Hacker News new | ask | show | jobs
by lima 3471 days ago
Those are considered deprecated by now. The most important issue with those devices is that they're not secure against phishing.

If you accidentally input your credentials and PIN code in a phishing site, it's game over.

With FIDO tokens, this is impossible - authentication is challenge-response based and tied to the encrypted channel. Your device contains a private key which is used to authenticate. This requires two-way communication, so you have to plug in the device.
1 comments
seanp2k2 3470 days ago
What makes it impossible for a phishing site to mimic the challenge?
link
lima 3470 days ago
The challenge-response protocol is using assymetric cryptography and is tied to the SSL session ID.

More explanations on why: https://security.stackexchange.com/questions/71316/how-secur...

And how: https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendmen...

link
nickik 3470 days ago
Thata the clever bit about FIDO. Part of what unlocks the private key for signing the challenge is somehing called AppId. AppId is automatically captured by your webbrowser (weborigin standard) and passed along. So the authenticator only unlooks if you are on the correct website.

A further feature is that you can make the ssl tunnel id part of this as well, that makes it even better.

This is how both UAF and U2F work.

link