Fido2 is two factor authentication. Something you have (the Authenticator) and something you are (eg. the biometric fingerprint). I don't know why all "experts" claim that Fido2 is one factor authentication only...
@dotnetsheff At 30:00 you explain the example of the private key being encrypted and send to RP and later back to be unwrapped by the burnt-in key of the authenticator. This for the purpose of second factor authentication. Why not let the authenticator generate a random string/nonce/challenge and wrap that up? And later on decrypt it with the burnt-in key of the authenticator? This is a simple thought that probably overlooks something. But enlighten me please. Thanks for the excellent explanation by the way. By far the most and complete video out there about passwordless and the concept and details behind.
Thank you for this wonderful informative session on FIDO2. Can you please help me with my query that I'm trying to find an answer to: How to verify the attestation trust even after receiving a encrypted private key back in response, when we use FIDO2 key?
This is great and all, but what security wonks don't seem to grok is that when I'm building a business solution (web site, mobile app, etc.) what I want is _HOW_DO_I_IMPLEMENT_THIS_? I don't care that much about the underlying tech. I trust that people who love crypto and security stuff will have poured over it, and it works as it should. My focus is on USING IT. Don't bury the lead -- show me a "hello world" version of it being used, and THEN tell me all this detail (if I care about it). There's a reason "hello world" is a standard programming pattern -- it breadcrumbs you in to using something.
it is a genuine work of art made FIDO2 cybersecurity THANKS for the explanation 🤓
Thank you for the explanation of the signature.
Fido2 is two factor authentication. Something you have (the Authenticator) and something you are (eg. the biometric fingerprint). I don't know why all "experts" claim that Fido2 is one factor authentication only...
@dotnetsheff
At 30:00 you explain the example of the private key being encrypted and send to RP and later back to be unwrapped by the burnt-in key of the authenticator. This for the purpose of second factor authentication.
Why not let the authenticator generate a random string/nonce/challenge and wrap that up? And later on decrypt it with the burnt-in key of the authenticator? This is a simple thought that probably overlooks something. But enlighten me please.
Thanks for the excellent explanation by the way. By far the most and complete video out there about passwordless and the concept and details behind.
Thank you for this wonderful informative session on FIDO2.
Can you please help me with my query that I'm trying to find an answer to:
How to verify the attestation trust even after receiving a encrypted private key back in response, when we use FIDO2 key?
Do I need to set password not to expire on AD users account if we are using FIDO key login to Windows computer with Azure AD? please advise.
Algorithm.
This is great and all, but what security wonks don't seem to grok is that when I'm building a business solution (web site, mobile app, etc.) what I want is _HOW_DO_I_IMPLEMENT_THIS_? I don't care that much about the underlying tech. I trust that people who love crypto and security stuff will have poured over it, and it works as it should. My focus is on USING IT. Don't bury the lead -- show me a "hello world" version of it being used, and THEN tell me all this detail (if I care about it). There's a reason "hello world" is a standard programming pattern -- it breadcrumbs you in to using something.