#fido2
David Nelson<p>Occasionally Google prompts me to create a passkey immediately after I signed in with one. I cancel and move on. No big deal, but it seems quite obtuse. They know I have multiple registered and that I just used one of them. <a href="https://mastodon.social/tags/Fido2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Fido2</span></a> <a href="https://mastodon.social/tags/Passkey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Passkey</span></a> <a href="https://mastodon.social/tags/Passkey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Passkey</span></a> <a href="https://mastodon.social/tags/Google" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Google</span></a> <a href="https://mastodon.social/tags/GoogleWorkspace" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GoogleWorkspace</span></a></p>
0xKaishakunin<p><span class="h-card" translate="no"><a href="https://chaos.social/@leah" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>leah</span></a></span> TBF, the 5 series has had 6 firmware upgrades in total and by now also supports SCP03, SCP11 and YubiHSM Auth, and the storage for passkeys and OATH credentials has grown. </p><p>The Security Keys are cheaper, but only support <a href="https://mastodon.social/tags/FIDO2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FIDO2</span></a> <a href="https://mastodon.social/tags/Passkey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Passkey</span></a></p><p><a href="https://docs.yubico.com/hardware/yubikey/yk-tech-manual/yk5-overview.html#firmware-capability-matrices" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">docs.yubico.com/hardware/yubik</span><span class="invisible">ey/yk-tech-manual/yk5-overview.html#firmware-capability-matrices</span></a></p>
LemonLDAP::NG<p>🍋 LemonLDAP::NG 2.21 is out!</p><p>📃 This new release includes improvements on OpenID Connect and CAS protocols, Loki logger, public notifications and much more.</p><p>🔗 Read our release notes: <a href="https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-21-0-is-out/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">projects.ow2.org/view/lemonlda</span><span class="invisible">p-ng/lemonldap-ng-2-21-0-is-out/</span></a></p><p><span class="h-card" translate="no"><a href="https://fosstodon.org/@ow2" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>ow2</span></a></span> @worteks_com</p><p><a href="https://fosstodon.org/tags/IAM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IAM</span></a> <a href="https://fosstodon.org/tags/SSO" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SSO</span></a> <a href="https://fosstodon.org/tags/CAS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CAS</span></a> <a href="https://fosstodon.org/tags/SAML" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SAML</span></a> <a href="https://fosstodon.org/tags/OpenIDConnect" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenIDConnect</span></a> <a href="https://fosstodon.org/tags/OW2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OW2</span></a> <a href="https://fosstodon.org/tags/lemonldap" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>lemonldap</span></a> <a href="https://fosstodon.org/tags/lemonldapng" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>lemonldapng</span></a> <a href="https://fosstodon.org/tags/Passkeys" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Passkeys</span></a> <a href="https://fosstodon.org/tags/Passwordless" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Passwordless</span></a> <a href="https://fosstodon.org/tags/WebAuthn" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WebAuthn</span></a> <a href="https://fosstodon.org/tags/FIDO2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FIDO2</span></a> <a href="https://fosstodon.org/tags/Loki" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Loki</span></a> <a href="https://fosstodon.org/tags/WebSSO" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WebSSO</span></a> <a href="https://fosstodon.org/tags/OpenSource" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenSource</span></a> <a href="https://fosstodon.org/tags/FreeSoftware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FreeSoftware</span></a> <a href="https://fosstodon.org/tags/LogicielLibre" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LogicielLibre</span></a> <a href="https://fosstodon.org/tags/Perl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Perl</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://chaos.social/@fleaz" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>fleaz</span></a></span> : it's not MultiMultiFactorAuthentication but 1FA max.</p><p>Assuming that you don't use those hardware keys to generate TOTP codes (which are pointless when confronted with the likes of <a href="https://infosec.exchange/tags/Evilginx2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Evilginx2</span></a>), but use WebAuthn instead (FIDO2 passkeys in hardware keys), everything depends on one factor: the domain name of the website.</p><p>1️⃣ DV-CERTS SUCK<br>It is not very common that certificates are issued to malicious parties, but it *does* happen now and then (<a href="https://infosec.exchange/@ErikvanStraten/112914050216821746" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/112914050216821746</span></a>).</p><p>2️⃣ SUBDOMAINS<br>Furthermore, sometimes organizations have "dangling" subdomain names. For example,</p><p> test.example.com</p><p>may point to the IP address of some cloud server no longer used by example.com. Anyone with write access to that server may install a fake "test.example.com" website and phish you to it. It *may* be used to phish your WebAuthn credentials *if* "example.com" does not explicitly *DENY* WebAuthn from "test.example.com".</p><p>See <a href="https://github.com/w3ctag/design-reviews/issues/97#issuecomment-175766580" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/w3ctag/design-revie</span><span class="invisible">ws/issues/97#issuecomment-175766580</span></a> for how Google prevents "sites.google.com" from authenticating to "google.com".</p><p>3️⃣ DNS HACKED<br>It may not be necessary to execute BGP hijacks to redirect network traffic to an impostor: it all depends on how reliably DNS records are protected against unauthorized access. If the dude in charge of DNS uses a stupid password only, or the DNS provider is easily fooled into believing "I forgot my creds", it's game over. The crooks will obtain a DV-cert in no time, no questions asked, for free.</p><p>4️⃣ All the bells and whistles are moot if there's an alternative way to log in (such as by using a 1FA rescue code) and the user is fooled into providing it (after they've been lied to that their WebAuthn public key on the server became corrupted or was lost otherwise).</p><p>5️⃣ Cloudflare MitM's https connections (it's not a secret: <a href="https://blog.cloudflare.com/password-reuse-rampant-half-user-logins-compromised/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blog.cloudflare.com/password-r</span><span class="invisible">euse-rampant-half-user-logins-compromised/</span></a>). The same applies to any server you log in to, which is accessible by untrustworthy personnel. They can steal your session cookie.</p><p>6️⃣ In the end MFA/2FA is a hoax anyway, because the session cookie (or JWT or whatever) is 1FA anyway.</p><p>Did I mention the risks of account lockout with hardware keys that cannot be backed up? And the mess it is to keep at least one other hardware key synchronized if it's in a vault? And the limitation of, for example, 25 WebAuthn accounts max? And (unpatchable) vulnerabilities found in hardware keys? And their price? And how easy it is to forget or lose them?</p><p><span class="h-card" translate="no"><a href="https://infosec.exchange/@odr_k4tana" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>odr_k4tana</span></a></span> </p><p><a href="https://infosec.exchange/tags/1FA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>1FA</span></a> <a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>2FA</span></a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MFA</span></a> <a href="https://infosec.exchange/tags/JWT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>JWT</span></a> <a href="https://infosec.exchange/tags/SessionCookie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SessionCookie</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/FIDO2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FIDO2</span></a> <a href="https://infosec.exchange/tags/WebAuthn" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WebAuthn</span></a> <a href="https://infosec.exchange/tags/Yubikey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Yubikey</span></a> <a href="https://infosec.exchange/tags/Titan" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Titan</span></a> <a href="https://infosec.exchange/tags/BGP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BGP</span></a> <a href="https://infosec.exchange/tags/DNS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DNS</span></a></p>
Luboš Račanský<p><a href="https://witter.cz/tags/webauthn" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>webauthn</span></a> <a href="https://witter.cz/tags/FIDO2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FIDO2</span></a> <a href="https://witter.cz/tags/passkeys" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>passkeys</span></a> extensions txAuthSimple and txAuthGeneric have not been implemented by browsers, because no token used them, so they were removed from the specification, because no one implemented them.<br>There is not much hope; the issue asking for change has been closed. <a href="https://github.com/w3c/webauthn/pull/2020" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/w3c/webauthn/pull/2</span><span class="invisible">020</span></a></p>
ksp1968<p><span class="h-card" translate="no"><a href="https://graz.social/@publicvoit" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>publicvoit</span></a></span> <span class="h-card" translate="no"><a href="https://social.tchncs.de/@keno3003" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>keno3003</span></a></span> <br>I have 2 FIDO2 HW tokens and am enthusiastic about them. Well suited for the average user. Very easy to use. A pity that not many more providers make use of them.<br>For comparison: I failed with TOTP. It is more laborious, and if you don't really know how it works, you can easily lock yourself out (don't forget to save the backup key immediately during setup.)<br><a href="https://norden.social/tags/fido2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>fido2</span></a> <a href="https://norden.social/tags/token" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>token</span></a> <a href="https://norden.social/tags/passkeys" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>passkeys</span></a> <a href="https://norden.social/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a></p>
Karl Voit :emacs: :orgmode:<p><span class="h-card" translate="no"><a href="https://social.tchncs.de/@keno3003" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>keno3003</span></a></span> (2/2) The only protection against this is to use physical <a href="https://graz.social/tags/FIDO2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FIDO2</span></a> tokens ("device-bound passkeys" only in the "roaming-authenticator" variant!), which by design rule out reading out the secret. This is therefore the only truly phishing-resistant authentication method.</p><p>IMO the tips at the end of the video should, *with a focus on security*, read differently:</p><p>- best to get 2 <a href="https://graz.social/tags/FIDO2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FIDO2</span></a> HW tokens and use them for all <a href="https://graz.social/tags/Passkeys" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Passkeys</span></a> (for <a href="https://graz.social/tags/IDAustria" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IDAustria</span></a> in Austria: <a href="https://www.oesterreich.gv.at/dam/jcr:972a25a0-65e6-4c2e-9422-a2e02ce16f2d/20230613_ID-Austria_FIDO.pdf" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">oesterreich.gv.at/dam/jcr:972a</span><span class="invisible">25a0-65e6-4c2e-9422-a2e02ce16f2d/20230613_ID-Austria_FIDO.pdf</span></a>)</p><p>- don't use phishing-prone fallback mechanisms: so only the 2nd FIDO2 token</p><p>- any 2FA is better than none</p><p>- never send passwords to the cloud (cloud password managers)</p><p>HTH 🙇 </p><p><a href="https://graz.social/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a> <a href="https://graz.social/tags/Sicherheit" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Sicherheit</span></a> <a href="https://graz.social/tags/Authentifizierungsmethoden" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentifizierungsmethoden</span></a></p>
Matt Cengia<p>I'd love if there was a website like <a href="https://www.passkeys.io/who-supports-passkeys" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">passkeys.io/who-supports-passk</span><span class="invisible">eys</span></a> which showed which websites also support *non-resident* <a href="https://aus.social/tags/FIDO2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FIDO2</span></a> authentication as opposed to resident <a href="https://aus.social/tags/Passkey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Passkey</span></a>. Let's reward sites that have that support!</p>
xyhhx 🔻 (plz hire me)<p>browsers should implement a standard webauthn element / input type so that js-free websites could use webauthn too...</p><p><a href="https://nso.group/tags/webauthn" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>webauthn</span></a> <a href="https://nso.group/tags/browsers" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>browsers</span></a> <a href="https://nso.group/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a> <a href="https://nso.group/tags/fido2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>fido2</span></a> <a href="https://nso.group/tags/ctap" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ctap</span></a></p>
Karl Voit :emacs: :orgmode:<p><span class="h-card" translate="no"><a href="https://mastodon.social/@yacc143" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>yacc143</span></a></span> FYI: <a href="https://graz.social/tags/Passkeys" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Passkeys</span></a> and <a href="https://graz.social/tags/FIDO2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FIDO2</span></a> (= "device-bound <a href="https://graz.social/tags/passkey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>passkey</span></a>" which can be divided into "platform-" and "roaming-authenticators") are identical except for the <a href="https://graz.social/tags/cloud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cloud</span></a>-sync mechanism (as of my current understanding).</p><p>So unfortunately, they get mixed up or are considered totally different things. Both are wrong.</p><p>In reality, they are very similar except that FIDO2 hardware tokens ("device-bound passkeys" only in their "roaming-authenticator" variant) are designed in such a way that passkeys cannot be extracted from the device (at least for the moment).</p><p>Therefore, users of HW tokens can't be tricked into transferring their passkey to a rogue third party, which is possible with all other Passkey variants. Therefore: passkeys are NOT <a href="https://graz.social/tags/phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>phishing</span></a>-resistant in the general case.</p><p><a href="https://graz.social/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a> <a href="https://graz.social/tags/authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>authentication</span></a> <a href="https://graz.social/tags/2FA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>2FA</span></a></p>
Karl Voit :emacs: :orgmode:<p><a href="https://graz.social/tags/TroyHunt" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>TroyHunt</span></a> fell for a <a href="https://graz.social/tags/phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>phishing</span></a> attack on his mailing list members: <a href="https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">troyhunt.com/a-sneaky-phish-ju</span><span class="invisible">st-grabbed-my-mailchimp-mailing-list/</span></a></p><p>Some of the ingredients: <a href="https://graz.social/tags/Outlook" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Outlook</span></a> and its habit of hiding important information from the user, and missing <a href="https://graz.social/tags/2FA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>2FA</span></a> which is phishing-resistant.</p><p>Use <a href="https://graz.social/tags/FIDO2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FIDO2</span></a> with hardware tokens if possible (<a href="https://graz.social/tags/Passkeys" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Passkeys</span></a> without FIDO2 HW tokens are NOT phishing-resistant due to the possibility of being able to trick users with credential transfers: <a href="https://arxiv.org/abs/2501.07380" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">arxiv.org/abs/2501.07380</span><span class="invisible"></span></a>) and avoid Outlook (or <a href="https://graz.social/tags/Microsoft" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Microsoft</span></a>) whenever possible.</p><p>Further learning: it could happen to the best of us! Don't be ashamed, try to minimize risks and be open about your mistakes.</p><p>Note: any 2FA is better than no 2FA at all.</p><p><a href="https://graz.social/tags/email" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>email</span></a> <a href="https://graz.social/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malware</span></a> <a href="https://graz.social/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a> <a href="https://graz.social/tags/OTP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTP</span></a> <a href="https://graz.social/tags/TOTP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>TOTP</span></a> <a href="https://graz.social/tags/Passkey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Passkey</span></a> <a href="https://graz.social/tags/haveibeenpwned" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>haveibeenpwned</span></a> <a href="https://graz.social/tags/Ihavebeenpwned" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Ihavebeenpwned</span></a></p>
Pixelcode 🇺🇦<p>I didn't buy that Token2 model because of its NFC capability and USB-C connector, but because it's the cheapest <a href="https://social.tchncs.de/tags/FIDO2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FIDO2</span></a> token supporting Ed25519-SK. I did try out using it with my <a href="https://social.tchncs.de/tags/Fairphone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Fairphone</span></a> 3 running /e/OS with <a href="https://social.tchncs.de/tags/MicroG" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MicroG</span></a>, and it worked fine.</p><p>The silicone case I ordered along with the <a href="https://social.tchncs.de/tags/Token2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Token2</span></a> key is unfortunately a bit too thick and thereby prevents the key's USB-C connector from being inserted properly into the FP3 if it's wearing its rubber case as well, which makes NFC a bit tricky too.</p>
Pixelcode 🇺🇦<p>Honestly, I don't really get the point of NFC-enabled FIDO2 tokens / hardware <a href="https://social.tchncs.de/tags/Passkeys" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Passkeys</span></a>: Obviously, their NFC support is meant for phones, but to actually use the key, your phone's operating system must support <a href="https://social.tchncs.de/tags/FIDO2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FIDO2</span></a> in the first place.</p><p>Instead of connecting your <a href="https://social.tchncs.de/tags/NFC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NFC</span></a> token, you could just as well use your phone's internal FIDO2 storage (usually biometrically secured). NFC is not even useful for ungoogled devices, as <a href="https://social.tchncs.de/tags/MicroG" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MicroG</span></a> also has internal FIDO2 support (which I use all the time).</p>
Pixelcode 🇺🇦<p>As I need an Ed25519-SK SSH key generated with a hardware token, I tried to use my Nitrokey <a href="https://social.tchncs.de/tags/FIDO2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FIDO2</span></a> for that, but: no.</p><p>Years ago, <a href="https://social.tchncs.de/tags/ed25519" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ed25519</span></a> had experimentally been added to the firmware (not released) but later <a href="https://social.tchncs.de/tags/Nitrokey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Nitrokey</span></a> stated that customers should've donated on top of the selling price to get firmware updates &amp; advised to buy the new product instead.</p><p>The latter would be OK if the old key wasn't sold anymore, but it is still sold &amp; the firmware was last updated in 2021.</p><p><a href="https://github.com/Nitrokey/nitrokey-fido2-firmware/issues/39#issuecomment-1721164809" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/Nitrokey/nitrokey-f</span><span class="invisible">ido2-firmware/issues/39#issuecomment-1721164809</span></a></p>
Karl Voit :emacs: :orgmode:<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@technotenshi" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>technotenshi</span></a></span> <a href="https://graz.social/tags/Passkeys" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Passkeys</span></a> are not prone to <a href="https://graz.social/tags/phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>phishing</span></a> according to my understanding of:<br><a href="https://arxiv.org/abs/2501.07380" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">arxiv.org/abs/2501.07380</span><span class="invisible"></span></a></p><p>The paper describes that it's possible to fool Passkey owners to transfer their <a href="https://graz.social/tags/Passkey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Passkey</span></a> to attackers: "Another concern could be social engineering, where a user is tricked into sharing a passkey with an account controlled by an attacker."</p><p>However, the authors disagree with my interpretation.</p><p>The only really secure method is hardware <a href="https://graz.social/tags/FIDO2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FIDO2</span></a> tokens where the secrets can't leave the device.</p>
Karl Voit :emacs: :orgmode:<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@0xF21D" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>0xF21D</span></a></span> Any more reason to switch to FIDO2 with hardware tokens or <a href="https://graz.social/tags/Passkeys" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Passkeys</span></a>.</p><p>The latter only if you trust the service providers and if you don't need protection against phishing. With Passkeys and their optional delegation feature you can be tricked into transferring to a hacker. 😞</p><p>With a <a href="https://graz.social/tags/FIDO2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FIDO2</span></a> hardware token, you're really safe.</p>
Christoffer S.<p>Google Cloud (ex. Mandiant): <a href="https://cloud.google.com/blog/topics/threat-intelligence/session-stealing-browser-in-the-middle/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">cloud.google.com/blog/topics/t</span><span class="invisible">hreat-intelligence/session-stealing-browser-in-the-middle/</span></a></p><p>Mandiant details in this article Browser-in-the-Middle (BitM) attacks, a sophisticated session stealing technique that bypasses multi-factor authentication. Unlike traditional transparent proxies like Evilginx2 that require extensive customization, BitM offers attackers a streamlined approach to compromise web application sessions with minimal configuration. The article describes Mandiant's internal tool 'Delusion' for performing BitM attacks and demonstrates how attackers can steal authenticated sessions even when protected by MFA. The authors recommend implementing hardware-based MFA solutions like FIDO2 security keys and client certificates as effective countermeasures against these attacks.</p><p><a href="https://swecyb.com/tags/BrowserInTheMiddle" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BrowserInTheMiddle</span></a> <a href="https://swecyb.com/tags/BitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BitM</span></a> <a href="https://swecyb.com/tags/SocialEngineering" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SocialEngineering</span></a> <a href="https://swecyb.com/tags/FIDO2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FIDO2</span></a> <a href="https://swecyb.com/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a></p>
0xKaishakunin<p>To anyone who is familiar with <a href="https://mastodon.social/tags/ios" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ios</span></a> <a href="https://mastodon.social/tags/iphone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iphone</span></a> multi device management <a href="https://mastodon.social/tags/mdm" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>mdm</span></a> <br>Could one prepare a recent iPhone via MDM in a way that it can register a software <a href="https://mastodon.social/tags/passkey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>passkey</span></a> either in the iCloud keychain or preferably in a <a href="https://mastodon.social/tags/keepass" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>keepass</span></a> DB via e.g. KeePassium? </p><p>The iPhones, MDM and <a href="https://mastodon.social/tags/FIDO2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FIDO2</span></a> RP would all be under our control.</p>
0xKaishakunin<p><a href="https://mastodon.social/tags/RfC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RfC</span></a> I have created a PlantUML sequence diagram for the registration of a <a href="https://mastodon.social/tags/fido2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>fido2</span></a> <a href="https://mastodon.social/tags/passkey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>passkey</span></a>. If anyone has suggestions for improvement, bring them on. <br>I can throw the PUML somewhere if needed.</p>
Karl Voit :emacs: :orgmode:<p><span class="h-card" translate="no"><a href="https://shkspr.mobi/blog/@blog" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>blog</span></a></span> Well, let's kill <a href="https://graz.social/tags/TOTP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>TOTP</span></a> and switch to <a href="https://graz.social/tags/FIDO2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FIDO2</span></a> which protects against <a href="https://graz.social/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> and MITM.</p>