Re: [webauthn] Clarify how a user can authenticate from multiple devices (#151)

There are a few safety guards on such a use-case, Dominic. If you have a 
Security Key that does not integrate biometrics or a PIN, and only 
checks for "User Presence" (UP), then:

1) The attacker would have to know which websites have registered this 
key - admittedly, this is a small hurdle because they will try it at the 
most common largest sites first to see if it works - but most sites that 
are concerned about security will still ask for a password if the 
Security Key only supports UP (which is common with the older U2F 
Security Keys);

2) The attacker has to know the username on the website to be able to 
generate the correct response from the FIDO Server - there is not only a 
challenge, but also a list of acceptable "key handles", public-keys and 
other metadata that will authenticate the response. While you might try 
to guess at what the username might be, it might work, it might not - 
but it's still another hurdle.

If you really want to be secure on a site you consider too risky to be 
compromised on, get yourself a "user verifying" (UV) Security Key - with 
a biometric reader or a PIN; this will add another factor of protection 
to your account if you lose the Security Key.

Right now, I don't know of any site that accepts a Security Key without 
asking for your username AND password before presenting the FIDO 
challenge. The only financial site I know of that accepts a Security Key 
is Vanguard; it still requires authenticating with a username/password 
before you see the FIDO challenge. Their policy is that they only accept 
Yubikeys; I'm not happy with that and have complained. They claim 
they're updating their site to accept other Security Keys - but it 
either reflects little understanding of FIDO or they thought they were 
being very risk-averse by accepting just one brand of Security Keys. I 
wonder if they know about this paper yet - Yubikey and Feitian are also 
implicated in the story besides Google:

Arshad Noor

On 1/10/21 7:29 AM, Dominic Tobias wrote:
>     I don't disagree with the current economics @mamartins
>     <> / @Oloompa
>     <>. $10 is too expensive for APAC. For
>     now. But, all new technologies go through this curve. What some
>     industries should recognize is that it will be less expensive for
>     them to give away Security Keys to customers than to waste
>     time/money with all the other crap they buy/implement to do "risk
>     scoring" on the back-end to minimize breaches and fraud.
> This is an interesting point, maybe I'm naive here but I have a Yubikey 
> and it has nothing that authenticates me. All someone needs to do is 
> steal/find it and have access to my accounts. How is that more secure 
> than a password!?

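As an added illustration of the server-side guards described in the reply above (this is example code written for this archive page, not code from the thread, from any FIDO server or from any Security Key vendor), the Go sketch below checks an authentication response the way a relying party does: the key handle must be one registered for the username being logged in, the authenticator data must be for this site, user presence (UP) must be asserted, user verification (UV) can be demanded by site policy, and the signature must verify under the stored public key. The relying-party ID example.com, the key handle, the clientDataJSON and the NewKeyPair/SignAssertion helpers that stand in for the Security Key are constructed so the sample runs offline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const (
	FlagUP = 0x01 // user presence: a touch on the Security Key (authData byte 32)
	FlagUV = 0x04 // user verification: a PIN or biometric checked on the key itself
)

// signedDigest is what the key signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cd := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cd[:]...))
	return d[:]
}

// NewKeyPair and SignAssertion stand in for the Security Key: the P-256 key it creates
// at registration, and its answer to a challenge (constructed helpers for this example).
func NewKeyPair() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
func SignAssertion(priv *ecdsa.PrivateKey, authData, clientDataJSON []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, clientDataJSON))
}

// VerifyAssertion runs the FIDO-server checks from the message; allowed maps the key handles
// registered for this username to their public keys (challenge/origin checks left to caller).
func VerifyAssertion(allowed map[string]*ecdsa.PublicKey, rpID string, requireUV bool,
	credID, authData, clientDataJSON, sig []byte) error {
	pub := allowed[string(credID)]
	rpHash := sha256.Sum256([]byte(rpID))
	switch {
	case pub == nil:
		return errors.New("key handle not registered for this user")
	case len(authData) < 37 || !bytes.Equal(authData[:32], rpHash[:]):
		return errors.New("authenticator data is not for this relying party")
	case authData[32]&FlagUP == 0:
		return errors.New("user presence not asserted")
	case requireUV && authData[32]&FlagUV == 0:
		return errors.New("site policy requires user verification (PIN or biometric)")
	case !ecdsa.VerifyASN1(pub, signedDigest(authData, clientDataJSON), sig):
		return errors.New("signature does not verify under the registered public key")
	}
	return nil
}
```

A real server must also decode clientDataJSON and compare its challenge and origin with the ones it issued, and should track the signature counter in authData bytes 33 to 36; both are omitted here to keep the sketch short.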
GitHub Notification of comment by arshadnoor

Received on Sunday, 10 January 2021 21:59:41 UTC