• jet@hackertalks.com · 9 months ago

      https://developers.yubico.com/Passkeys/Passkey_concepts/Discoverable_vs_non-discoverable_credentials.html

      While non-discoverable credentials are not considered passkeys, you should still be aware of them as there are still a number of valid scenarios where your application will need to support the use of them - especially as they are still valid WebAuthn credentials. These are credentials that cannot be generically invoked by a relying party. Instead a user will need to prompt the relying party with a username (user handle) to have the application provide a list of credential IDs to denote which credential(s) can be leveraged for authentication.

      FIDO2 WebAuthn non-discoverable credentials are completely unlimited, because the private key is on the YubiKey directly. The only downside of this is you have to type in your username first, but I think that’s an upside personally. I do not want anybody who compels disclosure of my hardware security key to see all the accounts on it.

        • jet@hackertalks.com · 9 months ago (edited)

          The non-discoverable keys cannot be removed from the device. The secret is non-transferable.

          In the YubiKey Bio series, this is implemented as a second factor. So you log in, and then present your hardware key as a second factor. You need your fingerprint, the key, and your username. Fairly secure.

          I think this is a more secure model than passkeys as they’re being promoted today.