#CTAP2

pft@infosec.exchange
2025-05-12

Anyone familiar with #FIDO2 / #Passkeys could you please #help me here?

According to Yubico docs on Passkeys, the client/client device uses #CTAP2 to communicate with platform authenticators. This sounds a bit strange to me, aren't there internal APIs on the platform that are called here? Isn't CTAP2 exclusive to #roaming authenticators?

#advice #thanks

developers.yubico.com/Develope

0xKaishakunin
2025-02-18

At the I will be giving a talk on passwordless logins with . In particular on the dangers of lock-in into a vendor cloud, on hardware tokens and of course on the behind it

chemnitzer.linux-tage.de/2025/

Matthew Miller (iamkale@infosec.exchange)
2023-02-01

Well this is an exciting development: #Firefox 110 on #macOS is finally getting #CTAP2 support! This means it can finally support passwordless use of #WebAuthn with security keys 🔥

To test this out for yourself, go to about:config, set security.webauthn.ctap2 to True, then give it a shot. It's just a matter of time before this is turned on by default 🎉

2023-02-01

And here is the PR to enable #CTAP2 by default in #Firefox nightly 🚀
bugzilla.mozilla.org/show_bug.…

2023-01-31

This kept bothering me so I read up about the current state of #CTAP support in #Firefox.

caniuse.com/u2f is a good starting point. They list FIDO U2F API support which is now called #CTAP1 as per www.yubico.com/resources/gloss…

CTAP1 is supported in Firefox v67-110 while v111 shows [2]: Support can be enabled with the security.webauth.u2f flag. Enabling that flag does not resolve the problem, which is odd, since USB HID support was implemented in Firefox and is listed as supported after altering the flag. CTAP1 is not going anywhere and will be dropped in favor of CTAP2 as per bugzilla.mozilla.org/show_bug.… which got closed as wontfix 4 days ago with the comment "the u2f interface is being removed in favor of webauthn".

caniuse.com/webauthn translates to CTAP2 as per www.yubico.com/resources/gloss…

Support for CTAP2, and while CTAP1 is unofficially supported, CTAP is the W3C recommendation.
Web Authentication - Support #CTAP2 via USB HID (bugzilla.mozilla.org/show_bug.…) was added to v109 and got closed 2022-12.

The confusing part is that while Support CTAP2 via USB HID, which translates to using your YubiKey as an external factor while plugged into a USB port and used as a human interface device to confirm login, is implemented, login works in neither v109 nor v111.

And there our travels end... or so you thought. The rabbit hole - of course - goes much deeper. There's also github.com/mozilla/authenticat… which got closed in 2019. The person closing the issue does not remember why they closed the ticket. They were let go in 2020 (probably during the big cut) and were kind enough to follow up to questions on that GitHub issue after no longer being responsible, which is great. github.com/mozilla/authenticat… was filed to re-open the unfinished issue #33 which got closed. Then issue 33 got re-opened.

And there is [meta] Support CTAP2 (FIDO2) Passwordless Web Authentication: bugzilla.mozilla.org/show_bug.…

But that to me seems to cover much more than what I intended to use. After all, the login to Apple ID still requires email + password, so we are not talking about a passkey or passwordless login.

The best option currently is probably to watch bugzilla.mozilla.org/show_bug.… "Enable FIDO CTAP2 support in Firefox nightly" and once that is addressed, do another test round.

Sadly it seems Firefox is not there yet and as always patience is a virtue 😇

These posts get so little feedback I am wondering if anybody is reading them. Let me know. Also are you using a #Yubikey as #2FA or password replacement? Using #Passkeys already? And if yes, with which browser?
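
An added example, not code from any of the posts above: a small helper that checks whether a WebAuthn request could be served by a CTAP1/U2F-only browser stack such as the Firefox builds discussed here, using the CTAP1 fallback conditions from the CTAP2 specification (ES256 offered, no resident key required, no user verification required, and a non-empty allow list for assertions). The RP name, user record and challenge are constructed sample values.

```javascript
// Added example (not from any post above): decide whether a WebAuthn request can be
// served by a CTAP1/U2F-only stack, following the CTAP1 fallback rules in the CTAP2
// spec. U2F authenticators only sign with ES256, only test user presence (no user
// verification) and need a key handle from the RP (no discoverable credentials).
const ES256 = -7;

// Build creation options for a second-factor flow (CTAP1-compatible) or a
// passwordless flow (discoverable credential + user verification, CTAP2 only).
function buildCreationOptions({ passwordless, challenge, userId }) {
  return {
    challenge,
    rp: { name: "example.test" }, // constructed sample RP
    user: { id: userId, name: "alice", displayName: "Alice" }, // constructed sample user
    pubKeyCredParams: [{ type: "public-key", alg: ES256 }],
    authenticatorSelection: passwordless
      ? { residentKey: "required", requireResidentKey: true, userVerification: "required" }
      : { residentKey: "discouraged", userVerification: "discouraged" },
  };
}

// navigator.credentials.create(): CTAP1 fallback is only possible when ES256 is
// offered and neither a resident key nor user verification is required.
function creationNeedsCtap2(options) {
  const sel = options.authenticatorSelection || {};
  const params = options.pubKeyCredParams || [];
  const hasEs256 = params.some((p) => p.type === "public-key" && p.alg === ES256);
  const wantsResident = sel.residentKey === "required" || sel.requireResidentKey === true;
  const wantsUv = sel.userVerification === "required";
  return !hasEs256 || wantsResident || wantsUv;
}

// navigator.credentials.get(): CTAP1 needs at least one credential ID in
// allowCredentials and cannot perform user verification.
function assertionNeedsCtap2(options) {
  const allow = options.allowCredentials || [];
  return allow.length === 0 || options.userVerification === "required";
}

// Classify the two registration flows; the values below are constructed for illustration.
function classify() {
  const challenge = new Uint8Array(32); // an all-zero challenge stands in for a random one
  const userId = new Uint8Array([1, 2, 3, 4]);
  return {
    secondFactor: creationNeedsCtap2(buildCreationOptions({ passwordless: false, challenge, userId })),
    passwordless: creationNeedsCtap2(buildCreationOptions({ passwordless: true, challenge, userId })),
  };
}
```

A second-factor registration stays CTAP1-compatible, while the passwordless one (resident key plus user verification) cannot be satisfied until the browser speaks CTAP2.
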
eternaltyro
2022-12-12

@bitwarden @iamkale @mozilla yeah I know. But that's not really what I'm talking about. It is welcome progress nonetheless. Once lands their implementation, I'd like to see seamless passwordless authentication through passkeys or a security device.

2022-12-01

Tech-savvy Ops-type people of Mastodon, I have a desired UX question for you.

I would like to configure PAM on my Linux instances to *not* prompt me for a password when I sudo, but instead do a mobile app push. Like a passkey or Okta Verify or similar. I am *not* looking for a U2F/CTAP1/Yubikey-type solution. I am specifically looking for CTAP2 with a mobile app.

Does this exist yet? Everything I'm finding around PAM for this seems to be focused on U2F, not CTAP2.

#Ops #CTAP2 #Linux #Authentication
