- From: Arshad Noor via GitHub <sysbot+gh@w3.org>
- Date: Sun, 10 Jan 2021 21:59:30 +0000
- To: public-webauthn@w3.org
There are a few safety guards on such a use-case, Dominic. If you have a Security Key that does not integrate biometrics or a PIN, and only checks for "User Presence" (UP), then:

1) The attacker would have to know which websites have registered this key - admittedly, this is a small hurdle because they will try it at the most common large sites first to see if it works - but most sites that are concerned about security will still ask for a password if the Security Key only supports UP (which is common with the older U2F Security Keys);

2) The attacker has to know the username on the website to be able to generate the correct response from the FIDO Server - there is not only a challenge, but also a list of acceptable "key handles", public keys and other metadata that will authenticate the response. While you might try to guess at what the username might be, it might work, it might not - but it's still another hurdle.

If you really want to be secure on a site you consider too risky to be compromised on, get yourself a "user verifying" (UV) Security Key - with a biometric reader or a PIN; this will add another factor of protection to your account if you lose the Security Key.

Right now, I don't know of any site that accepts a Security Key without asking for your username AND password before presenting the FIDO challenge. The only financial site I know of that accepts a Security Key is Vanguard; it still requires authenticating with a username/password before you see the FIDO challenge. Their policy is that they only accept Yubikeys; I'm not happy with that and have complained. They claim they're updating their site to accept other Security Keys - but it either reflects little understanding of FIDO or they thought they were being very risk-averse by accepting just one brand of Security Keys.

I wonder if they know about this paper yet - Yubikey and Feitian are also implicated in the story besides Google: https://arstechnica.com/information-technology/2021/01/hackers-can-clone-google-titan-2fa-keys-using-a-side-channel-in-nxp-chips/

Arshad Noor
StrongKey

On 1/10/21 7:29 AM, Dominic Tobias wrote:
> I don't disagree with the current economics @mamartins
> <https://github.com/mamartins> / @Oloompa
> <https://github.com/Oloompa>. $10 is too expensive for APAC. For
> now. But, all new technologies go through this curve. What some
> industries should recognize is that it will be less expensive for
> them to give away Security Keys to customers than to waste
> time/money with all the other crap they buy/implement to do "risk
> scoring" on the back-end to minimize breaches and fraud.
>
> This is an interesting point, maybe I'm naive here but I have a Yubikey
> and it has nothing that authenticates me. All someone needs to do is
> steal/find it and have access to my accounts. How is that more secure
> than a password!?

--
GitHub Notification of comment by arshadnoor
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/151#issuecomment-757551186 using your GitHub account
Received on Sunday, 10 January 2021 21:59:41 UTC