by Niten
3444 days ago
Not entirely. The important difference is that instead of generating a secret on the token and passing it to the server, U2F has the token answer a challenge issued by the server and encrypted to the token's (per-domain) public key, stored by the server at token registration time. The corresponding private key is stored on the token indexed in part by the requesting domain, which is supplied by the browser during an auth request. It is because of browser participation that a MITM domain would not be able to ask the token to answer the challenge with the correct key handle. The actual implementation can differ from what's described above; see Yubico's description of their key wrapping scheme if you want more detail: https://www.yubico.com/2014/11/yubicos-u2f-key-wrapping/
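The registration and challenge-response flow described in the comment, as an added example that is not from the comment, from Yubico, or from any U2F implementation: a toy Go authenticator that keeps one P-256 key per (origin, key handle), signs the server's challenge together with the origin the browser supplies, and refuses when no key exists under that origin. The origin strings, the challenge bytes and the store-rather-than-derive key handling are assumptions for illustration; Yubico's linked scheme derives the private key from the handle instead of storing it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Token is a toy U2F-style authenticator: private keys never leave it and are
// indexed by (origin supplied by the browser, opaque key handle).
type Token map[string]*ecdsa.PrivateKey
// Register mints a key pair for this origin; the relying party stores the
// returned key handle and public key, the token keeps the private key.
func (t Token) Register(origin string) ([]byte, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	handle := make([]byte, 16) // assumed handle size, opaque to the server
	rand.Read(handle)
	t[origin+"|"+string(handle)] = priv
	return handle, &priv.PublicKey
}
// signedData binds the response to both the challenge and the origin.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}
// Authenticate signs the challenge under the browser-supplied origin. No key under
// (origin, handle) means a MITM domain relaying the real challenge gets no answer.
func (t Token) Authenticate(origin string, handle, challenge []byte) ([]byte, bool) {
	priv, ok := t[origin+"|"+string(handle)]
	if !ok { return nil, false }
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(origin, challenge))
	return sig, err == nil
}
// Verify is the relying party's check with the public key stored at registration.
func Verify(pub *ecdsa.PublicKey, origin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(origin, challenge), sig)
}
func main() {
	tok := Token{}
	handle, pub := tok.Register("https://example.com")
	challenge := []byte("constructed-challenge-42") // constructed sample value
	sig, ok := tok.Authenticate("https://example.com", handle, challenge)
	fmt.Println("real origin verifies:", ok && Verify(pub, "https://example.com", challenge, sig))
	_, ok = tok.Authenticate("https://examp1e.com", handle, challenge) // look-alike MITM origin
	fmt.Println("look-alike origin answered:", ok)
}
```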