Lmst
Login

#CTAP

Varbin :arctic_fox: ​:gay_furr:varbin@infosec.exchange
2025-06-04

I am a bit unhappy of the development of CTAP2 - the protocol that powers security keys (e.g. Yubikeys).

In the beginning there was U2F (now called CTAP1). You can register, and log in. There already is some complexity, since different transports (BLE, USB, ...)

CTAP2.0 added a PIN or biometrics for additional verification. As it is possible to built authenticators on already existing security hardware (like a TPM), there are a dozens of different attention formats. Credentials can be stored on the authenticator. You can also have symmetric credentials.

CTAP2.1 add another protocol for PIN authentication (only marginally better), and now you may manage your stored credentials (maybe, if the manufacturer imemented it). PIN and biometrics authentication is streamlined, but authenticators need to support both the old and new flow. Enterprises can have a new attestation format, to! Symmetric credentials are secure now.

CTAP2.2 adds JSON encoded messages (optionally), adds more complexity to PIN authentication and support for non-fido credentials.

I think the protocol just got a lot more complex while loosing the focus of what authenticators should do, and do well.

#ctap #Passkeys #webauthn

Varbin :arctic_fox: ​:gay_furr:varbin@infosec.exchange
2025-05-23

Does somebody know *why* CTAP2.x ("FIDO2") tokens do not authenticate the key exchange to protect the transmitted PIN from the client device to the authenticor?

Background: When you enter your PIN for a FIDO2 authenticator (e.g. Yubikey), the PIN is encrypted, and only a truncated SHA-256 hash is transmitted. The encryption key is chosen by unauthenticated ephermal ECDH key exchange. As the PINs usually have low entropy, they can be brute forced by an attacker who performs an active MITM attack.

Some smart cards (e.g. the German eID or other Biometric Passports) use PACE nowadays to protect such a key exchange with a PIN or another low-entropy secret (such as the document number) - other password authenticated key exchanges (PAKEs) would certainly be possible as well.

Are active MITM attacks considered to be negligible for the common transports (USB, NFC, Bluetooth) of Webauth? Or are there other reasons why a PAKE is not used?

#ctap #fido #cryptography

xyhhx 🔻 (plz hire me)xyhhx@nso.group
2025-03-28

browsers should implement a standard webauthn element / input type so that js-free websites could use webauthn too...

#webauthn #browsers #security #fido2 #ctap

Lukas Rotermundlukasrotermund@social.tchncs.de
2024-12-16

Are you still using old, smelly, musty passwords? And then there's the annoying task of typing in numbers/TOTPs all the time? Then FIDO2 might be for you.

In my latest blog post, I explain what FIDO2 is and how it makes passwords and TOTPs obsolete. And it's available for little or no money.

I look forward to hearing your thoughts on this article. Feel free to share it; FIDO2 needs more attention, even from non-technical users!

#fido2 #ctap #webauthn #password #yubi

lukasrotermund.de/posts/how-fi

Claudius Linkrealn2s@infosec.exchange
2024-05-17

I'm looking for a good overview/comparison of different #MFA/#2FA or #PasswordLess authentication protocols.

The recent #Fido2 #MitM risk made me aware that I need to learn more.

Pointers and #BoostWelcome

#fedipower #wisdomOfTheCrowd #FollowerPower

As the best way to get an answer on the internet, is to state something wrong, let's try this 😜

#FIDO and FIDO2 are actually a whole set of (related?) protocols.
FIDO includes FIDO #UAF (Universal Authentication Framework) and FIDO #U2F (Universal Second Factor).

FIDO2 is the "successor" of FIDO and consists of two parts.
#WebAuthn and #CTAP (Client to Authenticator Protocol). From the name I would guess that WebAuthn is for web stuff (requiring browser support) and CTAP is for IT infrastructure stuff (???)

#Passkey is based on #Fido2
Other related concepts or protocols are #OTP (one-time passwords), #TOTP (Time-based One-time Password) and #HOTP (“H” in HOTP stands for Hash-based Message Authentication Code (HMAC))

Not sure how #SmartCards play into this.

And not sure which of these methods would work for an offline authentication login into your laptop (and ideally also as key for whole disk encryption)

WilhelmWilhelm@pirati.ca
2023-01-31
This kept bothering me so I read up about current state of #CTAP support in #Firefox.



caniuse.com/u2f is a good starting point. They list FIDO U2F API support which is now called #CTAP1 as per www.yubico.com/resources/gloss…

CTAP1 is supported in Firefox v67-110 while v111 shows 2 Support can be enabled with the security.webauth.u2f flag. Enabling that flag does not resolve the problem, which is odd, since USB HID support was implemented in Firefox and is listed as supported after altering the flag. CTAP1 is not going anywhere and will be dropped in favor of CTAP2 as per bugzilla.mozilla.org/show_bug.… which got closed as wontfix 4 days ago with comment the u2f interface is being removed in favor of webauthn.

caniuse.com/webauthn translates to CTAP2 as per www.yubico.com/resources/gloss…

Support for CTAP2 and while CTAP1 is unofficially supported CTAP is the W3C recommendation.
Web Authentication - Support #CTAP2 via USB HID (bugzilla.mozilla.org/show_bug.…) was added to v109 and got closed 2022-12.

The confusing part is while Support CTAP2 via USB HID, which translate to use your YubiKey as external factor while plugged into a USB port and used as human interface device to confirm login, is imlemented, login neither works in v109 or v111.

And there our travels end... or so you thought. The rabbit hole - of course - goes much deeper. There's also github.com/mozilla/authenticat… which got closed in 2019. The person closing the issue does not remember why they closed the ticket. They were let go in 2020 (probably during the big cut) and were kind enough to follow up to questions on that GitHub issue after no longer being responsible, which is great. github.com/mozilla/authenticat… was filed to re-open the unfinished issue #33 which got closed. Then issue 33 got re-opened.

And there is [meta] Support CTAP2 (FIDO2) Passwordless Web Authentication: bugzilla.mozilla.org/show_bug.…

But that to me seams to cover much more than what I intended to use. After all the login to AppleID still requires email + password, so we are not talking about a passkey or passwordless login.

The best option currently is probably to watch bugzilla.mozilla.org/show_bug.… Enable FIDO CTAP2 support in Firefox nightly and once that is addressed, do another test round.

Sadly it seams Firefox is not there yet and as always patience is a virtue 😇

These posts get so little feedback I am wondering if anybody is reading them. Let me know. Also are you using a #Yubikey as #2FA or password replacement? Using #Passkeys already? And if yes, with which browser?
Milena LeyboldMilenaKLey@sciences.social
2023-01-17

Sad to see how well my research interests speak to each other: content moderation practices and alternative approaches to IP in the Covid-vaccine context! #CTAP #OpenSourceVaccines #Censorship

theintercept.com/2023/01/16/tw

Karl Emil Nikkakarlemilnikka
2022-05-15

Our podcast colleagues at “IT-säkerhetspodden” just published a new episode (in English) describing Yubico’s proposed backup solution for WebAuthn, called ARKG.

Interview: itsakerhetspodden.se/podcast/1

More info on ARKG: yubico.com/blog/yubico-propose

peratrobador
2021-07-04

RT @Winnie_Byanyima@twitter.com: The Alliance advocates for 3 urgent actions to maximize global vaccine manufacturing:
1) sharing technology & know-how via @WHO@twitter.com's
2) at @WTO@twitter.com
3) investing in enhancing manufacturing capacity in developing countries, especially in Africa.

Commonifycommonify@social.anoxinon.de
2021-01-30

That's it: #Vaccines must be a legal #commons! Also: the #EU and the #EUCommission had more opportunities 2 support a #commons approach towards drugs/vaccines. Could have pushed 4 #waiver proposed by India/SA or strongly support #CTAP from early on; #IP #Patentetöte
---
RT @fuchschristian
If #EUCommission had demanded that #AstraZeneca does not copyright its vaccine and had insisted that the vaccine must be made a legal commons, the…
twitter.com/fuchschristian/sta

Commonifycommonify@social.anoxinon.de
2021-01-30

Did #EUCommission really use opportunities 2support a #commons approach towards drugs/vaccines? ->pushing 4 #waiver proposed by India/SA or strongly supporting #CTAP from early on; What abt th other vaccines? Wd U pls point me 2relevant articles re Commissions position&policy?
---
RT @fuchschristian
If #EUCommission had demanded that #AstraZeneca does not copyright its vaccine and had insisted that the vaccine must be made a legal c…
twitter.com/fuchschristian/sta

puresickpuresick@toot.cafe
2019-03-10

“The passwordless web explained”

#security #web #passwordless #fido2 #webauthn #ctap

nakedsecurity.sophos.com/2018/

Mark Shane Haydenmsh@coales.co
2018-04-11

Glad to see #webauthn and #ctap get published...step in the right direction to put authentication in the right place.

theregister.co.uk/2018/04/11/f

Client Info

Server: https://mastodon.social
Version: 2025.04
Repository: https://github.com/cyevgeniy/lmst