meisterger.blogg.se

Yubikey bio amazon









To be clear: Things you can do with FIDO2 include:

The authenticator has no memory of who it is, RPs (Relying Parties, e.g. web sites) basically provide prompts, which they derive from looking up a username you entered. The RP says if this is tialaramex, you'll recognise this arbitrary ID you gave me when enrolling and sign this freshness proof. The authenticator checks if it recognises the ID and if so retrieves the private key and signs the message, voila.

The authenticator is behaving the same, but now the RP is only taking a username first, there may be no second factor. This is more secure than most passwords today, but is only a single factor.

The authenticator now needs to remember every RP it has enrolled with, because the RP won't prompt it. "" the authenticator needs to replay the ID it gave when enrolling, and sign a freshness proof "I'm still, uh, tialaramex apparently".

In a corporate environment, or perhaps banking, you can insist (via a thing called "Attestation") that the authenticator provides proof it is a real authenticator made by, e.g. Yubico and based on that claim trust it to do multi-factor authentication itself.


Passwordless login doesn't necessarily mean a physical separate dumb key, it can have many implementations that make sense:

1. WebAuthn (current spec) is also implemented by Android, iOS, macOS and Windows 10/11 (natively) that makes your device a possible "passwordless factor holder". You then essentially tie your authentication with your device passcode and/or biometric ID, similar to what a password manager would do, except there's no password to steal.
2. YubiKey BIO supports biometric authentication (I presume with on-board fingerprint verification) to use the device's keys. So it's essentially a biometric-protected private key.
3. IIRC some hardware crypto wallets can act as WebAuthn devices and display the website domain when asking you to touch it. Maybe they support passcode protection?
4. Even if you were to use a "raw" WebAuthn key stored on your computer (on TPM, Secure Enclave, or even filesystem) - if you protect it with a password, you essentially have pubkey authentication with a second factor of password.

Almost anywhere? It's much more convenient than the "type in your username" step.









