Hacker News new | ask | show | jobs
by tialaramex 2179 days ago
In a browser what you want is WebAuthn, U2F is an older never technically standardized hack and should not be used for new implementations.

New web sites should do WebAuthn to enable this functionality, here's a guide someone else wrote that I found helpful in talking about the moving parts to actually implement this: https://webauthn.guide/

Firefox's WebAuthn implementation isn't as complete as it would ideally be, but it does have a nice feature of asking the user whether to give out the somewhat privacy-infringing "attestation" from a FIDO2 device when it is requested by a web site. IMNSHO ordinary web sites, especially where a second factor isn't even mandatory, should not be asking for attestation and I always refuse.
2 comments
lxgr 2178 days ago
Care to elaborate how attestation is privacy infringing?

As far as I understand, private attestation is a specific design goal of WebAuthN, achieved by either sharing an attestation credential with at least 100 000 instances of a given authenticator or via cryptographic means.

There have been instances of authenticator vendors getting this wrong, but I remember reading that browsers will detect it and strip any attestation response in this case.

link
tialaramex 2178 days ago
Not everybody is comfortable that 100 000 is enough.

Is that extreme? Yes, but the upside to giving out attestation data just isn't there in most scenarios. It's like I have to step over broken glass to get a stale bagel. Yes these boots mitigate the risk from the glass very well but I don't even want a stale bagel anyway.

There are some scenarios where attestation makes sense. If you issued every one of your employees a genuine Yubico Yubikey then I guess it could make sense to insist on checking with attestation that nobody is using some homebrew device they built instead. But for general use? Even the tiny risk isn't justified, so it should be "off".

Here's someone much smarter than me proposing something you could do if you really care about the features from attestation but don't want people to give up privacy. If you insist on offering stale baked goods, here is how to clear up that glass:

https://www.imperialviolet.org/2019/01/01/zkattestation.html

link
StavrosK 2179 days ago
Oh is that what the "anonymize this key" is? If the website requires attestation, authentication might fail, but no website should require attestation, maybe unless you explicitly got the key from them (like a bank).
link
lxgr 2178 days ago
Websites should absolutely be requiring attestation.

The attack scenario here is malware on your computer pretending to be a hardware authenticator (during sign-up or 2FA enrolment) but really just emulating one in software.

link
tialaramex 2178 days ago
In this scenario bad guys are currently authenticated as you (otherwise they can't do enrolment) and can do whatever they want but, perversely, they decide what they want to do is... obtain the ability to authenticate as you later in a traceable way. I don't buy it.

If you're a James Bond villain and the plot's resolution needs to be saved for the final reel then this makes sense, you can't blow up the world 40 minutes into the story 'cos the audience knows that isn't the end. But real crooks don't want to build suspense, they're going to jump to the part where they win. Why play this long game?

link