Attention Python WebAuthn devs: I'm contemplating removing Pydantic as a dependency of py_webauthn due to maintenance burden related to the Pydantic v2 update. For more context, and to chime in with your support or questions, please check out the following GitHub issue:
I've got a PR open too that has all the work completed, I'm just waiting a few days now to see if anyone has compelling reasons now to move forward with this:
Hier wird auch auf #Passkeys referenziert. Ich persönlich bevorzuge #FIDO2 gegenüber Passkeys, wenn ich sowieso schon einen FIDO2-Token besitze und ich nicht will, dass mein Passkeys-Geheimnis ausgelesen werden kann, was bei FIDO2 nicht der Fall ist.
Wenn man keinen FIDO2-Token hat, hat Passkeys durchaus Vorteile, da es (wie FIDO2) auch gegen Phishing schützt
Random crypto/infosec tip because it came up independently multiple times the last days:
Do not, I repeat, do not hash passwords on the client before sending them to the server. The right way to do this is to send (username, password) to the server. There the server does a DB lookup based on the username, retrieves the stored hash, hashes the received password and compares them:
Notice that this scheme does not protect against a MITM Mallory who can listen to the conversation, they could just retrieve the password. It does, however, help against an attacker Eve who has retrieved your server's database.
Now, if you'd hash the password on the client, would that help against Mallory? No because they'd just MITM the transmitted hash and replay that. Even worse though, since the server suddenly accepts password hashes, Eve's Database dump is actually useful because they can use the retrieved hashes to log in to any account.
Also, don't use passwords for auth. Use #Passkeys. But that's a different story 0:-)
Wow, the comments on my article on #Passkeys in the German #iX/#heise has shown me a lot of misconceptions people have:
No, you don't need to synchronize Passkeys
nor do you need to use Google/MS/Apple
nor is storing an encrypted binary blob a big danger
Passkeys aren't just autofilled #passwords: they use challenge auth, not shared secrets!
#TOTP 's aren't better because they're a real #2FA. Actually they suck against #phishing.
A secure enclave can still be used, but it's mostly used for decrypting the keychain, not storing it
You can still use #YubiKey 's, either with discoverable creds (uses 1 slot each) or non-discoverable creds (1 slot for all Passkeys)
Generally, I think the term 2FA is misleading. Not all 2FA is created equal. One could even argue that Passkeys are "less" 2FA than Password+TOTP -- and yet, it's more secure in most attacks because it can't be phished.
A lot of people seem to think that the more annoying and difficult to use a technology is, the more secure it is. We have the same problem with passwords and their complexity. We humans suck at guessing how secure something is through intuition.
Alle reden von #Passkeys und ich frage mich ob das technisch etwas anderes ist als Smartcards, die es ja schon ewig gibt und die man auch schon ewig im Web benutzen könnte.
#Passkeys with Windows Hello are really cool. I set it up with my surface studio's camera (I know, I know) and since it's WINDOWS storing the passkey, not the browser, I set it up in Chrome and it works in #Firefox with 0 input on my part!!
This "BPoP" (Browser Proof of Possession) proposal out of Microsoft is really interesting! If you've bemoaned the loss of Token Binding then you owe it to yourself to read this explainer they just published:
I think the tl;dr is "bind session tokens to browsers using browser-managed public-key cryptography."
And I'm excited by the idea as a potential solution to the question of, "how do we defend against session token theft after passkeys lock down credential theft as a vector of attack?" 🤔
ich bin ja immer noch hin und her gerissen, was diese FIDO Sticks angeht. Für Profis, die wissen wie man damit umgeht und weitere Sicherheitsmechanismen nutzen, sind die ok.
Für den typischen Enduser, der es einfach haben möchte, taugen die nichts. In den meißten Anleitungen wird nicht darauf hingewiesen, dass man manuell einen PIN für den Key setzen und einen Backup Key einrichten sollte.
Ohne PIN -> schlecht.
Wenn der Key kaputt/weg ist -> schlecht.
@isAutonomous
Ich glaube diese #passkeys könnten das Rennen für die meisten "normalen" Endanwender machen.
Aber ich habe (noch?) kein gutes Gefühl dabei, wenn meine privaten keys meinen Rechner verlassen und auf fremden Rechnern ("Cloud") gespeichert werden. Warum kann ich die nicht einfach als "Pro" in meiner Private Cloud oder auf meinen Rechnern speichern? Warum MUSS ich sie mit dem sichersten Passwort aller Zeiten besonders gut absichern? Oder werde ich auch weiterhin 100-stellige zufällig generierte Passwörter mit zweitem Faktor nutzen? 🤔