by eeZah7Ux 1954 days ago
Reminder: FIDO2 is mostly useless if your browser or your OS is compromised.

Also if someone hijacks your account using brute-forced recovery codes and/or email.

Also if the servers are compromised or account data leaked.

In short, it protects from some forms of phishing.

(I'm not trying to criticize FIDO2, just pointing out what to expect from it)

2 comments

Otoh if your browser/os is not compromised, it's safer than authentication code and SMS OTP.

And hopefully recovery codes have maximum retry count?
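The retry limit asked about above, as an added example that is not part of the thread or of any FIDO2 implementation: recovery codes generated with a CSPRNG, stored only as salted PBKDF2 hashes, single-use, and verified through a failure counter that locks recovery for a fixed period once the threshold is hit. The alphabet, code length, threshold and lockout duration are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import secrets
import time

# Assumptions for this example (not values from any standard or product):
CODE_ALPHABET = "abcdefghijkmnpqrstuvwxyz23456789"  # 32 symbols, confusables dropped
CODE_LENGTH = 10                                    # 10 * log2(32) = 50 bits per code
MAX_FAILED_ATTEMPTS = 5                             # lockout threshold
LOCKOUT_SECONDS = 3600                              # lockout duration
PBKDF2_ITERATIONS = 50_000                          # slows offline guessing if the table leaks


def code_entropy_bits():
    """Entropy of one code in bits, given the alphabet and length above."""
    return CODE_LENGTH * math.log2(len(CODE_ALPHABET))


def generate_codes(count=8):
    """Return `count` recovery codes drawn from the OS CSPRNG (secrets module)."""
    return ["".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
            for _ in range(count)]


def hash_code(code, salt):
    """Salted PBKDF2-HMAC-SHA256 of a code; only this is persisted, never the code."""
    return hashlib.pbkdf2_hmac("sha256", code.lower().encode(), salt, PBKDF2_ITERATIONS)


class RecoveryCodeStore:
    """Per-account recovery-code state: hashed codes plus a lockout counter.

    `clock` is injectable so the lockout expiry can be tested without sleeping.
    """

    def __init__(self, codes, clock=time.time):
        self.clock = clock
        self.salt = secrets.token_bytes(16)
        self.hashes = [hash_code(c, self.salt) for c in codes]
        self.failed_attempts = 0
        self.locked_until = 0.0

    def remaining(self):
        return len(self.hashes)

    def verify(self, submitted):
        """Return "ok", "invalid" or "locked". A used code is consumed on success."""
        now = self.clock()
        if now < self.locked_until:
            # Refuse to even compute the hash while locked: no oracle for the attacker.
            return "locked"
        if self.locked_until:
            # Lockout expired: clear it and start counting afresh.
            self.locked_until = 0.0
            self.failed_attempts = 0

        candidate = hash_code(submitted, self.salt)
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(candidate, stored):
                del self.hashes[i]          # single-use
                self.failed_attempts = 0
                return "ok"

        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked_until = now + LOCKOUT_SECONDS
        return "invalid"


if __name__ == "__main__":
    codes = generate_codes()
    store = RecoveryCodeStore(codes)
    print("entropy per code:", code_entropy_bits(), "bits")
    print("first code:", store.verify(codes[0]))
    print("replay of first code:", store.verify(codes[0]))
```

With these assumptions an online attacker gets at most 5 guesses per hour against a 50-bit space, so the retry counter rather than the code length is what stops online brute force; the PBKDF2 hashing only matters if the stored table itself leaks.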

> Otoh if your browser/os is not compromised, it's safer than authentication code and SMS OTP.

...but less safe than an external token if someone steals your laptop with the FIDO2 key in the USB port.

Yet, these are really very minor improvements to the (sorry) state of web and desktop security.

A good bunch of downvotes for this? Congratulations HN crowd.