Webauthn questions:
1) When I create a passkey for a service, one of the options (on Apple OSs, anyway) is to use a security key like a YubiKey. I assume that means I need to whip out my YubiKey every time I want to log into that service.
Yubico recommends buying more than one physical key, in case you lose the primary key you have a backup. But how do I back up a passkey I created through Apple UI with another YubiKey?
2) I see no way for a service to require both a passkey (with or without physical key) *and* a passphrase of some kind. Since I'm most likely carrying my YubiKey with my iPhone at all times, all someone needs to do is knock me out*, touch my finger to my phone (or hold it to my face), and log in to whatever. Requiring a passphrase to unlock my local private keychain is the only way to protect against this kind of attack, but I see no way to enforce that level of security.
*Mind you, I don't have access to anything I think anyone is willing to knock me out for, but who knows what a savvy street thug might learn to do opportunistically?
Speaking of Bitwarden… How do you know it still is summer? You cannot store passkeys in your Bitwarden vault yet.
#bitwarden #passkeys #webauthn #floss #foss #opensource
@eingfoan did a POC with Neowave cards that went live afterwards. Main target population was warehouse workers on shared workstations. Worked like a charm 👌
https://neowave.fr/en/products/fido-range/badgeo-nfc-fido-2/
#fido #webauthn #pki #security #2fa #fido2 #nostick #contactless
Got a brand new Yubikey. My previous Neo model will now be the backup. I've finally got two keys, after 5 years 😄. That should be safer in case I lose the main one. I've started registering it as a security key wherever I used to have the Neo.
Turns out my Neo was previously registered as a security key at Google, but I deleted it and it won't accept it back, it tells me to try another model 😕. Also, could not add two security keys to Paypal, it only accepts one.
#webauthn #twofactor #yubikey
I've decided to implement multi-auth on my #mastodon client https://schizo.social
Currently it lets you auth with one account at a time, and the token this creates is stored in the session and destroyed when you log out.
I don't want the user to have to re-authenticate all their accounts each time they start a new session.
So I could let them create a new email/pass auth method, and then store their various mastodon tokens in the db. Maybe #passkeys or #webauthn?
"How Hype Will Turn Your Security Key Into Junk"
https://fy.blackhats.net.au/blog/2023-02-02-how-hype-will-turn-your-security-key-into-junk/
#security #authentication #passkeys #webauthn #yubikeys #hardwarekey
Programming note, devise-passkeys 0.2.0 is out: https://github.com/ruby-passkeys/devise-passkeys/releases/tag/v0.2.0
It's got some bug fixes & documentation, but more importantly, some outside contributors!! Thanks so much to everyone who's helped out so far: https://github.com/ruby-passkeys/devise-passkeys/blob/v0.2.0/THANKS.md#contributors
#rails #passkeys #WebAuthn #InfoSec #passwordless #RubyOnRails #ruby
For anyone else like me using a #Yubikey or other #webauthn #2FA in #Firefox who just had it recently start prompting for a PIN when it shouldn't be, apparently there is a bug, and the workaround here helped me:
https://support.nitrokey.com/t/fido2-firefox-asks-for-a-device-pin-that-i-never-set/4927
I'm not sure if this is an issue with the most recent Firefox version for #Linux or just the current #linuxMint package.
#yubikey #2fa #linuxmint #webauthn #linux #firefox
The main problem I see with #WebAuthn is that integrating it into basically any other browser than #Nyxt in a useful system-interacting fashion is going to be beyond obnoxious.
By system-interacting, I mean that I should be able to make a gateway to store the keys on another qube and have client qubes only being able to query it.
👥 @w3c, FIDO Alliance, and EMVCo work together in the Web Payment Security #InterestGroup to develop interoperable specifications. SPC is built on #WebAuthn and integrated into EMV® 3-D Secure and EMV® Secure Remote Commerce. #Collaboration
"Passkeys - Threat modeling and implementation considerations"
https://www.slashid.dev/blog/passkeys-security-implementation/
#passkeys #webauthn #authentication #security
@AnthonyCollette So, 32 random characters in the low-order ASCII set should suffice?
Wait, why are we still using "passwords" again? Don't we have cryptographically secure mechanisms? (Pretty sure we do.)
[I haven't had to run monitoring (fail2ban), pointlessly obfuscate port numbers, or just worry about SSH since I switched to only permitting cryptographic authentication… with 8192-bit RSA (these days, elliptic curve) around the mid-90's.]
next up, tailscale login.
Use Google, Microsoft, Github, Apple, Okta, Onelogin, custom #OIDC
new: passkeys, tied to device or keychain, based on #WebAuthN in browser
use "second factor" as primary factor.
demo ensues. "Sign in with passkey". Demo 1 fails. Demo 2 succeeds. Demo 3 uses hardware security key, works the first time.
"If you have enough demos, one of them has to work."
Replace passwords!
#oidc #webauthn #tailscaleup #Tailscale
Oh cool, PayPal seems to support WebAuthn now.
#fido2 #security #securitykey #webauthn
Eh, better in some aspects than #Brave, needs work on fingerprinting. The fact that it is a collab wi #Tor is nice but cannae access .onion sites. Dosnae accept #WebAuthn oot the box, but that can be remedied in the about:config settings. #Mullvad #MullvadBrowser #Privacy #CyberSec #Linux #ArchLinux #ArchBTW