#fido2

4 posts · 4 participants · 0 posts today

GNU/Linux.ch: CIW130 - All-rounder Mailbox.org

Which of these activities are the most relevant from today's perspective?
What are the unique selling points of #mailboxorg?
Someone from the community asks about the current status of #FIDO2 / #U2F integration.
Why do customers choose #OpenTalk when Jitsi, BigBlueButton or #Nextcloud Talk exist?
What is the motivation behind #OpenCloud as an #OwnCloud fork?
How does OpenCloud differ from NextCloud?
How do you see the significance of your products for European digital sovereignty?
Are there further plans for free products?

Episode web page: gnulinux.ch/ciw130-podcast

Media file: gnulinux.ch/podcast/CIW130.mp3

@gnulinux
@mailbox_org

GNU/Linux.ch · Captain it's Wednesday - Episode 130 - Tausendsassa: Episode 130 of the CIW podcast. Interview with Peer Heinlein
Replied to Karl Voit

@publicvoit @keno3003
I have 2 FIDO2 hardware tokens and am enthusiastic about them. Well suited for the average user. Very easy to use. Too bad that not many more providers make use of them.
For comparison: I failed with TOTP. It is more laborious, and if you don't know exactly how it works you can easily lock yourself out (don't forget to save the backup key immediately during setup).
#fido2 #token #passkeys #security

Continued thread

@keno3003 (2/2) The only protection against this is to use physical #FIDO2 tokens ("device-bound passkeys", only in the "roaming authenticator" variant!), which by design rule out extraction of the secret. This is therefore the only truly phishing-resistant authentication method.

IMO the tips at the end of the video *with a focus on security* should therefore read differently:

- ideally get 2 #FIDO2 hardware tokens and use them for all #Passkeys (for #IDAustria Austria: oesterreich.gv.at/dam/jcr:972a)

- do not use phishing-prone fall-back mechanisms: i.e. only the 2nd FIDO2 token

- any 2FA is better than none

- never send passwords to the cloud (cloud password managers)

HTH 🙇

Replied in thread

@yacc143 FYI: #Passkeys and #FIDO2 (= "device-bound #passkey", which can be divided into "platform" and "roaming" authenticators) are identical except for the #cloud-sync mechanism (as of my current understanding).

So unfortunately, they get mixed up or are considered totally different things. Both are wrong.

In reality, they are very similar, except that FIDO2 hardware tokens ("device-bound passkeys" only in their "roaming-authenticator" variant) are designed in such a way that passkeys cannot be extracted from the device (at least for the moment).

Therefore, users of HW tokens can't be tricked into transferring their passkey to a rogue third party, which is possible with all other passkey variants. Therefore: passkeys are NOT #phishing-resistant in the general case.

#TroyHunt fell for a #phishing attack on his mailinglist members: troyhunt.com/a-sneaky-phish-ju

Some of the ingredients: #Outlook and its habit of hiding important information from the user and missing #2FA which is phishing-resistant.

Use #FIDO2 with hardware tokens if possible (#Passkeys without FIDO2 HW tokens are NOT phishing-resistant due to the possibility of being able to trick users with credential transfers: arxiv.org/abs/2501.07380) and avoid Outlook (or #Microsoft) whenever possible.

Further learning: it could happen to the best of us! Don't be ashamed, try to minimize risks and be open about your mistakes.

Note: any 2FA is better than no 2FA at all.

Troy Hunt · A Sneaky Phish Just Grabbed my Mailchimp Mailing List: You know when you're really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That's me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the mailing
Continued thread

I didn't buy that Token2 model because of its NFC capability and USB-C connector, but because it's the cheapest #FIDO2 token supporting Ed25519-SK. I did try out using it with my #Fairphone 3 running /e/OS with #MicroG, and it worked fine.

The silicone case I ordered along with the #Token2 key is unfortunately a bit too thick and thereby prevents the key's USB-C connector from being inserted properly into the FP3 if it's wearing its rubber case as well, which makes NFC a bit tricky too.

Honestly, I don't really get the point of NFC-enabled FIDO2 tokens / hardware #Passkeys: Obviously, their NFC support is meant for phones, but to actually use the key, your phone's operating system must support #FIDO2 in the first place.

Instead of connecting your #NFC token, you could just as well use your phone's internal FIDO2 storage (usually biometrically secured). NFC is not even useful for ungoogled devices, as #MicroG also has internal FIDO2 support (which I use all the time).

As I need an Ed25519-SK SSH key generated with a hardware token, I tried to use my Nitrokey #FIDO2 for that, but: no.

Years ago, #ed25519 had experimentally been added to the firmware (not released) but later #Nitrokey stated that customers should've donated on top of the selling price to get firmware updates & advised to buy the new product instead.

The latter would be OK if the old key wasn't sold anymore, but it is still sold & the firmware was last updated in 2021.

github.com/Nitrokey/nitrokey-f

I would like to use ed25519-sk with my FIDO2 stick. Currently the situation is as follows: ssh-keygen -t ed25519-sk -f ~/.ssh/id_ed25519_sk Generating public/private ed25519-sk key pair. You may ne...
GitHub · Support for ed25519-sk · Issue #39 · Nitrokey/nitrokey-fido2-firmware · by dr-br

PSA: If you use your #nitrokey for #ssh authentication with #fido2 and adding the key to your ssh-agent via ssh-add -K succeeds but login fails with sign_and_send_pubkey: signing failed: agent refused operation, make sure you have an askpass program installed (e.g. ssh-askpass-gnome).

I found the error message very confusing.

Replied in thread

@technotenshi #Passkeys are not prone to #phishing according to my understanding of:
arxiv.org/abs/2501.07380

The paper describes that it's possible to fool Passkey owners to transfer their #Passkey to attackers: "Another concern could be social engineering, where a user is tricked into sharing a passkey with an account controlled by an attacker."

However, the authors disagree with my interpretation.

The only really secure method is hardware #FIDO2 tokens where the secrets can't leave the device.

arXiv.org · Device-Bound vs. Synced Credentials: A Comparative Evaluation of Passkey Authentication: With passkeys, the FIDO Alliance introduces the ability to sync FIDO2 credentials across a user's devices through passkey providers. This aims to mitigate user concerns about losing their devices and promotes the shift toward password-less authentication. As a consequence, many major online services have adopted passkeys. However, credential syncing has also created a debate among experts about their security guarantees. In this paper, we categorize the different access levels of passkeys to show how syncing credentials impacts their security and availability. Moreover, we use the established framework from Bonneau et al.'s Quest to Replace Passwords and apply it to different types of device-bound and synced passkeys. By this, we reveal relevant differences, particularly in their usability and security, and show that the security of synced passkeys is mainly concentrated in the passkey provider. We further provide practical recommendations for end users, passkey providers, and relying parties.
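As an added example (not code from any of the posts above) of the device-bound vs. synced distinction drawn in this post and in the FIDO2/passkey thread further up: a relying party can read the backup-eligibility (BE) and backup-state (BS) flags that WebAuthn authenticators set in the signed authenticatorData to tell a syncable passkey from a device-bound one, and apply policy accordingly. The sample authenticatorData bytes are constructed, and "example.com" is a placeholder RP ID.

```python
import hashlib
import struct

# authenticatorData fixed prefix (WebAuthn Level 3, section 6.1):
#   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced via a passkey provider
FLAG_BS = 0x10  # backup state: credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data follows the prefix


def parse_auth_data(auth_data: bytes) -> dict:
    """Decode the fixed 37-byte prefix of authenticatorData into named fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte fixed prefix")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    if flags & FLAG_BS and not flags & FLAG_BE:
        # The spec forbids BS without BE; reject rather than guess.
        raise ValueError("backup state set without backup eligibility")
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def classify_credential(auth_data: bytes, attachment: str) -> str:
    """Label a registered credential so the relying party can apply policy.
    `attachment` is the client-reported PublicKeyCredential.authenticatorAttachment
    ("platform" or "cross-platform"); it is a hint, not a signed value, so only
    the BE flag from authenticatorData decides whether the credential is syncable."""
    fields = parse_auth_data(auth_data)
    if fields["backup_eligible"]:
        return "synced"                 # can be copied to other devices; not hardware-bound
    if attachment == "cross-platform":
        return "device-bound roaming"   # e.g. a FIDO2 hardware token
    return "device-bound platform"      # stays on the phone/laptop that created it


# Constructed sample data (not captured from a real authenticator); example.com is a placeholder RP ID.
_RP_ID_HASH = hashlib.sha256(b"example.com").digest()
HW_TOKEN_AUTH_DATA = _RP_ID_HASH + bytes([FLAG_UP | FLAG_UV | FLAG_AT]) + struct.pack(">I", 7)
SYNCED_AUTH_DATA = _RP_ID_HASH + bytes([FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT]) + struct.pack(">I", 0)
```

A relying party that requires hardware-bound credentials for sensitive accounts can reject any registration that classifies as "synced"; the attachment hint alone should never be trusted for that decision.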
Replied in thread

@0xF21D One more reason to switch to FIDO2 with hardware tokens or #Passkeys.

The latter only if you trust the service providers and if you don't need protection against phishing. With Passkeys and their optional delegation feature you can be tricked into transferring them to a hacker. 😞

With a #FIDO2 hardware token, you're really safe.

Google Cloud (ex. Mandiant): cloud.google.com/blog/topics/t

In this article, Mandiant details Browser-in-the-Middle (BitM) attacks, a sophisticated session-stealing technique that bypasses multi-factor authentication. Unlike traditional transparent proxies like Evilginx2 that require extensive customization, BitM offers attackers a streamlined approach to compromising web application sessions with minimal configuration. The article describes Mandiant's internal tool 'Delusion' for performing BitM attacks and demonstrates how attackers can steal authenticated sessions even when protected by MFA. The authors recommend implementing hardware-based MFA solutions like FIDO2 security keys and client certificates as effective countermeasures against these attacks.

Google Cloud Blog · BitM Up! Session Stealing in Seconds Using the Browser-in-the-Middle Technique: The browser in the middle technique can enable compromises, especially if defenses and MFA aren't properly implemented.