drhuseynov commented on A Tour of WebAuthn   imperialviolet.org/tourof... · Posted by u/caust1c
lxgr · 8 months ago
> The vendors claim that this is to make phishing impossible

They do? I don't see how, since non-discoverable WebAuthn credentials make phishing just as impossible.

The only thing discoverable credentials allow on top of non-discoverable ones is avoiding having the user type in their username or email address.

drhuseynov · 8 months ago
Yes, that is for "usernameless" login, in addition to passwordless. It does not increase security; it improves usability a bit.
drhuseynov commented on YubiKey still selling old stock with vulnerable firmware    · Posted by u/MaKey
fmajid · 10 months ago
The Yubikeys also support NFC, which is necessary for U2F authentication on Lightning iPhones.
drhuseynov · 10 months ago
Sorry, I was not clear. Cards have NFC in any case. What is missing in cards is USB.
drhuseynov commented on YubiKey still selling old stock with vulnerable firmware    · Posted by u/MaKey
cuu508 · 10 months ago
Interesting, but "card" sounds like a different form factor, and YubiKeys do a fair bit more than just FIDO2!
drhuseynov · 10 months ago
JavaCardOS can run in a USB form factor as well. But that will not be 5 USD. https://usasmartcard.com/usb-token/?page=1

In addition to FIDO2, you can add Java applets for OpenPGP (also open source), TOTP (https://github.com/JavaCardOS/Oath-Applet) and PIV/smartcard (open source as well). I'll tell you more: there are tons of JavaCardOS-compatible applets available on GitHub etc.

drhuseynov commented on YubiKey still selling old stock with vulnerable firmware    · Posted by u/MaKey
cuu508 · 10 months ago
Are there < $1 Arduino clones? How compatible are they with YubiKeys? Are there any from trusted manufacturers? Any pointers?
drhuseynov · 10 months ago
Not $1, but you can get a JavaCardOS card and upload a FIDO applet yourself:

https://github.com/token2/pin_plus_firmware
https://github.com/BryanJacobs/FIDO2Applet

It will probably cost 5 USD.

drhuseynov commented on 1Password and 2FA: Is it wrong to store passwords and one-time codes together? (2023)   blog.1password.com/1passw... · Posted by u/Brajeshwar
Hamuko · a year ago
I feel like the security benefit of using FIDO2 isn't really there, since I don't remember when I've actually set up WebAuthn as my two-factor without being prompted to have another mechanism like OTP or SMS as a backup solution. Not that many sites even support it in the first place though.
drhuseynov · a year ago
There are systems supporting WebAuthn as the primary method, such as Gmail or M365. The systems requiring OTP or SMS as a backup are just examples of bad security design. Still, even if you have OTP as a backup and FIDO2 as primary, it reduces the phishing attack surface to a certain extent.
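To make the two points in this thread concrete (discoverable credentials only remove the typed username; both flows are phishing-resistant because the signed data is bound to the origin and RP ID), here is an added relying-party-side example. It is not code from the thread, from Gmail/M365, or from any vendor mentioned; RP_ID, EXPECTED_ORIGIN, the CREDENTIALS store and the fake_response() helper are constructed for the demo, and the final signature check (which needs an ECDSA/EdDSA library) is left out as noted in the code.

```python
# Added example (stdlib only), not code from the thread or any vendor in it.
# Relying-party side of a WebAuthn assertion. RP_ID, EXPECTED_ORIGIN and the
# CREDENTIALS store are constructed; fake_response() stands in for the browser.
import base64
import hashlib
import json
import secrets
import struct
from typing import Optional

RP_ID = "example.com"                         # constructed RP ID
EXPECTED_ORIGIN = "https://login.example.com"  # constructed; subdomain of RP_ID

# Constructed store: credential id -> (user handle set at registration, username)
CREDENTIALS = {
    b"\x01" * 16: (b"handle-alice", "alice"),
    b"\x02" * 16: (b"handle-bob", "bob"),
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def assertion_options(username: Optional[str]) -> dict:
    """PublicKeyCredentialRequestOptions for navigator.credentials.get().
    Non-discoverable: the user types a username, the server lists that
    account's credential ids in allowCredentials (the authenticator cannot
    locate a non-resident key by itself).
    Discoverable/usernameless: username is None, allowCredentials is empty,
    the authenticator offers its resident keys scoped to RP_ID."""
    opts = {"challenge": b64url(secrets.token_bytes(32)), "rpId": RP_ID,
            "allowCredentials": []}
    if username is not None:
        opts["allowCredentials"] = [
            {"type": "public-key", "id": b64url(cid)}
            for cid, (_, name) in CREDENTIALS.items() if name == username]
    return opts


def verify_binding(options: dict, response: dict) -> str:
    """Challenge/origin/rpIdHash checks from WebAuthn assertion verification;
    these are what make both flows phishing-resistant. Returns the username
    or raises ValueError. The signature check over
    authenticatorData || SHA-256(clientDataJSON) that follows is not shown."""
    client_data = json.loads(b64url_decode(response["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if client_data.get("challenge") != options["challenge"]:
        raise ValueError("challenge mismatch (replay?)")
    # The browser, not page script, writes origin into clientDataJSON, so a
    # look-alike site cannot claim to be https://login.example.com.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        raise ValueError("origin mismatch: " + str(client_data.get("origin")))
    auth_data = b64url_decode(response["authenticatorData"])
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    # The authenticator signs SHA-256 of the RP ID the key is scoped to; a key
    # minted on a phishing domain never yields the hash of example.com.
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash mismatch")
    if not flags & 0x01:
        raise ValueError("user presence flag not set")
    if options["allowCredentials"] and response["id"] not in {
            c["id"] for c in options["allowCredentials"]}:
        raise ValueError("credential not in allowCredentials")
    cred_id = b64url_decode(response["id"])
    if cred_id not in CREDENTIALS:
        raise ValueError("unknown credential")
    record_handle, username = CREDENTIALS[cred_id]
    # Usernameless flow: the account comes from userHandle, not a typed name.
    if response.get("userHandle") is not None:
        if b64url_decode(response["userHandle"]) != record_handle:
            raise ValueError("userHandle does not match credential")
    elif not options["allowCredentials"]:
        raise ValueError("usernameless flow needs userHandle")
    return username


def fake_response(options: dict, cred_id: bytes, origin: str,
                  rp_id: str = RP_ID) -> dict:
    """Constructed stand-in for browser + authenticator output (unsigned)."""
    client_data = {"type": "webauthn.get", "challenge": options["challenge"],
                   "origin": origin}
    auth_data = (hashlib.sha256(rp_id.encode()).digest() + bytes([0x05])
                 + struct.pack(">I", 7))  # rpIdHash | flags UP+UV | counter
    return {"id": b64url(cred_id),
            "clientDataJSON": b64url(json.dumps(client_data).encode()),
            "authenticatorData": b64url(auth_data),
            "userHandle": b64url(CREDENTIALS[cred_id][0])}


def demo() -> dict:
    out = {}
    opts = assertion_options("alice")          # username typed first
    out["allow_count"] = len(opts["allowCredentials"])
    out["non_discoverable"] = verify_binding(
        opts, fake_response(opts, b"\x01" * 16, EXPECTED_ORIGIN))
    opts = assertion_options(None)             # usernameless
    out["discoverable"] = verify_binding(
        opts, fake_response(opts, b"\x02" * 16, EXPECTED_ORIGIN))
    opts = assertion_options(None)             # same ceremony on a phishing origin
    try:
        verify_binding(opts, fake_response(
            opts, b"\x02" * 16, "https://login-example.com", "login-example.com"))
        out["phish"] = "accepted"
    except ValueError as err:
        out["phish"] = str(err)
    return out


if __name__ == "__main__":
    print(demo())
```

The only difference between the two successful runs is where the account name comes from (allowCredentials built from a typed username versus userHandle returned by the authenticator); the phishing run fails on the origin check before the signature would even be examined, which is the property a TOTP backup path gives up.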
drhuseynov commented on 1Password and 2FA: Is it wrong to store passwords and one-time codes together? (2023)   blog.1password.com/1passw... · Posted by u/Brajeshwar
weinzierl · a year ago
How do these hardware devices pair? They probably can't read the QR code provided? They also seem to have just one button, so I need one device per account?

EDIT: I see the last link has a multi-account device and some devices have USB. How does it work when it says "factory programmed"? I've never seen that I can sync an app to an existing token.

drhuseynov · a year ago
Factory-programmed ones are for systems supporting secret key import, i.e. Microsoft Entra ID. They are not for replacing your authenticator apps (although based on the same algorithm, TOTP).
drhuseynov commented on The forgotten war on beepers   newsletter.pessimistsarch... · Posted by u/unsuspecting
cdchn · a year ago
Yeah RSA made these for a looong time.

But if you don't have a phone to program it you'd need a camera or some way to manually enter the data.

drhuseynov · a year ago
FIDO2 security keys should be considered good "hardware tokens" now, more phishing-resistant than TOTP.
drhuseynov commented on Passkeys – Under the Hood   research.kudelskisecurity... · Posted by u/paulgerhardt
wkat4242 · a year ago
Interesting one, thanks!!

I'm kinda hoping Yubi come out with a version 6 with many more "passkey" CTAP2 slots too. Because I don't only use FIDO functionality but I heavily use the OpenPGP slots as well. Not for email but for other things (file encryption, password manager, SSH). Not planning to change any of that to fido any time soon either.

drhuseynov · a year ago
Small clarification: SSH functionality is a part of the FIDO stack (if you meant ecdsa-sk & ed25519-sk).
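The remark above can be checked against the key material itself: an OpenSSH `sk-*` public key (as produced by `ssh-keygen -t ed25519-sk`) carries the FIDO application string, and an sk signature is made over `SHA-256(application) || flags || counter || SHA-256(data)`, i.e. FIDO authenticatorData plus a client data hash. The following is an added example, not OpenSSH's or the thread's code; the 32-byte key, counter and message are constructed placeholders, and the signing itself is not performed.

```python
# Added example, not code from OpenSSH or from the thread. Parses the public
# key wire format of OpenSSH's FIDO key types and rebuilds the preimage an sk
# signature covers. Key bytes, flags, counter and data are constructed.
import base64
import hashlib
import struct

ED25519_SK = "sk-ssh-ed25519@openssh.com"
ECDSA_SK = "sk-ecdsa-sha2-nistp256@openssh.com"


def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length prefix + bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated ssh string")
    return buf[off:off + n], off + n


def build_sk_ed25519_pubkey(raw_pk: bytes, application: str = "ssh:") -> str:
    """Emit an authorized_keys-style line for a constructed Ed25519 sk key.
    The application string is the FIDO relying-party id; ssh-keygen uses
    'ssh:' unless -O application=ssh:<name> is given."""
    if len(raw_pk) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    blob = (ssh_string(ED25519_SK.encode()) + ssh_string(raw_pk)
            + ssh_string(application.encode()))
    return ED25519_SK + " " + base64.b64encode(blob).decode()


def parse_sk_pubkey(line: str) -> dict:
    """Parse an sk-* public key line and return its FIDO-relevant fields."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    wire_type, off = read_string(blob, 0)
    if wire_type.decode() != keytype:
        raise ValueError("key type in blob does not match line")
    curve = None
    if keytype == ED25519_SK:
        pk, off = read_string(blob, off)
    elif keytype == ECDSA_SK:
        curve, off = read_string(blob, off)   # "nistp256"
        pk, off = read_string(blob, off)      # uncompressed EC point
    else:
        raise ValueError("not an sk key type: " + keytype)
    app, off = read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes in key blob")
    return {
        "type": keytype,
        "curve": curve.decode() if curve else None,
        "public_key": pk,
        "application": app.decode(),
        # The authenticator scopes the credential to SHA-256(application),
        # exactly like a WebAuthn rpIdHash.
        "rp_id_hash": hashlib.sha256(app).digest(),
    }


def sk_signed_preimage(application: str, flags: int, counter: int,
                       data: bytes) -> bytes:
    """Message the authenticator signs for an sk key:
    SHA-256(application) || flags || uint32 counter || SHA-256(data).
    In FIDO terms this is authenticatorData || clientDataHash, which is why
    the sk key types sit inside the FIDO stack rather than beside it."""
    return (hashlib.sha256(application.encode()).digest()
            + bytes([flags & 0xFF]) + struct.pack(">I", counter)
            + hashlib.sha256(data).digest())


if __name__ == "__main__":
    line = build_sk_ed25519_pubkey(bytes(range(32)))   # constructed key bytes
    info = parse_sk_pubkey(line)
    print(info["type"], info["application"], info["rp_id_hash"].hex())
    print(sk_signed_preimage(info["application"], 0x01, 7, b"constructed").hex())
```

Pointing the parser at a real `~/.ssh/id_ed25519_sk.pub` line shows the same `ssh:` application; a key created with `-O application=ssh:git` would show that string instead, and a signature from it would carry the hash of that string in its first 32 bytes.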
drhuseynov commented on Passkeys – Under the Hood   research.kudelskisecurity... · Posted by u/paulgerhardt
danieldk · a year ago
One issue is the limited support for resident keys on many hardware tokens. IIRC the limit on recent YubiKey 5 firmware versions is 25 resident keys. As Passkey adoption accelerates, people will hit that limit rather quickly.

Also the UI around managing resident keys is not great and uncoupled from where they are typically used (the browser).

Finally, only a tiny part of the population uses dedicated hardware tokens, whereas pretty much all popular password managers support or will support Passkeys (Apple Keychain, 1Password, whatever the Chrome password manager is called, Samsung Pass, etc.).

So, it’s not surprising that hardware tokens are tested less these days.

(I don't think that is good, just trying to speculate on the reasons.)

drhuseynov · a year ago
There are FIDO2.1 keys with storage for 300 resident keys:

https://www.token2.com/shop/category/pin-release2-series

drhuseynov commented on End of Life for Twilio Authy Desktop App   help.twilio.com/articles/... · Posted by u/tempestn
egwynn · 2 years ago
drhuseynov · 2 years ago
In case anyone is looking for a desktop app to replace Authy, the authy-migration tool from token2 supports exporting TOTP seeds in a WinAuth-compatible format (use .wa.txt for the export file name). Then in WinAuth (https://winauth.github.io/winauth/index.html), just import that file.

u/drhuseynov · Karma: 9 · Cake day: September 15, 2023