Replied in thread
@LimeSurvey The new #2FA with #YubiKey doesn't work well in combination with @1password and the auto submit feature. Why didn't you implement #WebAuthn?
#webauthn
0 posts0 participants0 posts today
LemonLDAP::NG 2.21 is out!
Read our release notes: https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-21-0-is-out/
Well this is quite the surprise! Passkeys in epic-stack, brought to you by SimpleWebAuthn 
https://github.com/epicweb-dev/epic-stack/discussions/937
I can consider this a feather in my cap, no?
GitHubPasskeys, Helmets, and more! 🔑 🪖 · epicweb-dev epic-stack · Discussion #937I'm excited to officially announce support for passkeys in the Epic Stack! We've got a few other goodies since the last release as well! Here's a summary: WebAuthn Passkey Authentication – Added su...
Putting the word out here that https://webauthn.io got a bit of an upgrade today:
- You can now specify hints during authentication, if you're so inclined
- There's a new
/profilepage for after authentication to help with page navigation via the browser
Poke around a bit and feel free to let me know if anything seems off 
WebAuthn.ioA demonstration of the WebAuthn specificationDemonstration of the WebAuthn specification.
Replied in thread
@sarahjamielewis I would like to hear answers to that question as well. I have not tried it myself, but I'm considering #Keycloak for something like that.
I would also suggest the hashtags #passkey #webauthn and #fido to gather the attention of the right people?
If you're ready to learn the technical details, then there is a Tour of WebAuthN here: https://www.imperialviolet.org/tourofwebauthn/tourofwebauthn.html
www.imperialviolet.orgA Tour of WebAuthn
GitHub - yackermann/awesome-webauthn: 
A curated list of awesome WebAuthn and Passkey resources https://github.com/yackermann/awesome-webauthn #OpenSource #WebAuthn #resource #awesome #passkey #GitHub #list
GitHubGitHub - yackermann/awesome-webauthn: 🔐 A curated list of awesome WebAuthn and Passkey resources🔐 A curated list of awesome WebAuthn and Passkey resources - yackermann/awesome-webauthn
Passkey advice (ncsc.gov.uk)
From https://www.ncsc.gov.uk/blog-post/passkeys-not-perfect-getting-better (highly condensed by me):
❝
What then are the remaining problems with passkeys?
Inconsistent support and experiences Device loss scenarios Migration issues Account recovery processes Platform differences Implementation complexity Inconsistent use Uncertainty around multi-factor status
❞
I recently wrote about a number of Android an iOS/iPadOS vulnerabilities (including account lock-out risks) in https://infosec.exchange/@ErikvanStraten/113820358011090612 and a couple of follow-up toots.
People wanting to know the basics of passkeys can read a somewhat acceptable translation from Dutch to English of my writeup "Passkeys for laymen", which can be seen by opening https://www-security-nl.translate.goog/posting/798699/Passkeys+voor+leken?_x_tr_sl=nl&_x_tr_tl=en&_x_tr_hl=nl (which seems to work in Chrome). The original article, in Dutch, can be seen in https://www.security.nl/posting/798699/Passkeys+voor+leken.
A good source of (unbiased!) info is also Dan Goodin's article in https://arstechnica.com/security/2024/12/passkey-technology-is-elegant-but-its-most-definitely-not-usable-security/.
Finally: the problem with passwords starts with a 'p': it's PEOPLE. Use a password manager as I describe in https://infosec.exchange/@ErikvanStraten/113022180851761038 (with Android screenshot: https://infosec.exchange/@ErikvanStraten/113549056619471557).
www.ncsc.gov.ukPasskeys: they're not perfect but they're getting betterPasskeys are the future of authentication, offering enhanced security and convenience over passwords, but widespread adoption faces challenges that the NCSC is working to resolve.
SimpleWebAuthn v13.1.0 is out! Changes include addressing a DeprecationWarning in the console about a "punycode" module; and startRegistration() and startAuthentication() now warn about but try to handle calls made using the older API call structure seen in lots of existing tutorials (with a link to help explain how to refactor.)
https://github.com/MasterKale/SimpleWebAuthn/releases/tag/v13.1.0
GitHubRelease v13.1.0 · MasterKale/SimpleWebAuthnChanges:
[server] The cross-fetch dependency has been removed from the project to silence in the console DeprecationWarning's about a "punycode" module (#661)
[browser] startRegistration() and sta...
Why do some services use passkeys as a 2nd factor, and not the *only* factor?
Makes no sense.
@arstechnica on the usability problems with #passkey tech:
CW: DHH is quoted in this article but it's just about #passkeys.
Ars Technica · Passkey technology is elegant, but it’s most definitely not usable security
Replied in thread
@adamshostack : apart from marketing purposes, I fail to see the advantage of using public keys for WebAuthn (FIDO2 and passkeys).
IMO *the* advantage of WebAuthn is that software refuses to authenticate if the domain name is incorrect (AitM attacks are possible only if the attacking server possesses a certificate considered valid by the user's browser).
The fact that a (WebAuthn) public key is (hopefully) randomly chosen, and is a lot longer than most passwords are, has nothing to do with cryptography.
Of course, if an attacker is able to copy a (Webauthn) public key from a server, it is of no use to them. However, the same applies to a randomly chosen unique password (in the end, the attacker already had access to the user's account on the server).
OTOH, if an attacker obtains access to a server, they may silently *add* their own public key (something typically not possible in the case of a password). They may choose to *replace* the public key (or password), but that would lock out the user - which may not be what the attacker wants.
Even if it is typically extremely hard for an attacker (with remote access to a user device) to obtain a (WebAuthn) private key, grabbing a session cookie (or JWT etc.) is likely a lot easier. That is, until we have Device Bound Session Credentials (https://wicg.github.io/dbsc/).
But even then, if a user device is sufficiently compromised, the user may be fooled by what they see and how the attacker manipulates their input. Device compromise means game over.
Another aspect is that the better the WebAuthn private keys are protected, the harder it is to make backups of them, increasing the risk of account lockout and vendor lock-in.
wicg.github.ioDevice Bound Session Credentials
Heya TypeScript + WebAuthn fans, I just published v13 of SimpleWebAuthn! This one includes (opinionated) registration hints support, improved support for attestation trust anchors, and a surprise retirement of the types library (for baking-in the types instead into both the browser and server libraries.) Check out the release notes for more info!
https://github.com/MasterKale/SimpleWebAuthn/releases/tag/v13.0.0
GitHubRelease v13.0.0 - The one where they share a type · MasterKale/SimpleWebAuthnHot on the heels of the last major release, v13 introduces support for registration hints! Refined types and improved attestation trust anchor verification are also included. Last but not least, we...
Replied to stf
Hey, great callout @stf, thanks for the nudge! I'm happy to report that as of a couple of minutes ago you can now test out Ed25519 support on webauthn.io, check it out!
I ran through a couple of YubiKey registrations and confirmed I got back Ed25519 public keys. They validated just fine thanks to long-time support for the algorithm in py_webauthn 
so the internet agrees, that #ed25519 is the way to do signatures (see random 1st search hit https://www.scottbrady91.com/jose/jwts-which-signing-algorithm-should-i-use) and yet, neither webauthn.io nor #yubico demo-site, nor #github actually supports that algo.
Scott Brady · JWTs: Which Signing Algorithm Should I Use?Learn the difference between each JOSE algorithm (e.g. RS256, ES256, EdDSA) and how to choose the best one available to you.
Chrome 133* is the first #WebAuthn client to be all green!
https://featuredetect.passkeys.dev
(*with some flags enabled)
It took nearly three weeks of refactor and getting more comfortable with how Deno works, but I'm happy to announce that SimpleWebAuthn v12.0.0 is now also available to install from JSR 
https://jsr.io/@simplewebauthn
Check out the CHANGELOG for more info:
https://github.com/MasterKale/SimpleWebAuthn/releases/tag/v12.0.0
Sweet, Windows 11 Preview Build 22635.4515 is out on Beta Channel with the new Windows Hello passkey provider APIs!
Windows Insider Blog · Announcing Windows 11 Insider Preview Build 22635.4515 (Beta Channel)Hello Windows Insiders, today we are releasing Windows 11 Insider Preview Build 22635.4515 (KB5046756) to the Beta Channel.
Changes in Beta Channel builds and updates are documented in two buckets: new features, improvements, and fi
Hey, anyone wanna take this out for a spin and report back? It's just some types so nothing too fancy, but it's my first package published to JSR.io 
JSR@simplewebauthn/types - JSR@simplewebauthn/types on JSR: TypeScript types used by the @simplewebauthn series of libraries
Continued thread
I've written a new blog post (9000 words) taking a moderately deep dive into "Threat Modeling YubiKeys and Passkeys"
https://yawnbox.is/blog/threat-modeling-yubikeys-and-passkeys/
I greatly welcome feedback as I want to make sure I'm not misrepresenting anything. I want to make it better if it can be improved. I'm happy to be wrong, just please provide details and links!
also, i need a job! if you like my work, maybe you know of something where i'd be a good fit.
yawnbox.isThreat modeling YubiKeys and passkeys
PSA for #IdAustria users: After a local attack on YubiKey devices (CVSS 4.9), A-Trust has delisted them from enrollment with ID-Austria via #WebAuthn.
Apart from factually being an overreaction (they demand #FIDO Level 2 which scalable attacks, and that attack is neither), they have not reinstated those devices in the fixed revisions of the vendor; let's see if they'll see reason 
https://www.yubico.com/support/security-advisories/ysa-2024-03/
https://a-trust.at/de/%C3%BCber_uns/newsbereich/20240905_de_post.html
YubicoSecurity Advisory YSA-2024-03Security Advisory YSA-2024-03 Infineon ECDSA Private Key Recovery Published Date: 2024-09-03Tracking IDs: YSA-2024-03CVE: In ProcessCVSS Severity: 4.9 Summary A vulnerability was discovered in Infineon’s cryptographic library, which is utilized in YubiKey 5 Series, and Security Key Series with firmware prior to 5.7.0 and YubiHSM 2 with firmware prior to 2.4.0. The severity of the issue […]