scy

Note that the website you're trying to log in to can only request specific U2F signatures from your token once it knows who you're trying to sign in as.

That's why this only works as a _second_ factor, after username & password.

FIDO2 WebAuthn passkeys on the other hand can be used as a _single_ factor, _replacing_ username & password.

Here, the browser asks the token for the keypair(s) associated with that website – "infinite storage" is no longer possible.

developers.yubico.com/Passkeys

scy

And one more thing: The credentials that your token provides to the website during the registration process are signed by an "attestation key" created by the manufacturer, to prove its origin.

This allows the website to check what kind of token you have, and if it's a hardware token at all.

That's useful so that sites with high security requirements can for example require that you're really using a hardware token, instead of storing the passkey in your cloud-synced password manager.
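To illustrate the first post's contrast between U2F and passkeys, here is a toy model added as an example; it is not code from the posts or from any vendor. It assumes a token that re-derives each site key from a single device secret plus the key handle the website hands back, and it uses HMAC as a stand-in for the real ECDSA signature. All class and function names are hypothetical.

```python
import hashlib
import hmac
import os


def _mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class StatelessU2FToken:
    """Keeps one device secret; every per-site key is re-derived on demand."""

    def __init__(self) -> None:
        self._secret = os.urandom(32)

    def register(self, app_id: bytes) -> bytes:
        nonce = os.urandom(16)
        # The key handle goes to the website, which files it under the account.
        return nonce + _mac(self._secret, b"handle", app_id, nonce)[:16]

    def sign(self, app_id: bytes, key_handle: bytes, challenge: bytes):
        nonce, tag = key_handle[:16], key_handle[16:]
        if not hmac.compare_digest(tag, _mac(self._secret, b"handle", app_id, nonce)[:16]):
            return None  # handle was not issued by this token for this site
        site_key = _mac(self._secret, b"key", app_id, nonce)
        return _mac(site_key, challenge)  # HMAC stands in for the ECDSA signature


class PasskeyToken:
    """Stores discoverable credentials per site, so capacity is finite."""

    def __init__(self, slots: int) -> None:
        self._slots = slots
        self._store = {}  # rp_id -> list of (user, key)

    def register(self, rp_id: bytes, user: bytes) -> None:
        if sum(len(v) for v in self._store.values()) >= self._slots:
            raise MemoryError("no free credential slots")
        self._store.setdefault(rp_id, []).append((user, os.urandom(32)))

    def sign(self, rp_id: bytes, challenge: bytes):
        # No handle and no username needed: the token looks the site up itself.
        return [(user, _mac(key, challenge)) for user, key in self._store.get(rp_id, [])]
```

The U2F-style token cannot sign until the site supplies the key handle, which the site can only look up once it knows the account; the passkey-style token answers from its own storage and runs out of slots.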
