|
Top-level
 Another nice feature of FIDO U2F is that credentials are bound to an origin, in order to prevent phishing. A website can't simply say to your token "please sign the login for user ID XY". Instead, the browser will also include the origin (host name & port) to that request, allowing the token to check whether the requested keypair is indeed associated to that origin. In case the website stores the encrypted private key, it also stores this information (decryptable by the registered token only). 2 comments
And one more thing: The credentials that your token provides to the website during the registration process are signed by an "attestation key" created by the manufacturer, to prove its origin. This allows the website to check what kind of token you have, and if it's a hardware token at all. That's useful so that sites with high security requirements can for example require that you're really using a hardware token, instead of storing the passkey in your cloud-synced password manager. |
Gregory's Server
Note that the website you're trying to log in to can only request specific U2F signatures from your token once it knows who you're trying to sign in as.
That's why this only works as a _second_ factor, after username & password.
FIDO2 WebAuthn passkeys on the other hand can be used as a _single_ factor, _replacing_ username & password.
Here, the browser asks the token for the keypair(s) associated with that website – "infinite storage" is no longer possible.
https://developers.yubico.com/Passkeys/Passkey_concepts/Discoverable_vs_non-discoverable_credentials.html
Note that the website you're trying to log in to can only request specific U2F signatures from your token once it knows who you're trying to sign in as.
That's why this only works as a _second_ factor, after username & password.
FIDO2 WebAuthn passkeys on the other hand can be used as a _single_ factor, _replacing_ username & password.