WebAuthn now a standard
-
Well with WebAuthn being approved, it just means that recovery methods need to be enforced as well.
Security questions, secondary biometrics or something else would need to be enforced to ensure people aren't losing access to their accounts because they lose their Yubikey or mobile 2fa device.
-
Yeah, having not read it yet - this sounds similar to something else I've tried...
How do you manage your identity across multiple devices? What about public devices? Shared devices?
-
@JaredBusch said in WebAuthn now a standard:
In the short term, places like ML will enable WebAuthn and what? We load a public key of some type from our browser into our profile.
Hopefully browsers will make the private side hard to pull out of them. Most people will not use a YubiKey or anything. It's way too easy to lose, and then where are you?
The thing is, it doesn't follow you as easily as a username and password, and on the other hand, depending on the client-side implementation it means there's literally no barrier when it comes to a shared computer†. If the device that stores the keys also automagically generates/stores them initially then OK, but moving beyond that what do you do then?
It's like OpenID, while seemingly apparently simple, until you try to explain it to a user.
Or more of a closer analogy are stored SSH keys, if you're logged into the machine, then you have a free for all. Hell, just open PuTTY and you're authenticated (assuming keys are stored).
†Of course, you can add key phrases to your private keys but if you're doing that, what in the hell was the point of going down that road in the first place?
Note, I'm speaking totally independently of any security benefits of internet-facing services using keys vs classical logins, so let's not start a whole thing SAM
-
@tonyshowoff said in WebAuthn now a standard:
†Of course, you can add key phrases to your private keys but if you're doing that, what in the hell was the point of going down that road in the first place?
I thought the idea was to help eliminate passwords flying all over the internet. With something like a key phrase on a private key, that password should never leave your computer... but I'm relatively certain that's not how this is going to work, lol.
-
@dafyre said in WebAuthn now a standard:
@tonyshowoff said in WebAuthn now a standard:
†Of course, you can add key phrases to your private keys but if you're doing that, what in the hell was the point of going down that road in the first place?
I thought the idea was to help eliminate passwords flying all over the internet. With something like a key phrase on a private key, that password should never leave your computer... but I'm relatively certain that's not how this is going to work, lol.
With SSL it wouldn't make any difference anyway. And no, your passphrase for your generated private key would not have the password sent; rather, it's required in order to use the key file at all.
-
Portability is the major hassle here.
If it all boils down to using something like a YubiKey, great - but how do you use a YubiKey on your phone?
-
My advice on WebAuthn is: wait until the next version of the standard when they iron out all the things they could have avoided had they done an RFC rather than just announcing it like a bunch of jackasses.
Pun intended: FIDO(2) is dog shit
-
@Dashrender said in WebAuthn now a standard:
Portability is the major hassle here.
If it all boils down to using something like a YubiKey, great - but how do you use a YubiKey on your phone?
Well, you wouldn't be required to use only a YubiKey; you can have Google Authenticator attached to your account as well, allowing you multiple ways to log in to your account.
-
@tonyshowoff said in WebAuthn now a standard:
My advice on WebAuthn is: wait until the next version of the standard when they iron out all the things they could have avoided had they done an RFC rather than just announcing it like a bunch of jackasses.
Pun intended: FIDO(2) is dog shit
What don't you like about FIDO(2)?
-
@Dashrender said in WebAuthn now a standard:
@tonyshowoff said in WebAuthn now a standard:
My advice on WebAuthn is: wait until the next version of the standard when they iron out all the things they could have avoided had they done an RFC rather than just announcing it like a bunch of jackasses.
Pun intended: FIDO(2) is dog shit
What don't you like about FIDO(2)?
It extends from the lack of an RFC, because they require implementation of already broken/obsolete RSA models. Of course their answer to this issue is "don't use them", which is utterly retarded.
At the end of the day, the simplest is this: they're pushing it for mobile, if you lose your device or somehow don't have access to your private keys, you can't login, pure and simple.
-
@Dashrender said in WebAuthn now a standard:
but how do you use a YubiKey on your phone?
-
@scottalanmiller said in WebAuthn now a standard:
@Dashrender said in WebAuthn now a standard:
but how do you use a YubiKey on your phone?
That's exactly how I do it. You can also use the Yubiauth app on both the phone and Windows to hold OTP codes for stuff that doesn't support u2f.
-
@scottalanmiller said in WebAuthn now a standard:
@Dashrender said in WebAuthn now a standard:
but how do you use a YubiKey on your phone?
I finally watched the video - and while they didn't explain it, they did show it.
-
@stacksofplates said in WebAuthn now a standard:
@scottalanmiller said in WebAuthn now a standard:
@Dashrender said in WebAuthn now a standard:
but how do you use a YubiKey on your phone?
That's exactly how I do it. You can also use the Yubiauth app on both the phone and Windows to hold OTP codes for stuff that doesn't support u2f.
So there's a way to export the private key out of the YubiKey? Or the sites allow for multiple public keys?
-
@Dashrender said in WebAuthn now a standard:
@stacksofplates said in WebAuthn now a standard:
@scottalanmiller said in WebAuthn now a standard:
@Dashrender said in WebAuthn now a standard:
but how do you use a YubiKey on your phone?
That's exactly how I do it. You can also use the Yubiauth app on both the phone and Windows to hold OTP codes for stuff that doesn't support u2f.
So there's a way to export the private key out of the YubiKey? Or the sites allow for multiple public keys?
Huh? You scan the QR code like you normally would but it stores it on the Yubikey instead. Then when you need the code you either tap it to your phone and it shows you all of the one time codes or you do it on your computer. Just like how Google authenticator works. For the u2f stuff, it works the same on Android as on your pc. The browser needs to support u2f and it does the challenge response.
-
@stacksofplates said in WebAuthn now a standard:
@Dashrender said in WebAuthn now a standard:
@stacksofplates said in WebAuthn now a standard:
@scottalanmiller said in WebAuthn now a standard:
@Dashrender said in WebAuthn now a standard:
but how do you use a YubiKey on your phone?
That's exactly how I do it. You can also use the Yubiauth app on both the phone and Windows to hold OTP codes for stuff that doesn't support u2f.
So there's a way to export the private key out of the YubiKey? Or the sites allow for multiple public keys?
Huh? You scan the QR code like you normally would but it stores it on the Yubikey instead. Then when you need the code you either tap it to your phone and it shows you all of the one time codes or you do it on your computer. Just like how Google authenticator works. For the u2f stuff, it works the same on Android as on your pc. The browser needs to support u2f and it does the challenge response.
I've never used a YubiKey - I assumed the private code inside the YubiKey was there and nowhere else.
-
@stacksofplates said in WebAuthn now a standard:
@Dashrender said in WebAuthn now a standard:
@stacksofplates said in WebAuthn now a standard:
@scottalanmiller said in WebAuthn now a standard:
@Dashrender said in WebAuthn now a standard:
but how do you use a YubiKey on your phone?
That's exactly how I do it. You can also use the Yubiauth app on both the phone and Windows to hold OTP codes for stuff that doesn't support u2f.
So there's a way to export the private key out of the YubiKey? Or the sites allow for multiple public keys?
Huh? You scan the QR code like you normally would but it stores it on the Yubikey instead. Then when you need the code you either tap it to your phone and it shows you all of the one time codes or you do it on your computer. Just like how Google authenticator works. For the u2f stuff, it works the same on Android as on your pc. The browser needs to support u2f and it does the challenge response.
But you can use the YubiKeys for a ton of auth types. You can do static passwords, TOTP, HOTP, GPG, U2F, local challenge response (like with PAM), and still more I believe.
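The two points the thread keeps circling (the browser-driven challenge response, and whether a site simply holds several public keys per account so the YubiKey on the PC and the phone's authenticator can both sign in), as an added example that is not part of this thread or of any project: a minimal Go relying-party check modelled on WebAuthn assertion verification. The names (Credential, verifyAssertion, Demo), the RP ID example.com, the challenge strings and the 33-byte authenticatorData stand-in are all constructed assumptions; real authenticatorData also carries a signature counter and more flag bits, which this does not model.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)
// Credential is one registered public key; an account may hold several (assumed model: YubiKey on the PC, platform authenticator on the phone).
type Credential struct{ ID string; Pub *ecdsa.PublicKey }
// signedDigest is what both sides hash: authenticatorData || sha256(clientDataJSON).
func signedDigest(ad, clientData []byte) []byte {
	cdh := sha256.Sum256(clientData)
	d := sha256.Sum256(append(append([]byte{}, ad...), cdh[:]...))
	return d[:]
}
// verifyAssertion is the relying-party check: our challenge, our rpIdHash with the user-presence flag set, and a valid signature from a credential registered to this account.
func verifyAssertion(creds []Credential, rpID, challenge, credID string, ad, clientData, sig []byte) error {
	var cd struct{ Type, Challenge string } // encoding/json matches "type"/"challenge" case-insensitively
	if err := json.Unmarshal(clientData, &cd); err != nil { return err }
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("challenge mismatch: replayed or foreign ceremony")
	}
	want := sha256.Sum256([]byte(rpID))
	if len(ad) < 33 || string(ad[:32]) != string(want[:]) || ad[32]&0x01 == 0 {
		return errors.New("bad authenticator data: wrong rpId or no user presence")
	}
	for _, c := range creds {
		if c.ID == credID && ecdsa.VerifyASN1(c.Pub, signedDigest(ad, clientData), sig) {
			return nil
		}
	}
	return errors.New("no registered credential produced a valid signature")
}
// Demo registers two keys on one account, signs with the phone's key, and reports whether the fresh assertion verifies and whether replaying it under a new challenge is rejected.
func Demo() (freshOK, replayRejected bool) {
	pc, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	phone, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	creds := []Credential{{"pc-yubikey", &pc.PublicKey}, {"phone", &phone.PublicKey}}
	rpHash := sha256.Sum256([]byte("example.com"))
	ad := append(rpHash[:], 0x01) // constructed authenticatorData: rpIdHash || flags (UP set)
	cd := []byte(`{"type":"webauthn.get","challenge":"c1","origin":"https://example.com"}`)
	sig, _ := ecdsa.SignASN1(rand.Reader, phone, signedDigest(ad, cd)) // the authenticator's step
	freshOK = verifyAssertion(creds, "example.com", "c1", "phone", ad, cd, sig) == nil
	replayRejected = verifyAssertion(creds, "example.com", "c2", "phone", ad, cd, sig) != nil
	return
}
func main() { fmt.Println(Demo()) }
```

The private key never leaves the authenticator; the site only ever stores public keys, which is why registering a second one for the phone is the normal answer to the portability question.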
-
@Dashrender said in WebAuthn now a standard:
@stacksofplates said in WebAuthn now a standard:
@Dashrender said in WebAuthn now a standard:
@stacksofplates said in WebAuthn now a standard:
@scottalanmiller said in WebAuthn now a standard:
@Dashrender said in WebAuthn now a standard:
but how do you use a YubiKey on your phone?
That's exactly how I do it. You can also use the Yubiauth app on both the phone and Windows to hold OTP codes for stuff that doesn't support u2f.
So there's a way to export the private key out of the YubiKey? Or the sites allow for multiple public keys?
Huh? You scan the QR code like you normally would but it stores it on the Yubikey instead. Then when you need the code you either tap it to your phone and it shows you all of the one time codes or you do it on your computer. Just like how Google authenticator works. For the u2f stuff, it works the same on Android as on your pc. The browser needs to support u2f and it does the challenge response.
I've never used a YubiKey - I assumed the private code inside the YubiKey was there and nowhere else.
It depends on the type of authentication.