Password-free authentication – FIDO2 and WebAuthn
Lost Token?
One inherent problem is the loss of a token, which raises the question of what recovery functions are offered by the online store. Even before WebAuthn, crypto guru Bruce Schneier warned [21] that any service that implements security questions (e.g., asking for the mother's maiden name to reset the password) can also dispense with password rules.
With WebAuthn, only a new account – creating a new credential with a new token – seems to be the solution. How the operators put this into practice will probably only be shown by implementations on bank and credit card sites, which is where you separate the chaff from the wheat today (e.g., with requirements for passwords or online banking procedures).
Compared with the long-known vulnerabilities of the popular mobile transaction authentication number (mTAN) method [22], however, FIDO2 is a great achievement with a huge amount of potential. The new standard is also unlikely to remove completely the need for web users to use passwords, TANs, and cryptographic keys.
Infos
- Fido the dog: https://en.wikipedia.org/wiki/Fido_(dog)
- Abraham Lincoln's dog: https://americacomesalive.com/2013/07/17/abraham-lincolns-dog-fido/
- FIDO Alliance: https://fidoalliance.org
- Fidonet: https://www.fidonet.org
- FIDO Alliance members: https://fidoalliance.org/participate/members-bringing-together-ecosystem/
- Yubico: https://www.yubico.com
- EMVCo: https://www.emvco.com/about/overview/
- W3C WebAuthn standards: https://www.w3.org/TR/webauthn/
- Vision of the FIDO Alliance: https://fidoalliance.org/approach-vision/
- Firefox and WebAuthn: https://www.cnet.com/news/firefox-moves-browsers-into-the-post-password-future-with-webauthn/
- Chrome, Edge, and WebAuthn: https://www.telecompaper.com/news/chrome-edge-firefox-to-support-new-log-in-standard-webauth--1239550
- Instructions for Mozilla and WebAuthn: https://hacks.mozilla.org/2018/01/using-hardware-token-based-2fa-with-the-webauthn-api/
- FIDO Alliance developer resources: https://fidoalliance.org/participate/developers/
- Google's developer resources for FIDO: https://developers.google.com/android/reference/com/google/android/gms/fido/Fido
- Yubico Python script: https://github.com/Yubico/python-fido2/blob/master/examples/credential.py
- Report from the RSA conference: https://fidoalliance.org/rsa-conference-wrap-up-successful-launch-of-fido2-authentication-with-more-to-come/
- YubiAuth LDAP setup: https://developers.yubico.com/yubiauth/LDAP_Setup.html
- CTAP with LDAP: http://ldapwiki.com/wiki/Client%20To%20Authenticator%20Protocol
- FIDO2 server: https://github.com/apowers313/fido2-server-demo
- StrongKey appliance: https://strongkey.com/key-appliance/
- "The Curse of the Secret Question" by Bruce Schneier: https://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html
- mTAN: https://en.wikipedia.org/wiki/Transaction_authentication_number
« Previous 1 2 3 4
Buy this article as PDF
(incl. VAT)