#Authentication with #FIDO2 and #Passkeys https://karl-voit.at/FIDO2-vs-Passkeys/
What they are, why you should use them, and how to judge them compared to other methods.
I thought that #FIDO2 / #Passkeys cross-device requires proximity and enforces it using "cloud assisted Bluetooth" (#cable). How is it even possible to MITM it?
https://news.risky.biz/risky-bulletin-new-phishing-technique-bypasses-fido-keys/
Reported by: @campuscodi
CC: @rmondello @timcappalli
The FIDO2 Level 2 certification should mean, that you can use your Nitrokey 3 with ID Austria.
@bsi Nitpicking: with #Passkeys in particular, there is the option of granting other people access via the cloud. So with passkeys you have to pay close attention to whom you have granted rights.
That is why, unfortunately, passkeys are also vulnerable to #Phishing in such cases (attacker pretends to be a friend).
But still better than almost all other authentication methods. Only HW tokens with #FIDO2 are better, since they store the private keys in a way that cannot be read out.
Hey @merill, as I was chatting last week with @awakecoding at #PSConfEU he suggested to ask you about MacOS and RDP...
Is it possible to RDP from MacOS over to an #Entra Joined Windows11 machine using #FIDO2 credentials?
On #Windows I need this "Use a web account to sign in" check box and all kinds of other things like a DNS record pointing to the host name.
Is this even remotely possible from #MacOS over local network?
Thanks!
With USB/IP, I can now use my YubiKey remotely via SSH in the same way as I was sitting in front of my machine. Both in early boot stage (initrd); unlocking LUKS encrypted filesystem, and in booted system stage; signing git commits and authenticate to GitHub. Great! But what about using FIDO2/WebAuthn via RDP to log in to web services? USB redirection is not supported for xrdp. Is there any workarounds coming up to for example redirect WebAuthn from one machine to another?
@bsi Sorry, strong passwords with 2FA or #Passkeys unfortunately do not help against phishing in principle.
Especially with the smartphone-based method, you can transfer your passkey secrets to the cloud as well as to other people. That is the crux. In the future, #Phishing will then simply aim at getting the secrets transferred to the attacker.
https://arxiv.org/abs/2501.07380 "Another concern could be social engineering, where a user is tricked into sharing a passkey with an account controlled by an attacker." -> Protection only with exclusively "device-bound passkeys" in the "roaming-authenticator" variant = hardware #FIDO2 tokens. Those are currently the only protection against phishing.
But anything is better than no #2FA.
#Passkeys are for people who only use one device to access the Internet, or multiple devices that are all made by AAPL/GOOG.
If you use Firefox on Ubuntu, Edge on Windows, Safari on Mac OS, and Chrome on ChromeOS you will have a bad time.
Explain #passkeys to me like I'm your grandparents.
I have wanted to use my Yubikeys for a secure SSH login for some time now. But like @jgoerzen, I have come across many incorrect, poorly explained and inadequately explained instructions. It looks like John has now written the ultimate guide for #SSH with #FIDO2/U2F hardware keys that beats all other guides I know of.
https://www.complete.org/easily-using-ssh-with-fido2-u2f-hardware-security-keys/
Very happy to finally be able to use my yubikeys on my phone (GrapheneOS, without Play services)
Most of the pieces were already there; they only needed to be assembled into a Credential Provider, which is finally done with HW Fido2 Provider
LemonLDAP::NG 2.21 is out!
This new release includes improvements on OpenID Connect and CAS protocols, Loki logger, public notifications and much more.
Read our release notes: https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-21-0-is-out/
@keno3003 (2/2) The only protection against this is to use physical #FIDO2 tokens ("device-bound passkeys" only in the "roaming-authenticator" variant!), which fundamentally rule out reading out the secret. So this is the only truly phishing-resistant authentication method.
IMO the tips at the end of the video *with a focus on security* should therefore be different:
- best get 2 #FIDO2 HW tokens and use them for all #Passkeys (for #IDAustria in Austria: https://www.oesterreich.gv.at/dam/jcr:972a25a0-65e6-4c2e-9422-a2e02ce16f2d/20230613_ID-Austria_FIDO.pdf)
- do not use any phishing-prone fallback mechanisms: so only the 2nd FIDO2 token
- any 2FA is better than none
- never send passwords to the cloud (cloud password managers)
HTH
I'd love if there was a website like https://www.passkeys.io/who-supports-passkeys which showed which websites also support *non-resident* #FIDO2 authentication as opposed to resident #Passkey. Let's reward sites that have that support!
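The resident vs. non-resident distinction in the post above comes down to what the relying party asks for at registration and what it has to send at login. The following is an added example written for this page (not code from any of the posts or from passkeys.io) showing the WebAuthn options a site uses to request a non-resident credential, how it learns from the `credProps` extension which kind it actually got, and why a non-resident credential forces the site to identify the user before login. Function names, the stored-credential shape and the sample data are assumptions made for the illustration.

```javascript
// Added example: relying-party (RP) side of WebAuthn resident vs. non-resident
// credentials. Function names and data shapes are assumptions for this page.

// Options for navigator.credentials.create(). residentKey: "discouraged" asks
// for a non-resident credential (the key handle lives on the server, which
// does not consume the limited resident-key slots on a hardware token);
// "required" asks for a discoverable passkey. credProps lets the RP learn
// which kind the authenticator actually produced.
function buildRegistrationOptions({ rpId, userId, userName, challenge, discoverable }) {
  return {
    rp: { id: rpId, name: rpId },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: {
      residentKey: discoverable ? "required" : "discouraged",
      requireResidentKey: discoverable,
      userVerification: "preferred",
    },
    extensions: { credProps: true },
  };
}

// After create() resolves, the RP reads credential.getClientExtensionResults()
// and records credProps.rk (boolean: resident or not). Older clients omit the
// extension, so "unknown" is a real outcome the RP must store and handle.
function classifyCredential(clientExtensionResults) {
  const props = clientExtensionResults && clientExtensionResults.credProps;
  if (!props || typeof props.rk !== "boolean") return "unknown";
  return props.rk ? "resident" : "non-resident";
}

// A username-less login (empty allowCredentials) only works if every
// credential the user owns is resident; a non-resident or unknown one can
// only be selected by the authenticator when its id is sent in allowCredentials.
function canUseUsernamelessFlow(storedCredentials) {
  return storedCredentials.length > 0 && storedCredentials.every(c => c.kind === "resident");
}

// Options for navigator.credentials.get(). storedCredentials === null means the
// user has not been identified yet (username-less flow); otherwise every
// credential id the RP holds for that user is listed so non-resident
// credentials can be found.
function buildAuthenticationOptions({ rpId, challenge, storedCredentials }) {
  const base = { rpId, challenge, userVerification: "preferred" };
  if (storedCredentials === null) return { ...base, allowCredentials: [] };
  return {
    ...base,
    allowCredentials: storedCredentials.map(c => ({
      type: "public-key",
      id: c.id,
      transports: c.transports || [],
    })),
  };
}

// Constructed sample data (not real credentials): a user with one hardware
// token credential registered as non-resident and one phone passkey.
const SAMPLE_CHALLENGE = new Uint8Array(32); // constructed; real RPs use random bytes
const SAMPLE_USER_CREDENTIALS = [
  { id: new Uint8Array([1, 2, 3, 4]), kind: "non-resident", transports: ["usb"] },
  { id: new Uint8Array([5, 6, 7, 8]), kind: "resident", transports: ["internal", "hybrid"] },
];

// Walk through one registration classification and both login shapes.
function demo() {
  const regOpts = buildRegistrationOptions({
    rpId: "example.test", userId: new Uint8Array([42]), userName: "alice",
    challenge: SAMPLE_CHALLENGE, discoverable: false,
  });
  const kind = classifyCredential({ credProps: { rk: false } }); // constructed client result
  const loginOpts = buildAuthenticationOptions({
    rpId: "example.test", challenge: SAMPLE_CHALLENGE, storedCredentials: SAMPLE_USER_CREDENTIALS,
  });
  return { residentKey: regOpts.authenticatorSelection.residentKey, kind,
           usernameless: canUseUsernamelessFlow(SAMPLE_USER_CREDENTIALS),
           allowCount: loginOpts.allowCredentials.length };
}
```

The practical consequence for a site that wants to "support non-resident FIDO2": its login page needs a username step (or a cookie remembering the account) before it can call `navigator.credentials.get()`, because `allowCredentials` must carry the stored credential ids. A site that only ever sends an empty `allowCredentials` silently excludes every non-resident registration.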
browsers should implement a standard webauthn element / input type so that js-free websites could use webauthn too...
@yacc143 FYI: #Passkeys and #FIDO2 (= "device-bound #passkey", which can be divided into "platform-" and "roaming-authenticators") are identical except for the #cloud-sync mechanism (as of my current understanding).
So unfortunately, they get mixed up or are considered totally different things. Both are wrong.
In reality, they are very similar except that FIDO2 hardware tokens ("device-bound passkeys" only in their "roaming-authenticator" variant) are designed so that passkeys cannot be extracted from the device (at least for the moment).
Therefore, users of HW tokens can't be tricked into transferring their passkey to a rogue third party, which is possible with all other Passkey variants. Therefore: passkeys are NOT #phishing-resistant in the general case.
#TroyHunt fell for a #phishing attack on his mailinglist members: https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/
Some of the ingredients: #Outlook and its habit of hiding important information from the user and missing #2FA which is phishing-resistant.
Use #FIDO2 with hardware tokens if possible (#Passkeys without FIDO2 HW tokens are NOT phishing-resistant due to the possibility of being able to trick users with credential transfers: https://arxiv.org/abs/2501.07380) and avoid Outlook (or #Microsoft) whenever possible.
Further learning: it could happen to the best of us! Don't be ashamed, try to minimize risks and be open about your mistakes.
Note: any 2FA is better than no 2FA at all.
@technotenshi #Passkeys are not prone to #phishing according to my understanding of:
https://arxiv.org/abs/2501.07380
The paper describes that it's possible to fool Passkey owners to transfer their #Passkey to attackers: "Another concern could be social engineering, where a user is tricked into sharing a passkey with an account controlled by an attacker."
However, the authors disagree with my interpretation.
The only really secure method is hardware #FIDO2 tokens where the secrets can't leave the device.