by clepto
1046 days ago
One problem I have with switching exclusively to Yubikeys (or similar) entirely, with no other 2FA option, is the lack of support in embedded browsers. I'm not entirely sure what the support for this is like on Windows or some Linux systems, but for example on macOS, if an application authenticates with SSO or something in an embedded browser window (one example would be Cisco AnyConnect, but there are plenty of others; zScaler did recently update their macOS client to authenticate inside a real full browser, though, so that's nice), most every application I've come across uses the stripped-down version of WebKit that doesn't support FIDO2 or security keys at all, so I'm forced to use some other option like an authenticator app. This is perhaps less of a problem depending on what types of auth your IDP supports, but for example with Microsoft it's either phone call or SMS, their Authenticator app, or FIDO2.
I’ve been rocking FIDO2 with a Yubikey on macOS and iOS and it’s been solid. Support is there in web views. You can even use Yubikey-based PIV certificates now.
Not all of Microsoft's apps have migrated to support this at the same pace. And anything still using ADAL over MSAL on iOS is probably going to ask for a different authentication path. Some of the older PowerShell modules don't support FIDO2 or certificate authentication at all, but those are being rapidly deprecated.