#webauthn
Well then, let's test the #GoogleTitan!
#TitanSecurityKey #2fa #twofactorauthentication #webauthn #fido2

This "BPoP" (Browser Proof of Possession) proposal out of Microsoft is really interesting! If you've bemoaned the loss of Token Binding then you owe it to yourself to read this explainer they just published:
https://github.com/MicrosoftEdge/MSEdgeExplainers/blob/main/BindingContext/explainer.md
I think the tl;dr is "bind session tokens to browsers using browser-managed public-key cryptography."
And I'm excited by the idea as a potential solution to the question of, "how do we defend against session token theft after passkeys lock down credential theft as a vector of attack?" 🤔
If you've heard me talking about WebAuthn and "hints" recently it's been in reference to this https://blog.millerti.me/2023/11/15/webauthn-sneak-peek-hints/
Held my talk on #webauthn and #passkeys yesterday. I’d say it went pretty well. Got upgraded to the main stage due to the interest in the talk and I received positive feedback afterwards. Even the jokes that got to stay in seemed to have been appreciated.
Here are some pictures from the event.
#security #conference #publicspeaking


@SmartAsABrick @captainslim I'm curious. Is there any documentation on what "discoverable" #WebAuthN credentials mean? Like in short, where can I read more about this?
My experience with #OnePlus has been anything but good over the last 3 years.
But the recent update to #OxygenOS made things really uncomfortable. I have no idea if the #nfc #securitykey issues are only related to my phone but OnePlus acknowledged them and seemingly is unable to fix it. But removing #BLE is a different story.
I have tried to contact the OnePlus support but they are not interested in supporting - just ticket number bingo!!
I have tried to write it up, not expecting any support. But maybe anyone here has an idea??? Any ideas are highly welcome!!
https://community.oneplus.com/thread/1459934996448935942
#fido #fido2 #securitykey #Passkey #oneplus #oxygenos #android13 #android13.1 #webauthn #nfc #bluetooth
My @nitrokey FIDO U2F has just died. Not their fault, it opened by itself some months ago in a pocket that also contains my keys and I realized it after finding the electronic circuit on the floor.
Any recommendation for a passkeys-compatible replacement?
Preferably USB-A connection, NFC feature would be great too.
Unfortunately, I have to switch from #luakit back to #qutebrowser. Mostly because some websites don’t work at all but also because it doesn’t support #webauthn.
Today I finished the passwordless login for netfiles and integrated it with the new website that we are working on (well, we are "renovating" the whole product).
The integration consists of redirecting *to* the auth-server and redirecting back when the authentication was successful.
Of course this has to be secure and safe and nobody should be able to capture anything sensitive during these redirections (OAuth 2.0-style).
It works beautifully and everybody now loves it.
How it works:
A website, let's say "netfiles.de", requires a logged-in user. It then sends the user to the auth-server with its own app-id as parameter. The app-id is unique for each website/app that wants to use the auth-server.
The auth-server then asks the user to enter a username. It then checks on the server if there is a passwordless-login registered for this user (passkey, yubikey, etc). If so, it tells the browser what the credentialID of those passwordless-logins are.
If not, it allows the user to login with username + password.
In the latter case, after logging the user in with username + password it asks the user whether they would like to register passwordless login - before redirecting them back to the original website. The user has only the option of "yes" and "not yet" (I want to encourage the users to use passwordless).
When the user chooses "yes" (actually: "Register Passwordless"), then the browser + server, together, create a passwordless login and then the user is redirected to the target website.
If the user already has a passwordless login (Passkey, etc), then - after entering the username - they are offered the option to login passwordless. Depending on their OS's & browser's settings, they may then be required to have their fingerprint or face scanned, maybe even on a secondary device (mobile phone), or their yubikey attached, etc. Once that is done and they are authenticated, they are then redirected to the target website.
The flow is actually beautiful and fluid. My explanation above makes it sound complex, but it ain't. It is really simple and beautiful and I am hoping our users will love it.
We have so far tested it with Safari, Chrome, Edge, Firefox, Brave, Chromium on Windows, macOS, and iOS. It works beautifully (except I have to adjust the UI a bit on smartphones 😂)
I am really proud of the result.
And the security is even better than before, especially as we now don't transfer any passwords at all anymore and the authentication process is so safe as to be extremely difficult to hack (I am not gonna say impossible because I know that can never be true, but the cost of hacking it has become another order of magnitude higher than before).
Used technologies: #TypeScript #Couchbase #NodeJS #Nginx #Vue3 #Vuetify3 #WebAuthn #Passkey
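The post above describes the auth-server side of the flow in prose. The following is an added example, not the poster's netfiles code, showing how such a server can decide between the passwordless and password paths, build the assertion options for the browser, and keep the redirect step from being abused. The app-id "netfiles-web", the callback URL, the rpID "auth.example" and the sample credential IDs are constructed assumptions; netfiles.de is the only name taken from the post.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed sample store of username -> registered credential IDs. In a
// real deployment this lookup hits the user database.
var registeredCredentials = map[string][][]byte{
	"alice": {[]byte("alice-yubikey-cred"), []byte("alice-phone-passkey")},
	"bob":   nil, // bob has only a password so far
}

// registeredApps maps each app-id to the single redirect target allowed for it,
// so the auth-server never redirects to a URL supplied in the request itself.
var registeredApps = map[string]string{
	"netfiles-web": "https://netfiles.de/login/callback", // hypothetical callback
}

type AllowedCredential struct {
	Type string `json:"type"`
	ID   string `json:"id"` // base64url credential ID
}

// AssertionOptions is the server's view of the PublicKeyCredentialRequestOptions
// handed to navigator.credentials.get() in the browser.
type AssertionOptions struct {
	Challenge        string              `json:"challenge"`
	RPID             string              `json:"rpId"`
	AllowCredentials []AllowedCredential `json:"allowCredentials"`
	UserVerification string              `json:"userVerification"`
	Timeout          int                 `json:"timeout"`
}

var ErrNoPasswordless = errors.New("no passwordless login registered: offer username + password")
var ErrUnknownApp = errors.New("unknown app-id")

// pendingChallenges binds each challenge to the app-id that started the flow;
// a challenge is removed on first use so a captured response cannot be replayed.
var pendingChallenges = map[string]string{}

// BeginLogin is the "enter a username" step: it returns assertion options when
// the user has passwordless credentials and ErrNoPasswordless otherwise.
func BeginLogin(username, appID, rpID string) (*AssertionOptions, error) {
	if _, ok := registeredApps[appID]; !ok {
		return nil, ErrUnknownApp
	}
	creds := registeredCredentials[username]
	if len(creds) == 0 {
		return nil, ErrNoPasswordless
	}
	raw := make([]byte, 32) // fresh random challenge per ceremony
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	challenge := base64.RawURLEncoding.EncodeToString(raw)
	pendingChallenges[challenge] = appID
	opts := &AssertionOptions{Challenge: challenge, RPID: rpID, UserVerification: "required", Timeout: 60000}
	for _, id := range creds {
		opts.AllowCredentials = append(opts.AllowCredentials,
			AllowedCredential{Type: "public-key", ID: base64.RawURLEncoding.EncodeToString(id)})
	}
	return opts, nil
}

// CompleteLogin consumes the challenge (single use) and returns the registered
// redirect target for the app that issued it. Verifying the assertion signature
// happens before this step and is not shown here.
func CompleteLogin(challenge string) (string, error) {
	appID, ok := pendingChallenges[challenge]
	if !ok {
		return "", errors.New("unknown or already used challenge")
	}
	delete(pendingChallenges, challenge)
	return registeredApps[appID], nil
}

func main() {
	opts, err := BeginLogin("alice", "netfiles-web", "auth.example")
	if err != nil {
		fmt.Println(err)
		return
	}
	b, _ := json.MarshalIndent(opts, "", "  ")
	fmt.Println(string(b))
	target, _ := CompleteLogin(opts.Challenge)
	fmt.Println("redirect back to", target)
}
```

One caveat worth knowing before copying this pattern: answering the username step with a list of credential IDs tells anyone who asks which usernames exist and which have passkeys. If that matters for your deployment, discoverable (resident) credentials let the browser pick the credential without the server naming it, at the cost of requiring authenticators that support them.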
Hacking #WebAuthn to abuse #passkeys and other authenticators for non-repudiation: to create digital signatures over arbitrary data that third parties can verify:
https://sanderdijkhuis.nl/2023/webauthn-sign/
Not intending to use this for real, but I was curious what would be needed to make it work.
How do passkeys work in third-party scenarios? Say you have a service S that logs into other accounts (A) on behalf of it users, who are the account holders. The users have passkeys for those accounts, but need to authorize S to access them (ideally with limited privileges, but not necessarily).
The user can’t give S their private key, obviously. Is it an OAuth type of thing, where they authenticate with A and generate an authentication token to be held by S? Does that end up being another passkey, with the private key held by S?
@PlaneSailingGames @GossiTheDog
I am no expert on #Webauthn but maybe some "pure-device-based-no-backup" attestation type could be added. But then, in turn, the relying party would need to require that and only that. Unlikely to happen.
Does this mean that relying parties might need to maintain "trusted" lists of attestation CAs in the future?
Here it would be unlikely that Google, Apple and Microsoft certificates will not be included on those lists by default.
pls help @kravietz :)
Anyone here going to Authenticate 2023 this week? I'm giving two talks tomorrow - "Demystifying WebAuthn and Passkeys," and "Tips for Painless Passkeys." Feel free to say hi if you see me there!

First with iOS 17, and now reports are trickling in as people upgrade to macOS Sonoma: people are getting frustrated that they are doggedly prompted by third-party providers to register passkeys when before they were already buying into iCloud Keychain. It seems due to the fact that the latest Apple OS's don't let users specify different providers for passwords and passkeys.
If you squint a bit you can imagine this driving people away from iCloud Keychain. If one were trying to be diligent about where all their passkeys are stored, and another provider nags enough, it seems likely they'd capitulate.
Maybe this is by design? Perhaps the majority of people only ever use the built-in provider. If 1Password/Dashlane/BitWarden/etc... users are a fraction of a fraction of a percent of users then I can see why platform responses to such outcry might be a resounding, "eh, deal with it."
...I wonder how these things are playing out on the Android side of things 🤔
I'm finally writing an #introduction toot LOL.
I'm "JJGadgets" online, you can call me JJ, everyone does.
My life is #tech, nothing brings me more joy and zen than sitting in front of my screens. Maybe except for Japanese food.
I use and prefer #linux for both server and desktop use, despite its flaws. I live in the #commandline. Been that way since I first jailbroke on iOS 5 and installed MobileTerminal.
I study #infosec but textbooks and lessons don't even come close to doing justice to what #infosec is all about. I like to think that I live and strive to live the infosec life, including my mindset. (After all, that's why @truxnell started calling me the "tinfoil hat sensei" LOL)
I do #Kubernetes @ Home, and maintain my cluster state in #git then apply it with tools like #FluxCD. My #homelab repo can be found at https://biohazard.jjgadgets.tech (will always 301 redirect to my latest Git remote of choice, in the event it changes). I think using #GitOps/IaC to declare desired security-related state (policies, rules etc) makes managing security a lot easier.
I try to follow "Principle of Least Privilege" for my homelab, and especially for Kubernetes security, using tools such as network policies (#netpols), policy engines, secrets management, identity management, strong #authentication, and access control. For example, my homelab Kubernetes cluster heavily uses netpols everywhere to default-deny and only allow the necessary network traffic for any given app to work.
I am also very interested in strong authentication methods such as #passwordless #fido2 / #webauthn (#yubikey and #passkeys) and where possible, I only enroll FIDO2 MFA, and choose the passwordless variant if available.
I try my best to use privacy-respecting software where possible, as I believe in maintaining transparency and control over the #privacy of people, regardless of online or offline.
I also believe in #opensource, too many times we've been shown the consequences of relying on closed source software, so where possible I always prefer open source.
Outside of the screen, admittedly I'm terrible at life stuff, and it's very hard for me to be interested in much of anything other than stuff on or related to a screen/device (I basically only talk tech stuff LOL). I'm working on changing that in the event I burnout hard again (though I still haven't found a non-tech interest yet, as of writing). I've burnt out multiple times despite still being a student, and thus I now (try to) take as much necessary measures as I can to avoid over-working, over-stressing or over-exerting myself.
That's about it, let's chat (or toot?)!
Understanding the #WebAuthn relying party ID (rpid) & #passkeys: config, domain matching & native apps
Read in my latest blog post, how the best set up of the rpID for your use case looks like:
https://www.corbado.com/blog/webauthn-relying-party-id-rpid-passkeys
I seem to have locked myself out of my #Yubikey 😩
So now if I want to use it as a #passkey I have to reset all my #2fa seeds.
Back when I first got it I thought I'd use it for #WebAuthN so I bought two but only Google, Amazon, and Microsoft supported that so I only use it for #TOTP really.
Maybe I'll just set up the second one now..
@hertg I kept the issue about "WebAuthn without JS" open in the WebAuthn spec repo specifically because I agree, passkeys should be usable in all the same places as the passwords we're intending them to replace. This would of course mean figuring out how to support making the WebAuthn requests and submitting the responses with just HTML elements.
I'd welcome yours and everyone else's feedback about this, in particular any proposals for what non-JS usage would practically look like:
@hertg my personal opinion is that for an #IdP it should work without JS because you have everything needed server-side AND you have a server.
For client-side-only apps though, that's where JS is allowed (and a must actually)
#javascript #identity #securitykeys #Passkeys #webauthn #iam #idp #openid #authentication #webdev
Requiring Javascript for Login Flows
The modern web and all its client-side code makes #javascript pretty much a requirement to surf the internet. Should #identity providers still go the extra step to make login flows work without javascript or is it reasonable to make JS a requirement?
Please comment if you want to add nuance, and thanks for sharing :)
btw. Google and Microsoft require JS for logins while Facebook, Amazon, and Github apparently don't. But JS obviously becomes a requirement once you use #securitykeys / #passkeys / #webauthn.
I've upgraded all of my WordPress sites to use #WebAuthn / #Passkey authentication exclusively. I think it's pretty cool, but it means that I hafta use Safari to log in. I'm willing to make that compromise.
I'd previously had both MFA and a plugin to lock out multiple failed login attempts, and still the attempts to brute force my passwords were redonkulous and unending.
1password has launched support for passkeys. Bitwarden’s original plan was to add support during the summer, but it has got postponed to October.
"Nintendo account used passkeys. It's super effective!" 🎉
This is surprisingly ahead of the curve for Nintendo, but as a die-hard fan I'm really happy to see them offer this! And it's not just for second-factor either 😌
https://en-americas-support.nintendo.com/app/answers/detail/a_id/62531
@tinnedsoftware @eingfoan
Hello Tinned and EINGFOAN,
Sure will!
The *first* article I plan to write will focus more towards application developers who wish to add #webauthn and #passkeys to their product.
My next project is to develop a client (browser javascript) side virtual authenticator for educational purposes. That would make for a good unit test, would it not?
@levischuck can't wait to read about it. 👍
I am trying to write about my journey as well. I hope people enjoy my thoughts and experience with the #FIDO, #webauthn , #securitykey topic. I know I enjoy digging into it. 😊
@levischuck @iamkale plesaaase tag it #webauthn #fido #yubikey
I hope #webauthn compliance will eventually make things bearable again.
(or even better, I dare hope)
This is why friends don’t let friends use TOTP. If a company you use doesn’t support #WebAuthn #FIDO2, ask them when they intend to resolve that risk to their customers. https://retool.com/blog/mfa-isnt-mfa/
Chrome Beta 118 on macOS 13.5+ can now access iCloud Keychain passkeys! This means we'll be able to create and auth with the same passkeys as Safari! 🎉
According to the Chrome roadmap, Version 118 is set to become the Stable release in the beginning of October:
If you want to turn this off for whatever reason you can go to chrome-extension://aeblfdkhhhdcdjpifhhbdiojplfjncoa/app/app.html#/page/settings#sectionAutofill (the Autofill section in the extension's settings) and uncheck the "Offer to save and sign in with passkeys" toggle:
Just a heads up, 1Password users: the browser extension just got updated with support for passkeys.
See the changelog for more info:
https://releases.1password.com/b5x/stable/#1password-in-the-browser-2.15.0
Webauthn questions:
1) When I create a passkey for a service, one of the options (on apple OSs, anyway) is to use a security key like a YubiKey. I assume that means I need to whip out my YubiKey every time I want to log into that service.
Yubico recommends buying more than one physical key, in case you lose the primary key you have a backup. But how do I back up a passkey I created through Apple UI with another YubiKey?
2) I see no way for a service to require both a passkey (with or without physical key) *and* a passphrase of some kind. Since I'm most likely carrying my YubiKey with my iPhone at all times, all someone needs to do is knock me out*, touch my finger to my phone (or hold it to my face), and log in to whatever. Requiring a passphrase to unlock my local private keychain is the only way to protect against this kind of attack, but I see no way to enforce that level of security.
*Mind you, I don't have access to anything I think anyone is willing to knock me out for, but who knows what a savvy street thug might learn to do opportunistically?
Trying my luck again.. 🙃
I’m the dev behind @buttercup, the open source password manager available for all major platforms. For some time it’s been a one person show, but I’d really like it not to be.
We get the odd contribution from the community but Buttercup would really benefit from having another founding member or two that want to help push the project forward into its next phase.
It’s all #OSS right now, with mixed licenses of MIT and GPL. We want to put out some SaaS so there’ll be some closed source in the future, which will hopefully support a small business, but the #FOSS side is one we want front and centre at all times. It’s what made us and we’re passionate about it.
It’s all #javascript and #typescript, with #react, #reactnative, #electron, #browserextensions etc. that make up the majority of the software.
We have some few thousand users, many hundreds of which are daily active.
We’re interested in adding a lot of new functionality: #webauthn, #Passkeys, #fido #fido2, #yubikey, #selfhosted and sharing.
If any of this sounds interesting to you, please give me a shout! We’re looking for someone that’d be interested in sharing ownership.
I’ve got some busy days ahead of me so if I don’t respond immediately I will as soon as I can. Here are some places to reach me:
- here 😎
- Keybase: keybase.io/perrymitchell
- @buttercup
#passwordmanager #passwordmanagement #password #passwords #vault #passwordvault #founder #LookingForHelp #desktop #mobile #software #programming
Speaking of Bitwarden… How do you know it still is summer? You cannot store passkeys in your Bitwarden vault yet.
SimpleWebAuthn v8.0.0 has been released! The highlight of this release: first-class Deno support, as well as unofficial support for CloudFlare Workers and Bun! Basically anything that can run JavaScript or TypeScript on the back end should now be able to pull in this project, including CommonJS and ECMAScript modules!
Check out the changelog, there are a couple of minor breaking changes:
https://github.com/MasterKale/SimpleWebAuthn/releases/tag/v8.0.0
And if you have a Deno project you've been wanting to use SimpleWebAuthn with (without having to resort to npm: specifiers) you can find the project on deno.land here:
https://deno.land/x/simplewebauthn@v8.0.0
Time to rest 😮💨
#simplewebauthn #node #nodejs #deno #bun #cloudflare #typescript #javascript #webauthn #passkeys #pnpm #lerna
Help me out, Deno devs. Which of the following URLs should I go with when I live with the new Deno support I'm adding to SimpleWebAuthn? The project will become available via https://deno.land/x.
(Without something like this you end up with a massive URL like https://deno.land/x/simplewebauthn/packages/server/src/index.ts since I have to publish the entire monorepo because deno.land is powered by per-repo webhooks.)
The NPM packages that get published already have ESM and CJS support for Node projects in either configuration. And with Cloudflare Workers and Bun both being Node-compatible you can just use the NPM packages like a normal Node project.
My vote is for the first option because these specific paths are specifically for Deno projects. Someone else is championing the second option because other projects looking to use the ESM version might want to use the same URL, and it'd be confusing to have /deno/ in it. But I'm not aware of any other runtimes now or coming up that do anything like Deno does with import {...} from 'https://example.com/x/modulename/src/index.ts'. Maybe I'm missing something?
Anyway thanks for helping me out with this. This'll be the first module I've ever published to Deno after three years of the project being Node-only and naming things is hard 🙃
#deno #node #typescript #javascript #webauthn #simplewebauthn
Passkeys align security with the individuals it benefits. Apple, Google, and Microsoft provide their own passkeys now, but the cross platform story remains underserved. Third party password managers have been good enough for many people, I believe it is okay to have passkeys come from those too as they serve individuals across platforms.
https://cendyne.dev/posts/2023-08-21-passkeys-in-password-managers-is-okay.html
The CCC FIDO2 / webauthn talk was great.
Though this specific slide and the words that went with it are not true.
Registration receives but does not use a nonce for key generation, it is used for authentication attestations when requested. The authenticator is responsible for its own randomness when generating key material.
See CTAP 2.1 section 6.1 authenticatorMakeCredential, algorithm step 16: the make credential operation does not take this information. Instead, see CTAP 2.1 section 6.2 authenticatorGetAssertion, algorithm step 13, with clientDataHash.
#FIDO2 - the superior Multi Factor #Authentication Framework
https://media.ccc.de/v/camp2023-57174-fido2
(50min) by @cy
Great overview/intro talk about #2FA using #WebAuthN, hardware security tokens, #TOTP and #passkeys.
Furthermore: why FIDO2 does have some advantages compared to passkeys when #security is more important than convenience. Passkeys leaks your private key to the #cloud provider.
Who here likes hardware-backed end-to-end message encryption, in the browser? Have I got a fun toy for you!
When I first discovered WebAuthn in 2019 I imagined it being used for something like this, but never imagined something like the prf extension enabling true E2EE like this. Everything happens in the browser; there's no server used in any of this because to me that defeated the purpose. I also challenged myself to make a decent UX on top of this because what good is strong encryption if it's not usable?
For best results make sure you're using Chrome 116 and a recent FIDO2 security key.
(I'm also trying to figure out how things get noticed on Hacker News, so if you participate over there here's the Show HN, upvotes appreciated: https://news.ycombinator.com/item?id=37148972)
I put to paper an idea about how security keys can still be useful as passkeys move everyone to using platform authenticators in a way that disadvantages security keys:
https://blog.millerti.me/2023/07/30/security-keys-in-the-land-of-passkeys/
I've decided to implement multi-auth on my #mastodon client https://schizo.social
Currently it lets you auth with one account at a time, and the #oauth token this creates is stored in the session and destroyed when you log out.
I don't want the user to have to re-authenticate all their accounts each time they start a new session.
So I could let them create a new email/pass auth method, and then store their various mastodon tokens in the db. Maybe #passkeys or #webauthn?
Surprise surprise, TikTok's getting onboard the passkeys train! 🚂🔐 🎉
Programming note, devise-passkeys 0.2.0 is out: https://github.com/ruby-passkeys/devise-passkeys/releases/tag/v0.2.0
It's got some bug fixes & documentation, but more importantly, some outside contributors!! Thanks so much to everyone who's helped out so far: https://github.com/ruby-passkeys/devise-passkeys/blob/v0.2.0/THANKS.md#contributors
#rails #passkeys #WebAuthn #InfoSec #passwordless #RubyOnRails #ruby
Question about implementation of #Passkeys. As I understand it, having a user login with passkey but without UV (User Verification) is not necessarily MFA as it could just be a stolen security key (Something you have).
How is (or should) #MFA with Passkeys implemented in practice? By setting UV as "required"? Or by setting UV as "preferred" and then based on the user response prompt for another factor (eg. #TOTP) in case there was no UV? I am a bit confused about how to fit Passkeys into the current #authentication logic.
#passwords #fido #fido2 #webauthn #identitymanagement #iam #oauth #openid
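Two posts above raise the same verification details from different angles: the CTAP note that clientDataHash enters the getAssertion operation, and the question of how a relying party decides whether a passkey login without user verification counts as MFA. The following is an added example, not code from either poster or from any WebAuthn library, of the relying-party checks on an authentication response: it parses the authenticatorData flags, verifies the ES256 signature over authenticatorData || SHA-256(clientDataJSON), checks the signature counter, and then applies the policy that a response without the UV flag proves possession only. The rpID "example.com", the origin, the challenge string and the simulated authenticator are constructed assumptions so the block runs offline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Flag bits in the authenticatorData flags byte.
const (
	flagUP byte = 1 << 0 // user present (touch)
	flagUV byte = 1 << 2 // user verified (PIN, biometric, ...)
)

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type AssertionResult struct {
	UserVerified bool   // true only if the authenticator set the UV flag
	SignCount    uint32 // new counter value to store for this credential
}

// VerifyAssertion runs the relying-party checks on an authentication response:
// clientDataJSON type/origin/challenge, rpIdHash, the UP flag, the ES256
// signature over authenticatorData || SHA-256(clientDataJSON), and the signature
// counter. It reports the UV flag so the caller can decide whether this is MFA.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string,
	authData, clientDataJSON, sig []byte, storedCount uint32) (*AssertionResult, error) {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return nil, err
	}
	if cd.Type != "webauthn.get" || cd.Origin != origin || cd.Challenge != challenge {
		return nil, errors.New("clientData type, origin or challenge mismatch")
	}
	if len(authData) < 37 { // 32-byte rpIdHash + 1 flags byte + 4-byte counter
		return nil, errors.New("authenticatorData too short")
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(authData[:32], rpIDHash[:]) {
		return nil, errors.New("rpIdHash does not match this relying party")
	}
	flags := authData[32]
	if flags&flagUP == 0 {
		return nil, errors.New("user presence flag not set")
	}
	count := binary.BigEndian.Uint32(authData[33:37])
	if (count != 0 || storedCount != 0) && count <= storedCount {
		return nil, errors.New("signature counter did not increase: possible cloned credential")
	}
	// The authenticator signs authData || clientDataHash; ES256 hashes that with SHA-256.
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return nil, errors.New("invalid assertion signature")
	}
	return &AssertionResult{UserVerified: flags&flagUV != 0, SignCount: count}, nil
}

// IsMultiFactor encodes the policy from the question: a passkey response
// without UV proves possession only, so the caller should ask for a second factor.
func IsMultiFactor(r *AssertionResult) bool { return r.UserVerified }

// simulateAuthenticator is a constructed stand-in for a security key or
// platform authenticator, present only so the block can run offline.
func simulateAuthenticator(priv *ecdsa.PrivateKey, rpID string, uv bool, count uint32, clientDataJSON []byte) (authData, sig []byte, err error) {
	rpIDHash := sha256.Sum256([]byte(rpID))
	flags := flagUP
	if uv {
		flags |= flagUV
	}
	authData = append(rpIDHash[:], flags, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(authData[33:], count)
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return authData, sig, err
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cdj := []byte(`{"type":"webauthn.get","challenge":"c2FtcGxlLWNoYWxsZW5nZQ","origin":"https://example.com"}`)
	for _, uv := range []bool{true, false} {
		ad, sig, _ := simulateAuthenticator(priv, "example.com", uv, 7, cdj)
		res, err := VerifyAssertion(&priv.PublicKey, "example.com", "https://example.com", "c2FtcGxlLWNoYWxsZW5nZQ", ad, cdj, sig, 6)
		fmt.Println("uv requested:", uv, "error:", err, "counts as MFA:", res != nil && IsMultiFactor(res))
	}
}
```

The server never trusts the userVerification value it asked for; only the UV bit the authenticator actually set in the signed authenticatorData decides. That is what makes "required" enforceable and "preferred" merely a hint.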
Oh cool, PayPal seems to support WebAuthn now.
Started building my first example application for #webauthn and #passkeys with CakePHP. My initial thought is that this is very cool. An end to phishing and account takeovers will be wonderful. But also, wow this is way more complicated and will take really good libraries to make this accessible for mass adoption.
I wrote a #blog #post about #passkeys what do you think?
https://www.elliotali.com/passkeys/
Today I learned about the Web Authentication API (WebAuthn):
A way to authenticate to sites with public key cryptography (no passwords sent).
@schizanon @colepeters @enhance_dev Cool, glad it was useful. We are looking at other authentication methods but the simple password made sense for the blog template. #WebAuthN is on the list.
Let us know if you have any questions on RSS or webmentions. I'm going to stand up an app that you can test webmentions against next week 🤞
I was skeptical about 1Password's support for being a second factor (https://support.1password.com/one-time-passwords/), since it's also holding my first factor. But then a couple websites have insisted that I turn on #2FA (never #WebAuthn of course), where I don't care that much about the account, and I don't want to get out my phone every time. #1Password is perfect for that.
I decided to implement #WebAuthN to #authenticate on my site.
This is my first time using the navigator.credentials #API. Anyone got any good articles or tips for me?
#webDevelopment #webDev #frontend #credentials #web #browser #auth #authentication #login
Passwords, multiple authentication factors: everything you want to know but are truly afraid to ask...
The full text: https://writefreely.mrnet.pt/pls/lets-talk-about-safer-authentication-the-good-bad-and-the-ugly
#authentication #hotp #totp #FIDO #FIDO2 #passkeys #webauthn #u2f #2fa #passwords #security
Great news, #Firefox 112 will enable its new FIDO2 support by default! This means that #WebAuthn users on #macOS can finally start going #passwordless with security keys 🎉
And some of you keeping track at home will be happy to hear that residentKey: "preferred" will NOT create a discoverable credential on security keys. You have to specify "required" instead if you want the user to register device-bound #passkeys (which is how I want ALL browsers to behave cough*Chrome*cough)
I guess this is what I was afraid of with #WebAuthn https://sec.okta.com/articles/2020/04/webauthn-great-and-it-sucks
tl,dr: No one is implementing it other than for 2FA.
Hey #WebAuthn relying parties, I did a bit of experimenting last night and documented which value in PublicKeyCredentialUserEntity browsers and OS's use to help disambiguate #passkeys that your users enroll. If you support multiple deployments then you'll want to know this! 🔎
Has someone worked with webauthn in here? I’m trying to test my code on localhost (rp_id localhost, allowed origin http://localhost:8080) but no matter what I do I am just getting the following error:
NotAllowedError: CredentialContainer request is not allowed.
@rmondello @glyph Apple may have been first-to-market with a consumer-facing authentication feature called "passkeys", but statements like "Apple coined the term" are going to create confusion in this space as passkeys continue to gain traction because it implies that Apple owns the word.
I know you know this, but for everyone else in the room: "#passkeys" aren't intended to be vendor-specific; it's an evolution of the use of #WebAuthn that solves the API's historic account recovery problem. There are implementations of passkeys (e.g. "Apple's implementation of passkeys", "Google's support for passkeys", "Microsoft's version of passkeys"), but they're all supposed to be supporting the same standards-based API's and primitives.
If this is to have any chance of truly replacing passwords, then shouldn't it be through the FIDO Alliance, the organization created to push for and evolve this technology, and to which all three major platform vendors have joined as members, that influence is exerted to decide on a common definition?
Ok total shot in the dark here:
Does anyone know how to change the default login method of keycloak so it asks for a passkey first rather than a user/password?
It is pretty neat that I can use passkeys but the flow of: click small "try another way" -> click passkey -> click button to activate passkey prompt is kinda not smooth.
Can it be done without writing a theme, because that sounds like a total fragile pain?
#keycloak #SysAdmin #PassKey #WebAuthN