apparently ships from Switzerland?
I’m quite impressed - it just works in most cases…
NitroKey3 NFC
OpenPGP over USB in Ubuntu using gnupg ✅
OpenPGP over NFC in Android using OpenKeychain ❌ simply no reaction
OpenPGP over USB-C in Android using OpenKeychain ❌ the app cannot recognise the key
WebAuthn over USB in Ubuntu ✅
SSH over USB using ssh-keygen ✅
SoloKeys v1
WebAuthn over USB in Ubuntu ✅
SSH over USB using ssh-keygen ✅
OpenPGP over USB in Ubuntu using gnupg ❌ device not recognised by GnuPG
SoloKeys v2
Haven’t got them to work; those I’ve purchased had faulty firmware and I was unable to upgrade or reflash them. It seems like their development has been largely abandoned (per chat on Matrix channels).
Thinking about getting myself a #Yubikey, but I'm a little worried if newer technologies like #passkeys and #fido2 or whatever may be better? I honestly don't know much about the world of hardware keys for #authentication and #security stuff
Starting with v23.35 of Google Play services, support for #FIDO2 security keys protected with a PIN code was added. This opens up new possibilities for cross-device usage of security keys and therefore device-bound #passkeys.