@cy Although with "#passkeys is like #WebAuthn, except that you hand control over the private keys to Apple/Microsoft" you have already said everything one doesn't really want to hear 🥺 As soon as there is something #selfhosted, I'm back in.
#passkeys #WebAuthn #selfhosted
My comprehensive article on some of the use cases for #YubiKey|s (and comparable hardware security tokens) appeared on Friday in the @fedora #FedoraMagazine
https://fedoramagazine.org/how-to-use-a-yubikey-with-fedora-linux/ (English)
#ssh #openssh #sudo #pam #WebAuthn #u2f #FIDO2 #fido #PIV #yubikey #fedoramagazine
@LWN Also I'm really hyped about #passkeys, basically multi-device #WebAuthn tokens that are synched through your password^H^H^H^Hkey manager.
Differences are:
1. Always generated and unique
2. Public/Private keypair
3. Logging in through challenge-and-response API
While (1) can mostly be covered through using a proper password manager with a password generator, (2) solves the issue of password hashes being leaked and (3) the issue of you getting phished since the server must authenticate to the device as part of the process AFAICT. The days of forged fake websites are over!
Obviously, single-device tokens (aka #FIDO keys) are still great to have around but since this is based on the same protocol, support for that will go up as well. And single-device tokens are good enough for most™ of the users as long as the credentials are unique, irretrievable through database leaks and unphishable as passkeys are.
And it works outside the web just as well, using the mentioned sssd/FreeIPA in the talk!
My next #FedoraMagazine article will detail how to set up a #YubiKey for things like #Gnome login, authenticating against #sudo, #OpenSSH or as an #OTP / #WebAuthn factor in web authentication.
I ask you to share details and questions you'd like addressed in the article.
If you have some interesting other use-cases or bits of knowledge you'd like to share on the matter I'm eager to hear them!
#WebAuthn #otp #openssh #sudo #gnome #yubikey #fedoramagazine
@davemark It's a shame that they require "a FIDO® Certified security key". That means that they are using remote attestation and you can't freely choose your physical key or make your own. IMO there should be an option to disable it for people who understand the security implications. #WebAuthn
Going #passwordless. Have a look at our latest blog article for the status quo and outlook. What's your view on the future of authentication? 🤓 #FIDO2 #WebAuthn
https://www.nitrokey.com/blog/2022/fido2-webauthn-passkeys-2022-and-2023
#passwordless #fido2 #WebAuthn
#ClassQuiz now supports #2fa with #webauthn (#passkey s) and #totp! Go ahead and activate it now!
#totp #Passkey #WebAuthn #2fa #classquiz
Referenced link: http://cs.co/60183Djiw
Originally posted by Duo Security / @duosec@twitter.com: https://twitter.com/duosec/status/1600943476652253197#m
Nick Steele shares an inside look at the importance of #WebAuthn as a shared standard towards making #passwordless accessible for all.
🎥 Get the full story in our documentary, The Life and Death of Passwords: http://cs.co/60183Djiw
Wanna know where you can use your Nitrokey for two-factor authentication? With https://www.dongleauth.com you can look up (and add) the websites that are supporting #2FA or #FIDO2 #WebAuthn.
Which website has the best #2FA user experience in your point of view?
#2fa #fido2 #WebAuthn #opensource
Wanna know where you can use your Nitrokey for two-factor authentication? With dongleauth.com you can look up (and add) the websites that are supporting #2FA or #FIDO2 #WebAuthn.
Which website has the best #2FA user experience in your point of view?
#2fa #fido2 #WebAuthn #opensource
It’s not full #passkey support replacing passcodes for login, but it looks like recent releases of Mastodon support #WebAuthn for #2FA. If you’re running a recent release of #iOS or #Android you can use your device’s #biometric or passcode auth instead of having to type a 6 digit code #OTP each new login. It’s a bit more secure and un-phishable:
Once logged in to your account, you can add it via https://<your-instance-domain>/settings/two_factor_authentication_methods as “Add New Security Key”
#passkey #WebAuthn #2fa #iOS #android #biometric #otp
It’s not full #passkey support replacing passcodes for login, but it looks like recent releases of Mastodon support #WebAuthn for #2FA. If you’re running a recent release of #iOS or #Android and are tired of entering #OneTimePasscodes on log in, check it out. It’s a bit more secure and un-phishable:
Once logged in to your account, you can add it via https://<your-instance-domain>/settings/two_factor_authentication_methods as “Add New Security Key”
#passkey #WebAuthn #2fa #iOS #android #OneTimePasscodes
How we boosted WebAuthn adoption from 20 percent to 93 percent in two days // #security #WebAuthn
https://about.gitlab.com/blog/2022/11/09/how-we-boosted-webauthn-adoption-from-20-percent-to-93-percent-in-2-days/
Rooted my ancient #android to emulate a #WebAuthn / #FIDO device only to find out that it doesn't support #ConfigFS 😢
I need a phone upgrade
#lifeofadev #lineageos #configfs #FIDO #WebAuthn #Android
@vyivel That's difficult to answer. The login+password pair only counts as one factor in "two-factor authentication". (You can also have a user-verifying #WebAuthn token that doesn't use a login or a password, and that counts as two factors.)
I think you should store both in a secure manner, but the password is definitely the more sensitive part and you need to change it when disclosed.
If you want to push passwordless authentication using #FIDO / #FIDO2 / #WebAuthn, my recommendation is this:
Make user freedom, privacy, and open source the number 1 through 3 priorities.
Let people use Big Tech phones, rooted phones, Linux phones, old ThinkPads, YubiKeys, SoloKeys, software emulation, whatever. Do not collect or share more data than necessary. And support FOSS so that people can adapt the tools to suit them.
I'm getting a little giddy reading a proposal for #NomadicIdentities in #ActivityPub using #IPFS
That combined with #WebAuthN could maybe even make switching servers truly a few clicks
#WebAuthn #ipfs #activitypub #NomadicIdentities
Does anybody know how to backup and transfers #webAuthN identities? I probably missed it in the spec, but somehow the private key has to be accessed.
https://w3c.github.io/webauthn/#sctn-usecase-new-device-registration