#fido2


With USB/IP, I can now use my YubiKey remotely via SSH in the same way as if I were sitting in front of my machine. Both in the early boot stage (initrd), unlocking a LUKS encrypted filesystem, and in the booted system stage, signing git commits and authenticating to GitHub. Great! But what about using FIDO2/WebAuthn via RDP to log in to web services? USB redirection is not supported for xrdp. Are there any workarounds coming up to, for example, redirect WebAuthn from one machine to another?

Replied in thread

@bsi Sorry, strong passwords with 2FA or #Passkeys unfortunately do not fundamentally help against phishing.

Especially with the smartphone-based method, you can transfer your passkey secrets to the cloud as well as to other people. That is the crux. In the future, #Phishing will simply aim at getting the secrets transmitted to the attacker.

arxiv.org/abs/2501.07380 "Another concern could be social engineering, where a user is tricked into sharing a passkey with an account controlled by an attacker." -> Protection only with exclusively "device-bound passkeys" in the "roaming-authenticator" variant = hardware #FIDO2 tokens. Those are currently the only protection against phishing.

But anything is better than no #2FA.

arXiv.org · Device-Bound vs. Synced Credentials: A Comparative Evaluation of Passkey Authentication
With passkeys, the FIDO Alliance introduces the ability to sync FIDO2 credentials across a user's devices through passkey providers. This aims to mitigate user concerns about losing their devices and promotes the shift toward password-less authentication. As a consequence, many major online services have adopted passkeys. However, credential syncing has also created a debate among experts about their security guarantees. In this paper, we categorize the different access levels of passkeys to show how syncing credentials impacts their security and availability. Moreover, we use the established framework from Bonneau et al.'s Quest to Replace Passwords and apply it to different types of device-bound and synced passkeys. By this, we reveal relevant differences, particularly in their usability and security, and show that the security of synced passkeys is mainly concentrated in the passkey provider. We further provide practical recommendations for end users, passkey providers, and relying parties.

Replied in thread

@leah TBF the 5 series has had a total of 6 firmware upgrades and now also supports SCP03, SCP11 and YubiHSM Auth, and the storage for Passkeys and OATH credentials has grown.

The Security Keys are cheaper, but only support #FIDO2 #Passkey.

docs.yubico.com/hardware/yubik

docs.yubico.com · Firmware Overview — YubiKey Technical Manual documentation

Replied in thread

@fleaz: it's not MultiMultiFactorAuthentication but 1FA max.

Assuming that you don't use those hardware keys to generate TOTP codes (which are pointless when confronted with the likes of #Evilginx2), but use WebAuthn instead (FIDO2 passkeys in hardware keys), everything depends on one factor: the domain name of the website.

1️⃣ DV-CERTS SUCK
It is not very common that certificates are issued to malicious parties, but it *does* happen now and then (infosec.exchange/@ErikvanStrat).

2️⃣ SUBDOMAINS
Furthermore, sometimes organizations have "dangling" subdomain names. For example,

test.example.com

may point to the IP address of some cloud server no longer used by example.com. Anyone with write access to that server may install a fake "test.example.com" website and phish you to it. It *may* be used to phish your WebAuthn credentials *if* "example.com" does not explicitly *DENY* WebAuthn from "test.example.com".

See github.com/w3ctag/design-revie for how Google prevents "sites.google.com" from authenticating to "google.com".

3️⃣ DNS HACKED
It may not be necessary to execute BGP-hijacks to redirect network traffic to an impostor: it also all depends on how reliably DNS records are protected against unauthorized access. If the dude in charge of DNS uses a stupid password only, or the DNS provider is easily fooled into believing "I forgot my creds", it's game over. The crooks will obtain a DV-cert in no time, no questions asked, for free.

4️⃣ All the bells and whistles are moot if there's an alternative way to log in (such as by using a 1FA rescue code) and the user is fooled into providing it (after they've been lied to that their WebAuthn public key on the server became corrupted or was lost otherwise).

5️⃣ Cloudflare MitM's https connections (it's not a secret: blog.cloudflare.com/password-r). The same applies to any server you log in to, which is accessible by untrustworthy personnel. They can steal your session cookie.

6️⃣ In the end MFA/2FA is a hoax anyway, because the session cookie (or JWT or whatever) is 1FA anyway.

Did I mention the risks of account lockout with hardware keys that cannot be backed up? And the mess it is to keep at least one other hardware key synchronized if it's in a vault? And the limitation of, for example, 25 WebAuthn accounts max? And (unpatchable) vulnerabilities found in hardware keys? And their price? And how easy it is to forget or lose them?

@odr_k4tana

Infosec Exchange · Erik van Straten (@ErikvanStraten@infosec.exchange)
🌘DV-CERT MIS-ISSUANCE INCIDENTS🌒 🧵#3/3
Note: this list (in reverse chronological order) is probably incomplete; please respond if you know of additional incidents!

2024-07-31 "Sitting Ducks" attacks/DNS hijacks: mis-issued certificates for possibly more than 35.000 domains by Let's Encrypt and DigiCert: https://blogs.infoblox.com/threat-intelligence/who-knew-domain-hijacking-is-so-easy/ (src: https://www.bleepingcomputer.com/news/security/sitting-ducks-dns-attacks-let-hackers-hijack-over-35-000-domains/)
2024-07-23 Let's Encrypt mis-issued 34 certificates, revokes 27 for dydx.exchange: see 🧵#2/3 in this series of toots
2023-11-03 jabber.ru MitMed/AitMed in German hosting center https://notes.valdikss.org.ru/jabber.ru-mitm/
2023-11-01 KlaySwap and Celer Bridge BGP-hijacks described https://www.certik.com/resources/blog/1NHvPnvZ8EUjVVs4KZ4L8h-bgp-hijacking-how-hackers-circumvent-internet-routing-security-to-tear-the
2023-09-01 Biggest BGP Incidents/BGP-hijacks/BGP hijacks https://blog.lacnic.net/en/routing/a-brief-history-of-the-internets-biggest-bgp-incidents
2022-09-22 BGP-hijack mis-issued GoGetSSL DV certificate https://arstechnica.com/information-technology/2022/09/how-3-hours-of-inaction-from-amazon-cost-cryptocurrency-holders-235000/
2022-09-09 Celer Bridge incident analysis https://www.coinbase.com/en-nl/blog/celer-bridge-incident-analysis
2022-02-16 Crypto Exchange KLAYswap Loses $1.9M After BGP Hijack https://www.bankinfosecurity.com/crypto-exchange-klayswap-loses-19m-after-bgp-hijack-a-18518

🌘BACKGROUND INFO🌒
2024-08-01 "Cloudflare once again comes under pressure for enabling abusive sites" (Dan Goodin - Aug 1, 2024) https://arstechnica.com/security/2024/07/cloudflare-once-again-comes-under-pressure-for-enabling-abusive-sites/
2018-08-15 Usenix-18: "Bamboozling Certificate Authorities with BGP" https://www.usenix.org/conference/usenixsecurity18/presentation/birge-lee

Edited 2024-09-05 14:19 UTC: corrected the link for the "jabber.ru" incident.

#DV #LE #LetsEncrypt #Certificates #Certs #Misissuance #Mis_issuance #Revocation #Revoked #Weaknessess #WeakCertificates #WeakAuthentication #Authentication #Impersonation #Identification #Infosec #DNS #DNSHijacks #SquareSpace #Authorization #UnauthorizedChanges #UnauthorizedModifications #DeFi #dydx_exchange #CryptoCoins

#1FA #2FA #MFA
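The points above about everything hinging on the domain name (item 0 of the post) and about subdomains such as "test.example.com" being able to use a credential scoped to "example.com" (item 2) come down to how a WebAuthn relying party scopes credentials. The following is an added example, not code from any post on this page: it models the browser's RP ID rule and the server-side checks on `clientDataJSON.origin` and `rpIdHash`, using constructed hostnames and sample messages, with signature verification omitted and the Public Suffix List check left out.

```python
import hashlib
import json
from urllib.parse import urlparse


def rp_id_matches_origin(rp_id: str, origin: str) -> bool:
    """Browser-side rule (simplified): the RP ID must equal the origin's host
    or be a label-aligned suffix of it, and the origin must be https.
    A real browser also rejects RP IDs that are public suffixes (e.g. "com")
    via the Public Suffix List; that check is omitted in this example."""
    u = urlparse(origin)
    host = u.hostname or ""
    if u.scheme != "https" or not host:
        return False
    return host == rp_id or host.endswith("." + rp_id)


def verify_assertion(rp_id: str, allowed_origins: set,
                     client_data_json: bytes, authenticator_data: bytes) -> str:
    """Server-side checks a relying party runs on a WebAuthn assertion.
    Returns "ok" or the reason for rejection. Signature verification over
    authenticator_data || SHA-256(client_data_json) is omitted here."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    origin = cd.get("origin", "")
    # The RP's explicit allow-list: this is where a subdomain such as
    # test.example.com is denied even when rp.id is the wide "example.com".
    if origin not in allowed_origins:
        return "origin not allowed: " + origin
    if not rp_id_matches_origin(rp_id, origin):
        return "origin outside RP ID scope"
    # First 32 bytes of authenticatorData are SHA-256 of the RP ID the
    # authenticator was told; it must match the RP ID this server uses.
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return "rpIdHash mismatch"
    return "ok"


# Constructed sample messages (no real challenge, counter or signature).
def client_data(origin: str) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": "dGVzdA",
                       "origin": origin}).encode()


def authenticator_data(rp_id: str) -> bytes:
    # rpIdHash (32 bytes) || flags (UP set) || signCount (4 bytes)
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
```

With rp.id set to "example.com", the browser lets "test.example.com" call the credential and only the server's origin allow-list stops it; with rp.id set to "login.example.com", the subdomain is outside scope before the server is ever involved.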

#TroyHunt fell for a #phishing attack on his mailinglist members: troyhunt.com/a-sneaky-phish-ju

Some of the ingredients: #Outlook and its habit of hiding important information from the user and missing #2FA which is phishing-resistant.

Use #FIDO2 with hardware tokens if possible (#Passkeys without FIDO2 HW tokens are NOT phishing-resistant due to the possibility of being able to trick users with credential transfers: arxiv.org/abs/2501.07380) and avoid Outlook (or #Microsoft) whenever possible.

Further learning: it could happen to the best of us! Don't be ashamed, try to minimize risks and be open about your mistakes.

Note: any 2FA is better than no 2FA at all.

Troy Hunt · A Sneaky Phish Just Grabbed my Mailchimp Mailing List
You know when you're really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That's me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the mailing

People who use hardware security keys: Storing them in geographically diverse locations is a wise move but makes it impossible to quickly onboard. How do you keep track of where you’ve registered each key? A checklist in a spreadsheet is obvious but cumbersome. Is there a better way? (Yes I use passkeys extensively but for certain services like email, iCloud, and my password manager, a hardware option is desirable if not mandatory.) #YubiKey #YubiKeys #FIDO #FIDO2 #FIDOKey #FIDOKeys #Security