@shye hi, does #OpenCloud natively supports #FIDO2?
File encryption is also not perfect?
https://github.com/orgs/opencloud-eu/discussions/253

Pitfalls:

1. When passing -O verify-required to ssh-keygen, you have to disable SSH authentication agent, e.g., using IdentityAgent none in your SSH config. This is a known bug.
2. If you are using custom key files (without id_ prefix), you need to explicitly define path to key file, e.g. using IdentityFile in the config.

#ssh #yubikey #fido2

I settled for non-resident keys. If anyone wants them, they have to torture me twice: once to get the FIDO PIN, and once to get the password to decrypt my hard disk, where the private keys reside.

#threatmodeling #ssh #fido2

If you ever mess up a `git commit --gpg-sign`, for example, because you connected the wrong FIDO key or none at all, you can find your old commit message under `.git/COMMIT_EDITMSG` before trying to commit again.

I'm a little embarrassed that I didn't realize this until this morning...

#git #fido #fido2

Heyo! My Laptop now requires one of my #FIDO2 keys in addition to my 20 char random password for creating a session.
Setting this up with pam was quite easy. Although I just wanted to try this out, I might let it stay in the config, as it doesn't hurt in any way. I carry one of my keys with me any way.

#linux #security

I need your wisdom:

SSH keys on Yubikey:

• Discoverable/Resident, or
• Non-Discoverable/Non-Resident

I really appreciate it, if you could also explain the rationale behind your choice.

Thanks.

#yubikey #ssh #fido2

Blogged: Set the amr claim when using passkeys authentication in ASP.NET Core

https://damienbod.com/2026/01/05/set-the-amr-claim-when-using-passkeys-authentication-in-asp-net-core/

#oauth #openid #openidconnect #iam #security #aspnetcore #dotnet #passkeys #fido2 #mfa

Weiß jemand, ob und wie #YunoHost mit #Fido2 bzw. #Passkey funktioniert?

I login maybe once a year on my domain registrar's website (Gandi). Something has changed in both Firefox/Chromium since last time, because neither of them accepted any of my Yubikeys anymore: it prompted for a PIN, and I don't remember setting one! (I set one on the OpenPGP application, but that PIN is not accepted for FIDO2).

Temporarily disabling FIDO2 allowed the login to succeed as documented here: https://support.yubico.com/s/article/Understanding-YubiKey-PINs https://support.yubico.com/s/article/Enabling-or-disabling-applications
Note that this does *not* reset FIDO2 (Which IIUC would delete the FIDO U2F key too).
In that case IIUC it uses FIDO U2F instead of FIDO2 with a PIN. Although this seems like a bug, why doesn't the browser offer me the option of using U2F when I reject providing a FIDO2 PIN? Clearly all this worked fine several years ago when I initially registered the Yubikeys.
#FIDO2 #Yubikey #U2F

Y una segunda sobre el protocolo FIDO2 y los autenticadores hardware. https://dropthefirewall.pages.dev/es/2025/12/fido2-passkeys-y-los-autenticadores-hardware/ #YubiKey #FIDO2 #MFA #IdentidadDigital #Autenticación #Ciberseguridad

Pünktlich zum #39C3 habe ich mein #Hardwaretoken #Howto erweitert um
#OpenSSH #Authentifizierung.

Ich zeige wie man sich an #SSH Servern einloggen kann mittels #FIDO2 Device Bound #Passkeys à la #Yubikey, #Nitrokey, #Token2 #Thetis etc.

Damit liegt der geheime Schlüssel im Passkey-Token und kann nicht ohne weiteres ausgelesen werden.

Außerdem zeige ich noch wie man einen 2. externen OpenSSH-Server nur für die Hardwaretoken konfiguriert.

Viel Spaß am Gerät

https://www.cryptomancer.de/posts/20251225-opensshfido2/

termius上还可以将fido2作为keychain
突然想起来大一上学期买了一个TrustKey T120
试着配置突然想起来自己忘记了PIN
去官网找到了reset方法和管理软件
PDF：https://www.trustkey.jp/manual/biomanager_user_manual_eng_v3.3.pdf
Download：https://www.trustkeysolutions.com/en/sub/support.form

ok重置好pin🔒和指纹🫆了

#trustkey #pin #fido2 #termius #t120 #pin #fingerprint #ssh

ich finde, Internetdienste bei denen ein Schaden entstehen kann (Kommunikation, Finanzen, Waren, Dienstleister) sollten IMMER Hauptschlüssel und physische Passkeys anbieten.

Es kann im Zeitalter von Big Data doch nicht sein, dass man mich zur Passwortwiederherstellung nach dem Geburtsnamen meines ersten Autos/Meerschweinchens/Mutter fragt! Bei Schantal vom Nagelstudio steht das alles vollständig auf Facebook!

#fido2 #passkey #windowshello

#Passkeys are everywhere nowadays
#windowshello #fido2 #androidpasskeys #token2

I myself switch to passkeys for any supported service. Have a look here if your services are supported: https://www.passkeys.io/who-supports-passkeys

Understanding why they're more secure and why they are able to be used in so many different shapes is not as easy.

Computerphile just released a greate video about the technology and the authentic flow:
https://www.youtube.com/watch?v=xYfiOnufBSk

Is this something #fido2 on a physical key device would solve? Maybe you mail your customers two keys (a spare and a regular) and have them register both? If one key ever gets lost, the person could contact you for a replacement or buy their own?

I actually looked at the NCSC guidance for this and was confused at how much they harped on the "ooooh, but people might not like if they have to pay for their own keys, and normally you wouldn't provide these keys for free!" If that's such a major flaw in the use of these hardware keys... why don't services build the cost of providing them in? weird

This week in #FDroid (TWIF) is live since yesterday:

* #EU #DMA for you and me
* @mimi89999 gives us a reason to activate #NFC #Passkeys #FIDO2
* get the app phone manufacturers hate: #CircleToSearch
* #PeerTube is ready for creators
* #QUIK #SMS got a new appid, did you switch yet?
+ 19 new apps
& 160 updates
- 2 app archived

Touch that special place: https://f-droid.org/2025/12/18/twif.html

RE: https://infosec.exchange/@firstyear/115732757007000830

I have to wholeheartedly agree.

While I do like passkeys, I do like Webauthn & CTAP – the user experience sucks. On my new Android phone I would like to just login again - most of my passkeys are stored on my Yubikey.

Yet most apps randomly do or do not allow me to use it. Sometimes they want to force the password manager. For logging into my Microsoft mail account I was only allowed to select my password manager, although I only have registered my Yubikey. After log in (with password+TOTP) it started the registration flow to store a passkey in my password manager twice.

The only app that did it right is Discord: It asks of you want to use a password manager, the system native implantation (Google, I guess?) or a hardware key for registration and login. Yet I have no idea why this dialogue is not offered by the OS itself.

#Passkey #webauthn #fido2

@thoralf

Kann deine Einschätzung 100% verstehen. Ich habe mich für die Option Vpn only entschieden, da die Apps den letzten Stand cachen.
Geräte mit Addin (Notebook) ist in meinem Fall immer mit über Vpn mit meinem Exit Node verbunden. Dadurch habe ich weitere Features wie Web Filter und meine heimische Firewall.

Generell habe ich folgende Ideen:
- Nutzung von #fido #fido2 -Stick/ #passkey
- #cloudflare Zero Trust Tunnel mit Access-Filter

Gib gerne ein Update wie du dich entschieden hast.

Passwords are yesterday’s defense. 🔐

Hardware security keys using FIDO2/WebAuthn give you phishing resistant logins with a tap, and they work across major services like Google, Microsoft, and many password managers.​

New TechGlimmer guide explains:

How hardware keys work

Why they are stronger than SMS or app codes

What to look for (USB‑C, NFC, platform support) when choosing a key.​

Read more: https://techglimmer.io/learn-about-hardware-keys-guide/

#SecurityKeys #Passkeys #FIDO2 #WebAuthn #InfoSec #Privacy

Wow! I've just discovered that it's possible to use Secure Element as #u2f in GrapheneOS via hw-fido2-provider [1] (btw, thank you @S1m) in Vanadium even without any external token. Successfully added my Pixel smartphone as second factor device to my addy.io account. It works finally!

1. https://codeberg.org/s1m/hw-fido2-provider

#GrapheneOS #vanadium #vanadiumbrowser #fido2 #u2f #addyio #AnonAddy