• jet@hackertalks.com · 3 upvotes · 10 months ago

        https://developers.yubico.com/Passkeys/Passkey_concepts/Discoverable_vs_non-discoverable_credentials.html

        While non-discoverable credentials are not considered passkeys, you should still be aware of them as there are still a number of valid scenarios where your application will need to support the use of them - especially as they are still valid WebAuthn credentials. These are credentials that cannot be generically invoked by a relying party. Instead a user will need to prompt the relying party with a username (user handle) to have the application provide a list of credential IDs to denote which credential(s) can be leveraged for authentication.

        FIDO2 WebAuthn non-discoverable credentials are completely unlimited, because the private key is on the YubiKey directly. The only downside of this is you have to type in your username first, but I think that's an upside personally. I do not want anybody who compels disclosure of my hardware security key to see all the accounts on it.
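As an added illustration (not code from this thread or from Yubico) of the flow the quoted Yubico passage describes, here is a relying-party sketch in JavaScript: the username lookup that yields allowCredentials for a non-discoverable credential, the contrasting discoverable request, and the checks an RP makes on the assertion that comes back. The RP ID, origin and credential IDs are constructed values.

```javascript
// Added example, not code from the thread or from Yubico: the relying-party
// side of the non-discoverable flow the quoted text describes, runnable in
// Node. The browser call itself (navigator.credentials.get) is represented
// only by the options object it would receive and the assertion it returns.

// Constructed RP store: username -> credential IDs (base64url) registered
// as non-discoverable credentials. Only the RP knows this mapping; the key
// itself keeps no enumerable list of accounts.
const USERS = { alice: ["Yl1qN0hDbGk", "cXdlcnR5dWlv"] };
const RP_ID = "example.com"; // assumed RP ID

// Non-discoverable flow: username first, then the RP hands back the credential
// IDs it has on file as allowCredentials. A real RP should answer an unknown
// username indistinguishably from a known one (WebAuthn privacy considerations).
function requestOptionsForUser(username, challenge) {
  const ids = USERS[username];
  if (!ids) return null;
  return {
    challenge,
    rpId: RP_ID,
    userVerification: "preferred",
    allowCredentials: ids.map((id) => ({ type: "public-key", id })),
  };
}

// Discoverable (passkey) flow, for contrast: no username and an empty
// allowCredentials; the authenticator offers whatever resident credentials
// it holds for rpId, which is the account list the commenter wants kept private.
function requestOptionsDiscoverable(challenge) {
  return { challenge, rpId: RP_ID, userVerification: "required", allowCredentials: [] };
}

// Constructed helper: builds the base64url clientDataJSON a browser would produce.
function encodeClientData(type, challenge, origin) {
  return Buffer.from(JSON.stringify({ type, challenge, origin })).toString("base64url");
}

// RP-side checks after the assertion comes back. Verifying the signature over
// authenticatorData || SHA-256(clientDataJSON) with the stored public key is
// the remaining step and is omitted here.
function verifyAssertion(options, expectedOrigin, assertion) {
  const offered = new Set(options.allowCredentials.map((c) => c.id));
  if (!offered.has(assertion.id)) return false; // a credential the RP never offered
  const cd = JSON.parse(Buffer.from(assertion.clientDataJSON, "base64url").toString("utf8"));
  return cd.type === "webauthn.get" && cd.challenge === options.challenge && cd.origin === expectedOrigin;
}
```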

          • jet@hackertalks.com · 2 upvotes · edited · 10 months ago

            The non-discoverable keys cannot be removed from the device. The secret is non-transferable.

            In the YubiKey Bio series, this is implemented as a second factor. So you log in, and then present your hardware key as a second factor. You need your fingerprint, the key, and your username. Fairly secure.

            I think this is a more secure model than passkeys as they're being promoted today.