Hacker News
by tialaramex 2133 days ago
In this context it's probably better to think about them as FIDO/CTAP tokens rather than as U2F (which is obsoleted by WebAuthn and focused on the Web) or, as the author does, just narrow it explicitly to YubiKeys and not the wider menagerie of similar products. Yubico's own Security Key implements FIDO2 (and so could also be used for U2F) but won't work for the author's approach.

Anyway, the main thing I wanted to mention is that the use of public key encryption means this is quite different from the device having "my password". Even in the on-device ("resident credential") scenarios the authenticator doesn't have a password, which is a shared secret; it actually has a private key which it won't divulge - much better.

Implementation errors by a web site can leak your password, which because it's a shared secret can then be used by adversaries to log in. It's impossible to be sure a site didn't get this wrong, even if you're confident they are competent and well meaning.

In contrast, the WebAuthn (and U2F) design doesn't give sites enough information to impersonate you even if they wanted to, only to authenticate you. This is a familiar pattern from public key cryptography: receiving the certificate for news.ycombinator.com allows me to verify this is news.ycombinator.com but not impersonate them. Likewise, when you enroll a FIDO authenticator to use Facebook, Facebook doesn't learn how to impersonate you, even on Facebook, only a way to verify that you still have that authenticator. [And the design is even more careful: it uses completely independent credentials for each site, so when Microsoft bought GitHub they actually could not merge the FIDO-based authentication between GitHub and Microsoft properties; even if they thought that was a good idea, it's deliberately impossible.]

1 comments
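
An added example, not part of the thread or any participant's code: a simplified Node.js model of the point made in the comment above, showing that a site storing only the public key can verify a login but cannot produce one, and that credentials for different sites are independent. It is not the real CTAP/WebAuthn message format; the class, function and site names are hypothetical.

```javascript
// Simplified model only: real WebAuthn signs authenticatorData || clientDataHash.
const nodeCrypto = require('node:crypto');

class Authenticator {                        // hypothetical stand-in for a token
  constructor() { this.keys = new Map(); }   // rpId -> private key, never exported
  register(rpId) {
    const { publicKey, privateKey } =
      nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(rpId, privateKey);         // fresh, independent key per site
    return publicKey.export({ type: 'spki', format: 'pem' }); // all the site learns
  }
  assert(rpId, challenge) {
    const key = this.keys.get(rpId);
    if (!key) throw new Error(`no credential for ${rpId}`);
    return nodeCrypto.sign('sha256', signedData(rpId, challenge), key);
  }
}

// The signature covers the site identity and the site's fresh challenge.
function signedData(rpId, challenge) {
  const rpHash = nodeCrypto.createHash('sha256').update(rpId).digest();
  return Buffer.concat([rpHash, challenge]);
}

// Site-side check: needs nothing but the stored public key.
function verifyAssertion(rpId, storedPublicKeyPem, challenge, signature) {
  return nodeCrypto.verify('sha256', signedData(rpId, challenge),
                           storedPublicKeyPem, signature);
}

function demo() {
  const token = new Authenticator();
  const siteA = 'site-a.example', siteB = 'site-b.example'; // constructed names
  const pubA = token.register(siteA);
  const pubB = token.register(siteB);
  const challenge = nodeCrypto.randomBytes(32);
  const sigA = token.assert(siteA, challenge);

  // What the site stores (pubA) is not enough to sign on the user's behalf.
  let siteCanSign = true;
  try { nodeCrypto.sign('sha256', signedData(siteA, challenge), pubA); }
  catch { siteCanSign = false; }

  return {
    loginAtA: verifyAssertion(siteA, pubA, challenge, sigA),
    oldSigNewChallenge: verifyAssertion(siteA, pubA, nodeCrypto.randomBytes(32), sigA),
    sigAAtSiteB: verifyAssertion(siteB, pubB, challenge, sigA),
    siteCanSign,
    keysDiffer: pubA !== pubB,
  };
}
```

Calling `demo()` returns a valid login at site A, while the reused signature, the cross-site attempt and the site's own signing attempt all fail.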

Is any of that a contradiction of what I said or are you providing context?

On re-examination of what you wrote I think I misinterpreted this sentence:

"everyone who have a physical key I keep within a reasonable distance from me that is incredibly hard to copy and has my password"

I took (hard to copy and has my password) to be properties you were giving the physical key, but in fact I see the correct interpretation was that "and has my password" is an adjunct to the properties of this hypothetical attacker who now needs to steal the key.

Yeah, I meant "(has the key) and (has my password)", not "has my key which has my password". The reply makes a lot more sense now, thanks for the clarification! I'll try to be more unambiguous.