@scy the most current implementation would be fido2...

@scy the most current implementation would be fido2 non-discoverable keys. And you should have come to my cccamp talk so you would have known in summer already :-)

I'll go over it in a fresh version at gpn22 I think

Like 23 March at 19:21 | Wall-to-wall | Open on chaos.social

5 comments

Chris

@scy NVM should have gone further down your thread 🙂

23 March at 19:23 | Open on chaos.social

scy

@cy Yeah, I was reading about this in, let's say, chronological order. Which means I learned about U2F first, then went on with FIDO2, got sidetracked and read about passkeys 🙃

So, can I assume from your reply that FIDO2 ND keys work basically the same like U2F? Any relevant differences?

23 March at 19:27 | Open on chaos.social

Chris

@scy u2f is only usable as 2nd factor, as you said before. Fido2 forces "user verification", like at least clicking the key to show you are at the machine physically (as in MFA, "own" the key), whereas u2f works without (there are u2f keys without button).
aside of that the ctap protocol is different, so the handling of the authenticator on the client machine. Afaik there is more configuration the server admin can force on the client, like which authenticators are allowed.

24 March at 6:03 | Open on chaos.social

Chris

@scy if you only use passkey as second factor, you should be fine with an old u2f device
(While still being phishing proof, in comparison to all the totp and notification apps).

24 March at 6:07 | Open on chaos.social

scy

@cy Thanks for elaborating!

24 March at 10:18 | Open on chaos.social