WebAuthn now a standard
-
My advice on WebAuthn is: wait until the next version of the standard when they iron out all the things they could have avoided had they done an RFC rather than just announcing it like a bunch of jackasses.
Pun indended: FIDO(2) is dog shit
-
@Dashrender said in WebAuthn now a standard:
Portability is the major hassle here.
If it all boils down to using something like a YubiKey, great - but how do you use a YubiKey on your phone?
Well you wouldn't use be required to use only a Yubikey, you can have Google Authenticator attached to your account as well. Allowing you multiple ways to login to your account.
-
@tonyshowoff said in WebAuthn now a standard:
My advice on WebAuthn is: wait until the next version of the standard when they iron out all the things they could have avoided had they done an RFC rather than just announcing it like a bunch of jackasses.
Pun indended: FIDO(2) is dog shit
What don't you like about FIDO(2)?
-
@Dashrender said in WebAuthn now a standard:
@tonyshowoff said in WebAuthn now a standard:
My advice on WebAuthn is: wait until the next version of the standard when they iron out all the things they could have avoided had they done an RFC rather than just announcing it like a bunch of jackasses.
Pun indended: FIDO(2) is dog shit
What don't you like about FIDO(2)?
It extends from the lack of an RFC, because they require implementation of already broken/obsolete RSA models. Of course their answer to this issue is "don't use them", which is utterly retarded.
At the end of the day, the simplest is this: they're pushing it for mobile, if you lose your device or somehow don't have access to your private keys, you can't login, pure and simple.
-
-
@scottalanmiller said in WebAuthn now a standard:
@Dashrender said in WebAuthn now a standard:
but how do you use a YubiKey on your phone?
That's exactly how I do it. You can also use the Yubiauth app on both the phone and Windows to hold OTP codes for stuff that doesn't support u2f.
-
@scottalanmiller said in WebAuthn now a standard:
@Dashrender said in WebAuthn now a standard:
but how do you use a YubiKey on your phone?
I finally watched the video - and while they didn't explain it, they did show it.
-
@stacksofplates said in WebAuthn now a standard:
@scottalanmiller said in WebAuthn now a standard:
@Dashrender said in WebAuthn now a standard:
but how do you use a YubiKey on your phone?
That's exactly how I do it. You can also use the Yubiauth app on both the phone and Windows to hold OTP codes for stuff that doesn't support u2f.
So there's a way to export the private key out of the YubiKey? or the sites allows for multiple public keys?
-
@Dashrender said in WebAuthn now a standard:
@stacksofplates said in WebAuthn now a standard:
@scottalanmiller said in WebAuthn now a standard:
@Dashrender said in WebAuthn now a standard:
but how do you use a YubiKey on your phone?
That's exactly how I do it. You can also use the Yubiauth app on both the phone and Windows to hold OTP codes for stuff that doesn't support u2f.
So there's a way to export the private key out of the YubiKey? or the sites allows for multiple public keys?
Huh? You scan the QR code like you normally would but it stores it on the Yubikey instead. Then when you need the code you either tap it to your phone and it shows you all of the one time codes or you do it on your computer. Just like how Google authenticator works. For the u2f stuff, it works the same on Android as on your pc. The browser needs to support u2f and it does the challenge response.
-
@stacksofplates said in WebAuthn now a standard:
@Dashrender said in WebAuthn now a standard:
@stacksofplates said in WebAuthn now a standard:
@scottalanmiller said in WebAuthn now a standard:
@Dashrender said in WebAuthn now a standard:
but how do you use a YubiKey on your phone?
That's exactly how I do it. You can also use the Yubiauth app on both the phone and Windows to hold OTP codes for stuff that doesn't support u2f.
So there's a way to export the private key out of the YubiKey? or the sites allows for multiple public keys?
Huh? You scan the QR code like you normally would but it stores it on the Yubikey instead. Then when you need the code you either tap it to your phone and it shows you all of the one time codes or you do it on your computer. Just like how Google authenticator works. For the u2f stuff, it works the same on Android as on your pc. The browser needs to support u2f and it does the challenge response.
I've never used a YubiKey - I assumed the private code inside the YubiKey was there and no where else.
-
@stacksofplates said in WebAuthn now a standard:
@Dashrender said in WebAuthn now a standard:
@stacksofplates said in WebAuthn now a standard:
@scottalanmiller said in WebAuthn now a standard:
@Dashrender said in WebAuthn now a standard:
but how do you use a YubiKey on your phone?
That's exactly how I do it. You can also use the Yubiauth app on both the phone and Windows to hold OTP codes for stuff that doesn't support u2f.
So there's a way to export the private key out of the YubiKey? or the sites allows for multiple public keys?
Huh? You scan the QR code like you normally would but it stores it on the Yubikey instead. Then when you need the code you either tap it to your phone and it shows you all of the one time codes or you do it on your computer. Just like how Google authenticator works. For the u2f stuff, it works the same on Android as on your pc. The browser needs to support u2f and it does the challenge response.
But you can use the Yubikeys for a ton of auth types. You can do static passwords, TOTP, HOTP, GPG, u2f, local challenge reponse (like with PAM), and still more I believe.
-
@Dashrender said in WebAuthn now a standard:
@stacksofplates said in WebAuthn now a standard:
@Dashrender said in WebAuthn now a standard:
@stacksofplates said in WebAuthn now a standard:
@scottalanmiller said in WebAuthn now a standard:
@Dashrender said in WebAuthn now a standard:
but how do you use a YubiKey on your phone?
That's exactly how I do it. You can also use the Yubiauth app on both the phone and Windows to hold OTP codes for stuff that doesn't support u2f.
So there's a way to export the private key out of the YubiKey? or the sites allows for multiple public keys?
Huh? You scan the QR code like you normally would but it stores it on the Yubikey instead. Then when you need the code you either tap it to your phone and it shows you all of the one time codes or you do it on your computer. Just like how Google authenticator works. For the u2f stuff, it works the same on Android as on your pc. The browser needs to support u2f and it does the challenge response.
I've never used a YubiKey - I assumed the private code inside the YubiKey was there and no where else.
It depends on the type of authentication.
