- trusted computing - Information Security Stack Exchange
Is it possible to inspect data (pubkeys, domain names used for webauthn, not private keys) related to private keys stored in the TPM on Windows? I legally own the hardware and have maximum permiss
- authentication - Will sky fall if I don't verify . . .
Through reading the WebAuthn spec and related MDN docs, I understand that unlike "certificate signing requests", FIDO Passkey can have various different attestation formats and verification methods algorithms during public-key credential registration
- What is the proper procedure to allow users to reset their passkey
What is the best practice for allowing users to reset a passkey (WebAuthn)? Should I just have them click a link in their email like it was a password, or is there a more secure way of doing it?
- Use platform TPM as U2F for web applications
Using Edge Chrome you should be able to use Windows as a FIDO2 platform authenticator (check Windows Hello system settings). Already did that via webauthn.io. Set "Authenticator type" to "Platform (TPM)"
- FIDO and FIDO2 differences - Information Security Stack Exchange
FIDO2: Second iteration (with CTAP and WebAuthn) --> Partially right about FIDO2.0. It is comprised of WebAuthn (the Browser API) W3C standard and CTAP2 (the authenticator API) (formally known as U2F CTAP1) and also FIDO Alliance relabeled U2F as CTAP1
- How do FIDO keys prevent MITM reflection attacks?
WebAuthn and U2F are authentication protocols; establishing a secure connection is outside their scope. If the user's connection isn't encrypted, if the cipher suite being used is broken, or if the user trusts a MitM's certificate, it's game over
- Why do some services require a hardware-based passkey and others allow . . .
Of course GitHub is able to set options for the WebAuthn registration ceremony (and they do in the data-webauthn-register-request attribute of the form element), but WebAuthn has no option to enforce the use of a hardware authenticator, let alone one with a touch sensor
- Windows Certificates - where is private key located?
In Windows 10: When I load a certificate into the "Current User" store, it puts a private key file here: C:\Users\ [userID-A]\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-xxx\pkfileqreflr8