TIL: The #YubiKey 5 supports setting a PIN for additional #U2F security – but only the FIPS models, not the normal ones, and only in FIPS Level 1; in Level 2 U2F is forbidden entirely and only FIDO2 can be used.
Today I finally sat down to learn how #FIDO #U2F keys support an "unlimited" number of websites on a single token, without compromising privacy, and without running out of memory on the token.
Reusing the same public/private keypair would allow websites to track tokens. So, the token generates a new keypair on each registration. But where is it stored?
With the website! The token encrypts the private key with a token-specific secret and receives it back from the website on each login request.
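The key-handle pattern described in this post, as an added simulation that is not code from the post's author or from any real token firmware: the authenticator holds a single device secret, derives a fresh per-registration private key from that secret plus a random nonce, and hands the website a key handle (nonce plus an HMAC tag bound to the app ID). On login the website returns the handle, the token checks the tag, re-derives the same private key and signs the challenge. Real tokens use ECDSA on P-256 for the keypair and signature; because the Python standard library has no elliptic-curve support, the public-key derivation and the signature below are labelled placeholders, and the derivation-based wrapping shown here is one of several schemes tokens use (some encrypt the private key inside the handle instead, as the post says; both give the same properties, which is what the example exercises).

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

HANDLE_NONCE_LEN = 32
HANDLE_TAG_LEN = 16


def _placeholder_public_key(priv: bytes) -> bytes:
    # Placeholder for deriving an ECDSA P-256 public key from the private scalar.
    # A hash is used only so each registration yields a distinct, reproducible value.
    return hashlib.sha256(b"pub" + priv).digest()


class SimulatedU2FToken:
    """Simulated authenticator: stores one device secret and nothing per site."""

    def __init__(self, device_secret: Optional[bytes] = None):
        self._secret = device_secret if device_secret is not None else secrets.token_bytes(32)
        self._counter = 0  # U2F signature counter, incremented on every assertion

    def _kdf(self, label: bytes, app_id: bytes, nonce: bytes) -> bytes:
        # All per-site material is a keyed hash of (label, app_id, nonce) under the device secret.
        return hmac.new(self._secret, label + app_id + nonce, hashlib.sha256).digest()

    def _tag(self, app_id: bytes, nonce: bytes) -> bytes:
        return self._kdf(b"tag", app_id, nonce)[:HANDLE_TAG_LEN]

    def register(self, app_id: bytes) -> Tuple[bytes, bytes]:
        """Create a new credential for app_id; returns (key_handle, public_key).
        The handle is what the website stores; the token forgets everything."""
        nonce = secrets.token_bytes(HANDLE_NONCE_LEN)
        handle = nonce + self._tag(app_id, nonce)
        priv = self._kdf(b"priv", app_id, nonce)
        return handle, _placeholder_public_key(priv)

    def _unwrap(self, app_id: bytes, handle: bytes) -> Optional[bytes]:
        # Recover the private key from a handle, or None if the handle was not
        # issued by this token for this app_id (wrong origin, tampering, other token).
        if len(handle) != HANDLE_NONCE_LEN + HANDLE_TAG_LEN:
            return None
        nonce, tag = handle[:HANDLE_NONCE_LEN], handle[HANDLE_NONCE_LEN:]
        if not hmac.compare_digest(tag, self._tag(app_id, nonce)):
            return None
        return self._kdf(b"priv", app_id, nonce)

    def check_only(self, app_id: bytes, handle: bytes) -> bool:
        """U2F 'check-only' query: does this handle belong to this token and app_id?"""
        return self._unwrap(app_id, handle) is not None

    def public_key_for(self, app_id: bytes, handle: bytes) -> bytes:
        priv = self._unwrap(app_id, handle)
        if priv is None:
            raise ValueError("key handle was not issued by this token for this app_id")
        return _placeholder_public_key(priv)

    def authenticate(self, app_id: bytes, handle: bytes, challenge: bytes) -> Tuple[bytes, bytes]:
        """Sign a login challenge; returns (counter, signature)."""
        priv = self._unwrap(app_id, handle)
        if priv is None:
            raise ValueError("key handle was not issued by this token for this app_id")
        self._counter += 1
        counter = self._counter.to_bytes(4, "big")
        # Placeholder for the ECDSA signature over (app_id, counter, challenge).
        sig = hmac.new(priv, app_id + counter + challenge, hashlib.sha256).digest()
        return counter, sig


if __name__ == "__main__":
    # Constructed demo: two registrations at one site are unlinkable, and a handle
    # presented under a different origin is refused (the anti-phishing property).
    token = SimulatedU2FToken()
    site = b"https://accounts.example.com"
    handle_a, pub_a = token.register(site)
    handle_b, pub_b = token.register(site)
    print("distinct handles:", handle_a != handle_b, "distinct keys:", pub_a != pub_b)
    print("valid at origin:", token.check_only(site, handle_a))
    print("valid at other origin:", token.check_only(b"https://login.example.org", handle_a))
    print("assertion:", token.authenticate(site, handle_a, b"server-challenge")[0].hex())
```

Because the handle carries a tag bound to `app_id`, a handle issued for one origin is rejected when presented under another, and a handle corrupted in transit or produced by a different token fails the same check before any key is derived.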
@jsrailton Only FIDO2 and Passkeys are protecting against #phishing attacks.
Caution: #Passkeys might copy your secret into the service provider's cloud for convenience and backup purposes.
IMHO, #FIDO2 hardware tokens are the only non plus ultra for authentication security since they protect your secrets in hardware without the possibility of "backups" to the cloud.
hm. Do I spend $30 (after shipping) on another #2FA #U2F security key, but this one can store 50 #TOTP entries (as well as work as a standard #FIDO2 #SecurityKey)?
Compared to #yubico #yubikey which is $50 (before shipping) and stores only 32 TOTP.
It'd only be around $22, but it apparently ships from Switzerland?
I hope this gains similar traction as #FIDO2/#WebAuthn/#U2F/#CTAP support in browsers, especially with the recent push for #Passkeys, as smart cards are very widely deployed in orgs and slimming down the stack would definitely be a win here.
This article shows how to use [#systemd #cryptenroll together with] either a #TPM2 chip or a #FIDO #U2F security key as an alternative factor to the passphrase when unlocking your [#Linux] #LUKS partitions.
Newbie question: what is the best #mfa #authentication method for #offline networks? I am playing around with a lab environment where I want good MFA inside but don't want it to connect to the internet. My current point of view is: I can not place #Fido there since it "needs" internet in many ways... right? My current way of thinking is I build a PKI into this network and use it with #yubikey acting as a smartcard but not #u2f or #fido2. Am I wrong? Are there better options?
I'm currently writing an article on FIDO2 / U2F security keys such as SoloKey2, YubiKey5 or NitroKey3.
It will cover how these keys can be set up with standard tools and used for login on Linux or with OpenSSH (using Fedora Linux as the example). Maybe I'll include LUKS decryption right away as well, otherwise that will follow later.
Do you have any particular interests or questions that I should pay special attention to?
The FIDO specification defines a form of Universal 2nd Factor (U2F) when users log in to a system. Rather than relying on one-time codes sent via SMS, or displayed on a phone screen, these are physical hardware tokens which are used to supplement passwords. When used with websites, this technology is also known as WebAuthn.