I see a lot of confusion in this thread (warranted, because it's a confusing subject), and I want to clarify a few things:
U2F is the old standard, it is only meant be used as a second factor.
WebAuthn is the new standard, it has different modes for usage as a second factor, first factor and single factor (usernameless). Only the usernameless mode requires state on the client side.
Usernameless strikes me as the holy grail of authentication, where we don't need to remember any usernames or passwords (or even have them), but I haven't seen any websites that support usernameless authentication, other than demo ones and my own.
If you want to see what a usernameless flow looks like, you can visit https://www.deadmansswitch.net/. You have to log in with an email link first, and then associate your FIDO2 credential with it. You don't need a hardware key, for example on phones you can use your fingerprint reader and it will work fine.
The problem with hardware keys, and which is not mentioned anywhere, is that because usernameless requires storage on the key, Yubikeys only support a maximum of 25 sites you can authenticate with.
In order to further my goal of some day ditching password managers, I also made a Django library for usernameless logins which you can use today on your Django sites:
This seems like a cool idea, but the Yubikey NEO that I use to log into github doesn't seem to be accepted by the page. I doubt I've hit the 25 website limit.
I am probably wrong, but I think Fido2 keys should be ubiquitous. They provide a hardened solution for some security situations, certainly they could be a good 2nd factor or 3rd, and hopefully they could reduce the password madness we have. Yubico appears focused on the enterprise and high end users resulting in higher prices. Solokeys seems more focused on individual users with lower prices.
Disclaimer I have two Yubico keys, and two Solokeys and they all work for me, but I don't need the extra functionality of the more expensive Yubico keys.
They offer more security so what you say is true,but there is always a cost-benefit calculation to be had. They solve the human user authentication problem really well,but they do have a cost of ownership significantly higher than just passwords or even software authenticators.
You have to keep in mind that attackers want passwords to get access to some resource,not to just collect your password. Evem with a yubikey, an attacker can still get access to session/auth cookies post authentication to get access to a desired resource.
If the cost makes sense to you, they are the best way to do it,but if not there is no shame in other sane factors of authentication like TOTP or software attested webauthn.
I would restate what you said and say FIDO2 and/or WebAuthn need to be ubiqutous. It should be easy for some random guy working on ASP.NET site or something to support them.
right now even if you have it ,you can login to a handful of sites and that's it. For companies,they need to do SSO for everything with a yubi if they go that route.
You're talking about purchasing cost, there is additional cost as well. Who supports it,how much more does it cost to support. How easily can you issue new yubikeys,what is the cost of that delay? Do you still keep passwords or hope people keep their yubi's in a secure place?
Business cost example: some important guy is making a business deal but he lost/forgot his credential and can't login to show a presentation. If that credential is a password or TOTP key, he calls helpdesk and gets it sorted out. But if it is a FIDO key and they are on the other side of the planet (or a city close by where you have no support staff) that can humiliate not just the person but your whole company. Are hackers a bigger risk than a guy losing his yubikey? Depends on who you are and what you do. There are even more subtle costs like people forgeting their yubi at work/home and losing man hours for when they have to retrieve it. Malicious insiders swiping a fido key to do harm because of how much trust a session authenticated with a fido key has,etc...
Having a few vaults with security guards is a great deterrence as the reward is little for the high risk. Having many vaults with security guards draws a bit more attention...
I’m having trouble understanding what you’re saying.
You’d think we’d be better off even with the higher attention, were it to exist, because the level of attention going into making FIDO2 as secure as possible would scale with its userbase. Same with any other security solution being implemented.
I have two OnlyKeys I backup against the other to handle the lack of ubiquity of FIDO2. So many places are still only using SMS, but as an alternative, have built proprietary, in-app authentication systems that can't be audited. I had a phone break, and I wanted to purchase a new phone online to have it ship when I returned; and I couldn't access my remote work paycheck transfer (in-app), I couldn't log into my bank (SMS + in a different country so not the same SIM), and I couldn't log into the more popular online shopping (SMS).
Auth needs to be able to be decoupled from phones. With the OnlyKey, I've stored the important TOTP keys as well like my email as well as password for my password manager. Being as 'dumb' as they are, I've had it go through the wash still working fine.
> Dynamic linking is possible through the generation of authentication codes which is subject to a set of strict security requirements. To remain technologically neutral a specific technology for the implementation of authentication codes should not be required. Therefore authentication codes should be based on solutions such as generating and validating one-time passwords, digital signatures or other cryptographically underpinned validity assertions using keys or cryptographic material stored in the authentication elements, as long as the security requirements are fulfilled.
My bank (Swedbank Latvia) used this regulation as a pretext for removing authentication via passwords + code cards. They didn't do too well on the "technologically neutral" part though – you now have to use proprietary software or hardware to authenticate :-/
To date, the core of our firmware is also used by NitroKey [1], Signet HC [2] and OnlyKey [3]. We did a pretty significant refactor [4] to make the lib even easier to use as part of our MOSS award [5].
Hopefully we'll see even more products -and thus user adoption- of fido2/webauthn.
If anyone is reading, has a hardware project and would like to add fido2 functionality, please reach out!
I got a Solokey as part of the Kickstarter and love em. USB-C + NFC in one device.
The one thing I'd love out of a security key is the ability to set up a "Twinned Pair". So I can have one key on my keychain that I use everyday and one I keep in my safe in case something happens to the primary. Yes, I know some services support multiple security keys - but setting up two is more work and not all services do support two.
I definitely would like the requirement to allow multiple keys to be a part of the standard. Allowing it at the key level seems dangerous to me, perhaps, in allowing an attacker to perhaps "clone" someone's key that hasn't setup a pair yet, though of course I'm sure there's mitigations for that if it was seriously proposed!
I have two Yubikeys, one in a safe and one on my person. It saved my butt when I lost access to the one on my person for a few days!
You need to have a completely separate fallback. Typically the service will at minimum give you some one-time codes as an alternative for such cases. many services allow you to register multiple keys or TOTP apps.
SoloKeys appear to use open source firmware, whereas Yubico's firmware is closed source since the Yubikey 4 I believe. Other than that, they seem about the same. SoloKeys is a lot younger and missing a couple of Yubikey Neo's bigger features (like PGP support).
I don't believe it's just open firmware, but I think it's also an open hardware project.
While perhaps not as slick as yubikey, I do have several solo keys and they're great. Only real complaint is I wasn't able to get the NFC working, which I believe is a common issue, and I think they were working on an updated design that should work more widely with a range of devices.
Note that for a PGP key, the idea of using cheap microcontrollers is significantly worse.
U2F/FIDO2, sure, whatever- the worst failure state there is "your account is only secured by a password", and more likely attacks require physical access. I could post the secrets off the security key I use for my Google account right now and...eh, I'd probably be fine.
PGP? Ohohohoh. Now we're talking about long-term keys and non-forward-secure crypto.
If I leak your keys once- say, through power analysis, glitching, whatever- I can decrypt everything that has ever been encrypted for that key, and everything that ever will be. Compromise is total. Grab the device while it's unlocked, or use a camera, keylogger, or shoulder-surf to get your PIN- or just crack it, decrypting the encrypted keyblobs from flash ... the only thing protecting you is a barely-above-popcorn Cortex-M.
At that point, just use the fTPM in your CPU. Otherwise... hardened hardware is much more important for PGP.
If I had to design a PGP key storage mechanism, I'd probably use a reasonably well-known, well-tested "secure microprocessor"- or a 'TPM-on-a-chip' connected to an untrusted microcontroller (which would be basically just an adapter/protocol translato...hm, no, plaintext would still go across its bus, right? Forget the gpgcard spec right now, might do some link encryption, but that would be good and it's GPG so it probably doesn't. Yeah, no, I think you need the full stack on one die- or else open to attacks like replacing the untrusted microcontroller with one that logs all plaintexts it sees (and...is gpgcard challenge-response? Gotta be ...but if not, can log the pin too...anyways, ignore this aside))
Anyways, a secure microcontroller- hardware crypto engine so the microcontroller code never sees raw key material, hardware rate limiting/lockout if possible, reasonable secure boot, maybe even disable firmware upgrades entirely, self-zeroizes if you sneeze at the wrong time, etc. Attacks are still possible, but the cost goes WAY up- at least past the six figure mark, hopefully.
I'd also ban all use of RSA private keys- too easy to mess up generation, and especially since we're "secure hardware" now which means, apparently, we can't generate primes too good. No, EC keys exclusively.
Anyways ...a commodity STM32 is fine for fido2. Not great, but it's fine.
It's almost a nonstarter for PGP, and honestly any PGP support needs a giant warning label that it shouldn't be relied on to protect against physical attacks.
If I leak your keys once- say, through power analysis, glitching, whatever- I can decrypt everything that has ever been encrypted for that key, and everything that ever will be.
Doesn't it depend on the threat model? If your thread model does not include physical access compromise, then the commodity STM32 approach is quite ok right? At least, in most cases it provides more security than storing the private key on disk.
I do agree that given the low prices of secure elements it is surprising that keys still don't use them. But that may depend on the lower-priced parts not being fit for FIDO2 or OpenPGP (though the Nitrokey FIDO does use an ATECC608A).
Okay - So reading through that I get two impressions. They can't release source code because they use proprietary hardware. Secondly they believe that security through obscurity is better than publishing the code for everyone to see.
I doubt they keep it closed as a (dubious) security measure. Likely they believe the source gives them some sort of competitive advantage. (Not saying they're right or wrong about that, just that's likely what they believe.)
This is testable, and also very difficult to falsify without testing it. I'd say there is more value in doing or sponsoring the research to investigate it and I wouldn't cast aspersions on the vendors. They are better than passwords for the majority of consumer and corporate use cases.
The most basic attack and test is to verify and/or reduce the entropy of secret symmetrical (AES) keys in the SE after personalization.
The challenge with hardware security modules is verifying outputs from the same keys but on different devices, because the key is derived/instantiated in the secure tamper proof environment. The whole point is the key doesn't exist anywhere else.
If your threat model includes the intelligence agencies of super powers, your main problem is more diplomatic than technical.
Physical hardware seems like a promising replacement for passwords. But is there any real adoption in consumer services right now? The only two services I know that suppport Fido2 are Google and GitHub. Are there any other big services I'm missing here?
Microsoft supports passwordless login (you can try it out on outlook.com — some ppl refer to this as username less).
Dropbox is also an early adopter.
Plus you have all the u2f that are back compat, including facebook, twitter, aws, gitlab... (I may have confuse some u2f that already moved to webauthn, if so, sorry).
Considering that webauthn was standardized last March and that ios still has no in-app support, that’s a pretty good start, I think.
So the reason for the usernameless / passwordless distinction goes like this:
U2F was explicitly designed only as a second factor. ("Universal 2nd Factor") but WebAuthn is not.
Even with U2F you could (it wasn't recommended) just not actually have passwords. Use their second factor as your only factor. In this scenario the user needs to provide their username (email address, whatever you're using) because their FIDO token doesn't know who they are either -- it needs to be presented with a cookie [which it gave the site when the user registered to use this FIDO token], and you've probably got a database table mapping users to cookies and public keys.
In FIDO2 the token is capable of handling resident credentials. No cookie, resident credentials are permanently inside the token itself.
The massive downside of this is that obviously the token has finite storage for such credentials, a Yubikey can store 25. Whereas for ordinary FIDO (all the WebAuthn deployments I've seen outside Microsoft) there's no practical limit.
The upside is that since the token has your credentials it can now do the entire sign-in, no need for even a username so the login flow is much nicer.
Of course while convenient on its own that's arguably worse security - if a bad guy steals your token they're in without even knowing your username, much like the proximity card badges often used for site access. So the fix is that a FIDO2 token in this mode can be (usually will be) set to require a PIN or some other factor. This seems like we're back to passwords again, but it's different because the extra factor is local to your device. Bad guys can't steal PINs from devices in bulk or brute force them, they need to steal your FIDO2 token and then brute force that somehow.
This comment is accurate. Also, hardware keys can require biometrics or any other way of authenticating you. Currently, Yubikeys erase themselves if you get the PIN wrong three times (if I'm not mistaken on the number), so it's very hard to brute force.
Is this right... so in FIDO2, the website only has to store the public key of the token (which will get sent on registration/signup and mapped to a userid)?
Not the public key, that would violates FIDO's design requirement forbidding correlation. A key pair is minted during registration and the relying party (web site) remembers that specific public key. The FIDO2 device remembers which site it was and its corresponding private key.
That's why it needs storage for each such resident credential on the FIDO2 token.
Both the US and UK governments will let you use FIDO keys as your second factor. Login.gov and the Gov.uk Verify service offered by Digidentity. The Login.gov implementation is especially nice in my opinion.
But still only a single key, right? That basically means that you always need to have a second way to 2FA instead of just having registered two keys (primary and backup).
So I have a SoloKey. How do I check what firmware it is running? Is the firmware upgraded automatically, or do I have to do something? The SoloKey website from some quick skimming doesn't seem to have any information on the topic.
I just did an upgrade to a few keys a couple days ago using solo-python and it was a breeze. Note that you might need to add the udev rules to your Linux machine if they are not detected as explained here: https://docs.solokeys.dev/solo/udev/
Oh my... I saw FIDO2 and immediately (for some reason) thought it was a resurgence of FidoNet: https://en.wikipedia.org/wiki/FidoNet and somehow someone built a new FidoNet with security and audits.
U2F is the old standard, it is only meant be used as a second factor.
WebAuthn is the new standard, it has different modes for usage as a second factor, first factor and single factor (usernameless). Only the usernameless mode requires state on the client side.
Usernameless strikes me as the holy grail of authentication, where we don't need to remember any usernames or passwords (or even have them), but I haven't seen any websites that support usernameless authentication, other than demo ones and my own.
If you want to see what a usernameless flow looks like, you can visit https://www.deadmansswitch.net/. You have to log in with an email link first, and then associate your FIDO2 credential with it. You don't need a hardware key, for example on phones you can use your fingerprint reader and it will work fine.
The problem with hardware keys, and which is not mentioned anywhere, is that because usernameless requires storage on the key, Yubikeys only support a maximum of 25 sites you can authenticate with.
In order to further my goal of some day ditching password managers, I also made a Django library for usernameless logins which you can use today on your Django sites:
https://pypi.org/project/django-webauthin/