Hey, today I wanted to use my @nitrokey #nitrokey3 but I recognise that it does not support Smartcard over #NFC (just #fido #webauthn).
Facebook introduces passkeys - secure login via fingerprint or PIN
#technews #meta #messenger #datenschutz #facebook #sicherheit #passkeys #login #fido #biometrie
Fido is increasing prices for some customers by $5/month.
Me: People, check your invoices!
https://mobilesyrup.com/2025/06/18/fido-increasing-some-customer-bills-by-5/
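I tried installing #SBI証券スマートアプリ (the SBI Securities smart app), but it is a seriously flawed app.
Isn't #FIDO supposed to be secure because it treats something you own as the key? And yet it lets you log in just by having another device, one that is not registered as a key, read an authentication code generated in the app. What kind of decision is that? That is no different from the risk of scams where a fake site goes after codes sent via SNS or email.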
#SBI証券
Just read a great blog post by @dennis_kniep about a novel Device Code #phishing technique that can bypass even #FIDO 😱
The attack dynamically starts the #OAuth flow when the victims click a link, uses a headless browser to automate code entry - eliminating the usual 10-minute window.
Even worse: Victims authenticate on the real website, so there's no suspicious URL to tip them off.
Great technical write-up with PoC included 👏
https://denniskniep.github.io/posts/09-device-code-phishing/
Does somebody know *why* CTAP2.x ("FIDO2") tokens do not authenticate the key exchange to protect the transmitted PIN from the client device to the authenticator?
Background: When you enter your PIN for a FIDO2 authenticator (e.g. Yubikey), the PIN is encrypted, and only a truncated SHA-256 hash is transmitted. The encryption key is chosen by an unauthenticated ephemeral ECDH key exchange. As the PINs usually have low entropy, they can be brute forced by an attacker who performs an active MITM attack.
Some smart cards (e.g. the German eID or other Biometric Passports) use PACE nowadays to protect such a key exchange with a PIN or another low-entropy secret (such as the document number) - other password authenticated key exchanges (PAKEs) would certainly be possible as well.
Are active MITM attacks considered to be negligible for the common transports (USB, NFC, Bluetooth) of WebAuthn? Or are there other reasons why a PAKE is not used?
If we want a passwordless future, let's get our passkey story straight
Passkeys are based on public key cryptography, where two keys are paired. One key is public and can be shared with anyone, while the other is private and shared with no one.
#passkey #password #paswords #fido #cryptography #security #cybersecurity #infosec
https://www.zdnet.com/article/if-we-want-a-passwordless-future-lets-get-our-passkey-story-straight/
💡 Microsoft: new accounts without a password and with passkeys by default
https://gomoot.com/microsoft-nuovi-account-senza-password-e-con-passkey-di-default/
#blog #fido #fido2 #microsoft #news #password #passwordless #picks #tech #tecnologia #windows
Mobile tethering becomes a paid add-on for new signups to Fido.
https://www.iphoneincanada.ca/2025/04/15/fido-starts-charging-for-tethering-hotspot-no-longer-free/
I'm sure there is a simple, totally obvious reason (no trusted central authority problem?) but it seems kind of strange to me that the #Fediverse doesn't allow me to truly use a single login across services via some kind of #FIDO compliant magic, considering that almost everyone is an #infosec person and/or developer. Admittedly, I haven't thought about this too deeply. Also, where's passkey support? #saml #sso
Rogers to charge their customers (including Fido) $3/month for 2G and 3G access. It will not apply if the phone connects to 4G or 5G. Network to shut down starting 31 July 2025.
https://mobilesyrup.com/2025/04/07/rogers-fido-3g-fee-may/
Rogers raising some of its mobile user plan prices by $3-4/month across their Rogers and Fido brands.
https://mobilesyrup.com/2025/03/17/rogers-fido-3-dollar-price-hike-april/
“They turn your enemies” – Singer Fido Warns Artists About Exploitative Marketing Firms, Alleges Unfair Practices: Fast-rising singer Fido has warned fellow musicians about deceptive marketing companies, accusing them of manipulating artists into believing they owe their success to these firms. Fido’s Warning to Artists In a post on X, Fido stated:👉🏽 “Marketing company go make you feel like na them… https://creebhills.com/2025/03/fido-warns-artists-about-exploitative?utm_source=dlvr.it&utm_medium=mastodon #Fido #MusicIndustry #ArtistRights #MarketingEthics #DeceptiveMarketing
@TechConnectify Thank you so much for this video. I just watched it and it rings *every* bell. Mastodon is the only social network where I'm "active", apart from that I use #RSS feeds that I picked very well. I try to use my own brain.
It was such a pleasure to listen to you, especially in times like these. Thank you once more.
(But I miss good, ancient #FIDO-net, I must admit)
People who use hardware security keys: Storing them in geographically diverse locations is a wise move but makes it impossible to quickly onboard. How do you keep track of where you’ve registered each key? A checklist in a spreadsheet is obvious but cumbersome. Is there a better way? (Yes I use passkeys extensively but for certain services like email, iCloud, and my password manager, a hardware option is desirable if not mandatory.) #YubiKey #YubiKeys #FIDO #FIDO2 #FIDOKey #FIDOKeys #Security