by oldbbsnickname
973 days ago
HOTP (one-time) and TOTP are typically used in conjunction with one another. HOTP provides backup codes should client or server time be out of sync. https://www.rfc-editor.org/rfc/rfc4226

FIDO2 with a hardware key source provides a much stronger and more secure guarantee than a 6 digit hash and an unencrypted symmetric secret stored in an app. https://fidoalliance.org/fido2/

Any and all 2FA approaches demand backup codes (and backup code management with confidentiality and durability) to protect against 2FA loss or inability of the 2FA to function. For example, there are some apps that insist on performing FIDO2 on a non-NFC platform. While I can use a Lightning to USB-C adapter to work around this limitation, it's possible that I might not have it and would need some other 2FA "sufficient" mechanism.

By the way, there is "HSM"-like passkey functionality embedded in most modern Apple and Samsung devices that doesn't require a USB token. This has the downside of not being a dedicated hardware token, so it cannot be physically isolated offline and requires an additional piece of software to act as a FIDO2 authenticator.
If you took WebAuthn and, instead of the private key, used one password, it’d be nearly as strong. Assuming that one password is sufficiently strong, and the password input could not be intercepted, and no one ever looked over your shoulder, or used a camera, and you never wrote it down somewhere others can find it, and you never typed it where someone had installed a key logger…
Actually, let’s bring on the passkeys.