by kxyvr 2889 days ago
Could someone explain the difference between FIDO and FIDO2 compliant keys? For example, is new hardware required or will existing FIDO/U2F keys work with FIDO2? It looks like Yubico is advertising a new FIDO2 key under the brand name "Security Key by Yubico". Personally, I've been meaning to pick up a U2F key, but if sites are going to start rolling out WebAuthn support, I'd rather have a key that supports both FIDO and FIDO2. Does anyone have a recommendation?
2 comments

WebAuthn works with both FIDO1 and FIDO2 keys. (Unless you have the new FIDO2 key from Yubico, you have a FIDO1 key.) You might also see them called CTAP1 and CTAP2 keys because CTAP is the bit of FIDO that defines the interface to the hardware tokens. (CTAP: "Client to Authenticator Protocol". See https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-cl...)

FIDO2 keys talk a different protocol and do everything that FIDO1 keys do, and (potentially) more. For example, they may operate in "resident key" mode where the key remembers both your username and private key. They can also support things like PIN activation.

I've only briefly poked the Yubico FIDO2 key. I think it supports a limited form of resident keys and it advertises PIN support, although I didn't exercise that.

FIDO2 is an improvement over the U2F standard, mainly with the ability to now perform password-less logins [1][2]. This had to do with a shortcoming in the U2F protocol and/or devices such that they didn't need to have much storage on these devices [3]. To address this, the new FIDO2 devices are now required to persist your username(s) for a particular site. The new CTAP2 protocol has also been extended to accommodate more sophisticated authenticators, like those crypto-currency wallets with a display.

If you are looking for devices, check out reviews of various devices by agl [4] and Brad Hill [5].

[1] https://www.yubico.com/2018/04/yubico-and-microsoft-introduc...

[2] https://fidoalliance.org/fido2/

[3] https://www.yubico.com/2014/11/yubicos-u2f-key-wrapping/

[4] https://www.imperialviolet.org/2017/10/08/securitykeytest.ht...

[5] https://github.com/hillbrad/U2FReviews
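
Added example, not part of the thread or any commenter's code: both comments distinguish CTAP1 (U2F) from CTAP2 and mention resident keys and PIN support, and a CTAP2 key reports exactly those capabilities in its `authenticatorGetInfo` response. The sketch below decodes such a response with a small CBOR subset decoder; the field numbers and option names (`rk`, `clientPin`) follow the CTAP2 specification, while `SAMPLE`, `cbor_decode` and `describe` are names and bytes constructed for this illustration.

```python
def cbor_decode(buf, pos=0):
    """Decode the CBOR subset getInfo uses: uint, bytes, text, array, map, bool."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if major == 7 and info in (20, 21):          # simple values false / true
        return info == 21, pos
    if info < 24:
        arg = info                               # argument stored in the header
    elif info < 28:                              # 1, 2, 4 or 8 byte argument
        size = 1 << (info - 24)
        arg = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    else:
        raise ValueError("unsupported CBOR encoding")
    if major == 0:
        return arg, pos
    if major in (2, 3):                          # byte string / text string
        if pos + arg > len(buf):
            raise ValueError("truncated CBOR string")
        raw = buf[pos:pos + arg]
        return (raw if major == 2 else raw.decode("utf-8")), pos + arg
    if major == 4:
        items = []
        for _ in range(arg):
            item, pos = cbor_decode(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:
        out = {}
        for _ in range(arg):
            key, pos = cbor_decode(buf, pos)
            out[key], pos = cbor_decode(buf, pos)
        return out, pos
    raise ValueError("unsupported CBOR major type %d" % major)

# Constructed sample: status 0x00, then {1: versions, 3: all-zero AAGUID, 4: options}.
SAMPLE = (b"\x00\xa3\x01\x82\x66U2F_V2\x68FIDO_2_0\x03\x50" + bytes(16) +
          b"\x04\xa3\x62rk\xf5\x62up\xf5\x69clientPin\xf4")

def describe(response):
    """Summarise a raw authenticatorGetInfo response (status byte + CBOR map)."""
    if response[0] != 0x00:
        raise ValueError("CTAP error status 0x%02x" % response[0])
    info, _ = cbor_decode(response, 1)
    versions, options = info.get(1, []), info.get(4, {})
    pin = options.get("clientPin")               # absent, False or True
    return {"ctap1_u2f": "U2F_V2" in versions, "ctap2": "FIDO_2_0" in versions,
            "resident_keys": options.get("rk", False),
            "pin": "unsupported" if pin is None else "set" if pin else "supported, not set"}
```

A key that only speaks CTAP1/U2F does not answer this command with a CBOR map at all, which is why `describe` rejects any non-zero status byte instead of guessing.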