https://techcrunch.com/2018/04/10/fido-alliance-and-w3c-have-a-plan-to-kill-the-password/
This looks interesting. By now it’s crystal clear to just about everyone that the password is a weak form of authentication but used a lot. Today, two standards bodies, FIDO and W3C announced a way that looks better, a new password free protocol for the web called WebAuthn. The major browser makers including Google, Mozilla and Microsoft have all agreed to support. The system uses an external authenticator such as a security key or you mobile phone. Unfortunately WebAuthn is not quite ready for final release just yet.
84 Comments
Tomi Engdahl says:
Russell Brandom / The Verge:
FIDO Alliance and W3C announce WebAuthn, a new open standard for password-free logins, currently supported in Firefox, and to be supported in Chrome and Edge
Chrome and Firefox will support a new standard for password-free logins
One small step towards a world without phishing
https://www.theverge.com/2018/4/10/17215406/webauthn-support-chrome-firefox-edge-fido-password-free
Web browsers are building a new way for you to log in, announced today by the W3C and FIDO Alliance standards bodies. Called WebAuthn, the new open standard is currently supported in the latest version of Firefox, and will be supported in upcoming versions of Chrome and Edge slated for release in the next few months.
Today’s announcement the latest step in a years-long effort to move users away from passwords and toward more secure login methods like biometrics and USB tokens. The system is already in place on major services like Google and Facebook, where you can log in using a Yubikey token built to the FIDO standard.
https://www.yubico.com/
Tomi Engdahl says:
Support for FIDO2 Passwordless Authentication Added to Android
https://www.securityweek.com/support-fido2-passwordless-authentication-added-android
Google and FIDO Alliance on Monday announced that it is now easier for developers to provide passwordless authentication features for their Android websites and apps as a result of Android becoming FIDO2 Certified.
The FIDO2 Project comprises the W3C’s Web Authentication (WebAuthn) specification, which provides a standard web API that enables online services to use FIDO authentication, and the Client-to-Authenticator Protocol (CTAP), which enables devices such as FIDO security keys and smartphones to serve as authenticators via WebAuthn.
Now that Android has become FIDO2 Certified, it will be easier for developer to enable users to log into apps and websites using their Android device’s built-in fingerprint sensor and/or FIDO security keys.
The FIDO2 certification has been granted to devices running Android 7 and later. New devices will be certified out of the box, while existing devices will include FIDO2 support after an automated Google Play Services update. Since a Google Play Services update is used to roll out FIDO2 support, users will not have to wait on their device’s manufacturer to benefit from passwordless authentication capabilities.
The use of FIDO authentication, which can be implemented by developers via a simple API call, increases protection against phishing, man-in-the-middle (MitM) and other types of attacks.
Tomi Engdahl says:
MWC 2019: Your future Android phone, apps will need no password
https://www.zdnet.com/article/your-future-android-phone-apps-will-need-no-password/
FIDO2 certification is paving the way for passwordless mobile security.
Tomi Engdahl says:
W3C finalizes Web Authentication (WebAuthn) standard
https://www.zdnet.com/article/w3c-finalizes-web-authentication-webauthn-standard/
WebAuthn is already support on Windows 10, Android, Chrome, Edge, Firefox, and soon on Safari.
Today, the World Wide Web Consortium (W3C), the organization behind all web standards, has formally promoted the Web Authentication API to the title of official web standard.
WebAuthn is what security experts are calling a passwordless authentication system and what they see as the future of user account security.
WebAuthn allows users to register and authenticate on websites or mobile apps using an “authenticator” instead of a password.
Development on the WebAuthn standard started back in November 2015, after the FIDO (Fast IDentity Online) Alliance donated the FIDO 2.0 Web API to the W3C.
The original FIDO 2.0 Web API is already supported by browsers and online services. It’s what currently allows users to use secret tokens stored on YubiKey USB thumb drives (aka hardware security keys) to log into websites such as Google, Facebook, Dropbox, AWS, GitHub, YouTube, and others.
The WebAuthn API is an upgrade of the old FIDO 2.0 Web API and will support a multitude of other authentication systems besides USB-stored security keys –including biometrics.
Tomi Engdahl says:
W3C finalizes Web Authentication (WebAuthn) standard
https://www.zdnet.com/article/w3c-finalizes-web-authentication-webauthn-standard/
WebAuthn is already support on Windows 10, Android, Chrome, Edge, Firefox, and soon on Safari.
Tomi Engdahl says:
You. Shall. Not. Pass… word: Soon, you may be logging into websites using just your phone, face, fingerprint or token
Just don’t lose your hardware keys
https://www.theregister.co.uk/2019/03/05/web_authentication/
At 2004′s RSA Conference, then Microsoft chairman Bill Gates predicted the death of the password because passwords have problems and people are bad at managing them. And fifteen years on, as RSA USA 2019 gets underway in San Francisco this week, we still have passwords.
But the possibility that internet users may be able to log into websites without typing a password or prompting a password management app to fill in the blanks has become a bit more plausible, with the standardization of the Web Authentication specification.
Tomi Engdahl says:
https://www.technotification.com/2019/03/w3c-webauthn-approved.html
Tomi Engdahl says:
Windows Hello Support Added to Firefox 66
https://www.securityweek.com/windows-hello-support-added-firefox-66
Mozilla this week released Firefox 66 with support for Windows Hello for Web Authentication on Windows 10, as well as with patches for 21 vulnerabilities.
The newly added support for Windows Hello should provide users with a passwordless experience on the web, but also with increased security, Mozilla says.
“Firefox users on the Windows Insider Program’s fast ring can use any authentication mechanism supported by Windows for websites via Firefox. That includes face or fingerprint biometrics, and a wide range of external security keys via the CTAP2 protocol from FIDO2, as well as existing deployed CTAP1 FIDO U2F-style security keys,” Mozilla says.
Passwordless Web Authentication Support via Windows Hello
https://blog.mozilla.org/security/2019/03/19/passwordless-web-authentication-support-via-windows-hello/
Tomi Engdahl says:
Stephen Shankland / CNET:
Google updates its login system with support for FIDO2, allowing users to log into its services with hardware security keys on Firefox and Edge
Google’s most secure login system now works on Firefox and Edge, too
https://www.cnet.com/news/google-login-hardware-security-keys-now-work-on-firefox-and-edge-too/
Better hardware security key support means our post-password future is one step closer to reality.
Yubico’s hardware security keys let you log on without a password on sites, apps and devices that support the FIDO2 authentication technology.
But now Google updated its login with the newer, broader standard of FIDO2 and its incarnation for websites, WebAuthn.
Tomi Engdahl says:
Your Android phone can now double as a security key
An extra layer of security never hurt anybody, and now you can turn your phone into a physical security key
https://www.welivesecurity.com/2019/04/16/android-phone-security-key/
Google has announced that any smartphone running Android 7.0 (Nougat) or later can now be used as a hardware security key for two-factor authentication (2FA).
Available in beta at the moment, the new feature is intended to provide an additional authentication factor and keep Google account users safe from phishing scams and other attacks that attempt to steal people’s login credentials. It can be used to protect your personal Google accounts, as well as Google Cloud Accounts at work.
The ultimate account security is now in your pocket
https://www.blog.google/technology/safety-security/your-android-phone-is-a-security-key/
Tomi Engdahl says:
You can now use your Android phone as a 2FA security key for Google accounts
https://venturebeat.com/2019/04/10/you-can-now-use-your-android-phone-as-a-2fa-security-key-for-google-accounts/
Tomi Engdahl says:
Google Cloud Blog:
Android’s “security key” feature, allowing Android 7.0+ devices to be used for 2FA to login to Google accounts, is now generally available
Now generally available: Android phone’s built-in security key
https://cloud.google.com/blog/products/identity-security/now-generally-available-android-phones-built-in-security-key
Phishing—when an attacker tries to trick you into turning over your online credentials—is one of the most common causes of security breaches. At Google Cloud Next ‘19, we enabled you to help your users defend against phishing with a security key built into their Android phone, bringing the benefits of a phishing-resistant two-factor authentication (2FA) to more than a billion users worldwide. This capability is now generally available.
While Google automatically blocks the overwhelming majority of malicious sign-in attempts (even if an attacker has a username or password), 2FA, also known as 2-Step Verification (2SV), considerably improves user security. At the same time, sophisticated attacks can skirt around some 2FA methods to compromise user accounts. We consider security keys based on FIDO standards, including Titan Security Key and Android phone’s built-in security key, to be the strongest, most phishing-resistant methods of 2FA. FIDO leverages public key cryptography to verify a user’s identity and URL of the login page, so that an attacker can’t access users’ accounts even if users are tricked into providing their username and password.
Tomi Engdahl says:
Liam Tung / ZDNet:
Microsoft says it has gained FIDO2 certification for Windows Hello, Windows 10′s biometric authentication system, for the Windows 10 May 2019 update — Microsoft moves 800 million people closer to a no-password world. — Microsoft has passed another milestone on its quest to kill off passwords.
Windows 10 says Hello to no passwords with FIDO2 certification
https://www.zdnet.com/article/windows-10-says-hello-to-no-passwords-with-fido2-certification/
Microsoft moves 800 million people closer to a no-password world.
Microsoft has passed another milestone on its quest to kill off passwords. The company has now gained official FIDO2 certification for Windows Hello, the Windows 10 biometric authentication system.
The certification applies to Windows 10 version 1903, aka the May 2019 Update, which is scheduled to be released to the public in late May and means Windows Hello has been approved as a FIDO2 ‘authenticator’.
Windows Hello offers Windows 10 users access to their devices by using a fingerprint or facial-recognition sensors on the PC as well as PINs.
“No one likes passwords (except hackers),” says Yogesh Mehta, group manager for Microsoft’s crypto, identity and authentication team in Azure Core OS.
Tomi Engdahl says:
Advisory: Security Issue with Bluetooth Low Energy (BLE) Titan Security Keys
https://security.googleblog.com/2019/05/titan-keys-update.html
We’ve become aware of an issue that affects the Bluetooth Low Energy (BLE) version of the Titan Security Key available in the U.S. and are providing users with the immediate steps they need to take to protect themselves and to receive a free replacement key. This bug affects Bluetooth pairing only, so non-Bluetooth security keys are not affected. Current users of Bluetooth Titan Security Keys should continue to use their existing keys while waiting for a replacement, since security keys provide the strongest protection against phishing.
Tomi Engdahl says:
Catalin Cimpanu / ZDNet:
Yubico says it will replace some security keys used by US government and others due to a bug that reduces the randomness of cryptographic keys generated
Yubico to replace vulnerable YubiKey FIPS security keys
https://www.zdnet.com/article/yubico-to-replace-vulnerable-yubikey-fips-security-keys/
Yubico staff discovers bug in YubiKey FIPS Series keys; offers replacements for affected customers.
Affected products include models part of the YubiKey FIPS Series, a line of YubiKey authentication keys certified for use on US government networks (and others) according to the US government’s Federal Information Processing Standards (FIPS).
Boot-up bug temporarily reduces crypto key randomness
Not a big deal, but not something to ignore either
For example:
- an RSA key may be impacted by up to 80 predictable bits out of a minimum of 2048 bits
- for ECDSA signatures, the nonce K becomes significantly biased with up to 80 of the 256 bits being static, resulting in weakened signatures
- for ECC key generation, the key may be impacted by up to 80 predictable bits out of the minimum 256-bit key length
- for ECC encryption,16 bits of the private key becomes known
All in all, the danger of an attacker exploiting this vulnerability is low, because of the complex requirements for intercepting the authentication operations and then breaking the rest of the cryptographic key.
Tomi Engdahl says:
Somu is a tiny FIDO2 security key for two-factor authentication.
Finally, an Open Source Nano Security Key
https://blog.hackster.io/finally-an-open-source-nano-security-key-a8acb44ceca0
Hardware security keys have been around for a while now. These devices work in conjunction with a password to enable two-factor authentication on websites like Google, Twitter, and GitHub — allowing for a more secure login process. But most popular security keys, like the Yubikey, are closed sourced
now with the introduction of Somu, an open sourced alternative, tinkers are free to run wild
The secret behind the Somu security key is — there are no secrets. SoloKeys, the company behind Somu, has released all of their software and hardware files for their devices to the open source community on GitHub.
The Somu has a completely reprogrammable STM32L4 on it, as well as an RGB LED and two buttons.
https://github.com/solokeys/solo
Tomi Engdahl says:
Does anyone trust Google on the security of this completely sealed USB-C security device? It seems to me that this would be a great way to pass a backdoor to… parties… that would like backdoor access to your security. Thoughts?
Google launches USB-C Titan security key
https://www.techradar.com/uk/news/google-launches-usb-c-titan-security-key
New USB-C security key will be available on Google’s store for $40
Tomi Engdahl says:
OpenSK is Google’s open source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.
Say “Hello” to OpenSK
An open sourced key implementation from Google.
https://www.hackster.io/news/say-hello-to-opensk-2ede5129299c
If a website or service offers it, you should should definitely be using two-factor authentication (2FA) to log on. Most of the major sites these days, like Google, Twitter, Facebook, and Apple’s iCloud provide some form of 2FA.
recently, there have been a number of open source efforts to build keys, like the Somu and Solo keys.
Announced earlier today by Google, OpenSK joins these open source offerings. However unlike the projects we’ve seen to date, OpenSK is source code only. A FIDO2 authenticator implementation written in Rust as a Tock OS application, that supports both FIDO U2F and FIDO2 standards. OpenSK has been tested on the Nordic nRF52840 Dongle, but should be easily ported to other hardware.
Say hello to OpenSK: a fully open-source security key implementation
https://security.googleblog.com/2020/01/say-hello-to-opensk-fully-open-source.html?m=1
By opening up OpenSK as a research platform, our hope is that it will be used by researchers, security key manufacturers, and enthusiasts to help develop innovative features and accelerate security key adoption.
With this early release of OpenSK, you can make your own developer key by flashing the OpenSK firmware on a Nordic chip dongle. In addition to being affordable, we chose Nordic as initial reference hardware because it supports all major transport protocols mentioned by FIDO2: NFC, Bluetooth Low Energy, USB, and a dedicated hardware crypto core. To protect and carry your key, we are also providing a custom, 3D-printable case that works on a variety of printers.
Tomi Engdahl says:
Make your own hardware security key by flashing Google’s new OpenSK firmware on a Nordic Semiconductor ASA nRF52840 Dongle.
Say “Hello” to OpenSK
An open sourced key implementation from Google.
https://www.hackster.io/news/say-hello-to-opensk-2ede5129299c
If a website or service offers it, you should should definitely be using two-factor authentication (2FA) to log on. Most of the major sites these days, like Google, Twitter, Facebook, and Apple’s iCloud provide some form of 2FA.
the second method range from a temporary code sent to your phone via SMS, or using an authenticator app that generates a time-based one-time password (TOTP). However there is a less common, but generally more secure method, and that is using a hardware key.
For myself, I use Yubikey
But recently, there have been a number of open source efforts to build keys, like the Somu and Solo keys
OpenSK joins these open source offerings. However unlike the projects we’ve seen to date, OpenSK is source code only. A FIDO2 authenticator implementation written in Rust as a Tock OS application, that supports both FIDO U2F and FIDO2 standards. OpenSK has been tested on the Nordic nRF52840 Dongle, but should be easily ported to other hardware.
Today’s release is an interesting move by Google. Their authenticator app is also, at least partially, also open source although the open source code has diverged from the version Google publishes to the App Stores.
Tomi Engdahl says:
Yubico is making it easier for businesses to buy its YubiKeys
https://www.engadget.com/2020/02/04/yubico-business-yubikey-enterprise-security-key/
A growing number of companies are looking at hardware authentication security keys as a trusted and convenient way to protect sensitive corporate data. Indeed, Google has recently launched an open source project to help advance the uptake of this technology. But for companies with hundreds of employees, ensuring the right people have the right keys can be a huge logistical undertaking and added expense. As such, security key maker Yubico has launched an enterprise service to help businesses integrate the tech into their operations more easily.
Tomi Engdahl says:
Safely Navigate the Web with URU Key, a FIDO2 Authenticator
https://www.hackster.io/news/safely-navigate-the-web-with-uru-key-a-fido2-authenticator-3fc6095b86fb
URU Key is a small, custom FIDO2 authenticator that uses a fingerprint scanner to authenticate yourself on WebAuthN-enabled websites.
. A standard called FIDO2 WebAuthN allows users to login to their accounts online using their biometrics, mobile devices, or FIDO security keys — and with much higher security over passwords alone. Andrey Ovcharov, a hobbyist electrical engineer, is working on implementing a custom FIDO2 Authenticator with his hardware project URU Key.
URU Key – an ESP32 FIDO2 Authenticator
https://en.ovcharov.me/2020/02/02/uru-key-esp32-fido2-authenticator/
Tomi Engdahl says:
OpenSSH adds support for FIDO/U2F security keys
OpenSSH 8.2 adds support for authentication via FIDO/U2F protocols, most commonly used with hardware security keys.
https://www.zdnet.com/article/openssh-adds-support-for-fidou2f-security-keys/
Tomi Engdahl says:
Apple joins FIDO Alliance, commits to getting rid of passwords
https://www.zdnet.com/article/apple-joins-fido-alliance-commits-to-getting-rid-of-passwords/
Tomi Engdahl says:
OpenSSH now supports FIDO U2F security keys for 2-factor
authentication
https://thehackernews.com/2020/02/openssh-fido-security-keys.html
You can now use a physical security key as hardware-based two-factor
authentication to securely log into a remote system via SSH protocol.
Tomi Engdahl says:
https://www.securityweek.com/google-brings-titan-security-keys-more-countries
Tomi Engdahl says:
Password killer FIDO2 comes bounding into Azure Active Directory
hybrid environments
https://www.theregister.co.uk/2020/02/25/fido2_azure_ad_hybrid/
Tomi Engdahl says:
Safely Navigate the Web with URU Key, a FIDO2 Authenticator
URU Key is a small, custom FIDO2 Authenticator that uses a fingerprint scanner to authenticate yourself on WebAuthN-enabled websites.
https://www.hackster.io/news/safely-navigate-the-web-with-uru-key-a-fido2-authenticator-3fc6095b86fb
Tomi Engdahl says:
Best security keys in 2020: Hardware-based two-factor authentication
for online protection
https://www.zdnet.com/article/best-security-keys/
Being sensible when it comes to passwords is important, and a crucial
step to securing your online life. However, some of your online
accounts — for example, your Google Account or Dropbox — might be so
important and contain such a wealth of information that you might want
to take additional steps to protect it.
Tomi Engdahl says:
https://hackaday.com/2020/02/21/this-week-in-security-dnssec-temporarily-lost-their-keys-fido-and-one-weird-windows-trick/
Tomi Engdahl says:
https://www.theverge.com/2019/2/22/18235173/the-best-hardware-security-keys-yubico-titan-key-u2f
Tomi Engdahl says:
https://solokeys.com/
https://www.dustinhome.fi/product/5010932411/yubikey-security-key-u2f-fido2?ssel=true&priceinclusivevat=1&LGWCODE=5010932411;135749;5443&gclid=EAIaIQobChMIzP2onMLj5wIV0qiaCh3K-QOgEAQYASABEgLaNPD_BwE
Tomi Engdahl says:
https://www.yubico.com/authentication-standards/fido2/
Tomi Engdahl says:
Get Me out of Password Hell
https://www.eetimes.com/get-me-out-of-password-hell/
Back in 2013 there were articles about how many people used 1234 as a password. A Vice article from 2017 said that had changed: 3% of people then used 123456. A bunch even used “Password” as a password. Yeesh.
It’s still a problem today. A recent study from Clario, a company launching a digital security and privacy app this month, said more than three-quarters of millennials use the same password for more than 10 different devices, apps, and accounts; some have even admitted to using the same password more than 50 different places.
I’m amused on crime shows when a sleuth successfully guesses the subject’s password when breaking into a laptop. It’s always something like a pet’s name or a birthday. One show said the whole family shared a password.
But I’m not a password-denier. I know I need ‘em … and strong ones, too. So now I’m looking into options beyond my handwritten passwords and secret files.
I know people who use the free version of LastPass as a password manager. It sounds great to have one master account password that’s able to store and fill in all the passwords I use, but I start to twitch when I think of giving over my sacred codes to anything more sensitive than The Atlantic. My checking account? I don’t think so. Then there’s the manual labor involved: looking up the passwords, trying to decipher my secret coding schemes and then typing them all in one by one.
FIDO coming to rescue?
I was heartened recently when I read about FIDO (Fast IDentity Online ) Alliance, an open industry association with the mission to unite consumers and service providers around an authentication standard and “remedy the problems users face with creating and remembering multiple usernames and passwords.” Bingo!
The alliance announced in May a new website to educate consumers and service providers on the benefits of what FIDO calls “simpler, stronger user authentication.” The alliance’s inaugural conference, Authenticate, was due to take place this week in Seattle. Alas, like nearly every trade event scheduled since MWC 2020 in February, it was shelved, now planned for Nov. 11-12.
Each device/website pairing with FIDO requires separate registration and a separate cryptographic key pair. Once registered, a user can authenticate to multiple sites from the same device, but each site has no knowledge of the user interactions with other sites. The client’s private keys can be used only after they are unlocked locally on the phone by the user, using a secure, “user-friendly” action such as swiping a finger, entering a PIN, speaking into a mic, using two-factor authentication or pressing a button.
Tomi Engdahl says:
TurtleAuth: Let’s Make a DIY GPG USB Key
Made my own GPG USB key instead of buying one.
https://www.hackster.io/TheStaticTurtle/turtleauth-let-s-make-a-diy-gpg-usb-key-ae18ed
Tomi Engdahl says:
Best security keys in 2020: Hardware-based two-factor authentication for online protection
https://www.zdnet.com/article/best-security-keys/
While robust passwords go a long way to securing your valuable online accounts, hardware-based two-factor authentication takes that security to the next level.
Best password managers for business in 2020: 1Password, Keeper, LastPass, and more
https://www.zdnet.com/article/best-password-managers/
Everyone needs a password manager. It’s the only way to maintain unique, hard-to-guess credentials for every secure site you and your team access daily.
Tomi Engdahl says:
A 2mm-thin ESP32-based Bluetooth authenticator with built-in keypad and OLED display.
URU Card Brings FIDO2 Authentication to Your Wallet
https://www.hackster.io/news/uru-card-brings-fido2-authentication-to-your-wallet-34c5a3a4523c
A 2mm-thin ESP32-based Bluetooth authenticator with built-in keypad and OLED display
Self-proclaimed “hobbyist hardware enthusiast” Andrey Ovcharov wanted a Bluetooth FIDO2 authenticator, so he did what any self-respecting hacker would do: grabbed an ESP32 dev board and created a prototype. As he continued to iterate on the design, he added an ATECC508A secure element, and eventually a FPC1020AP capacitive fingerprint scanner.
So Ovcharov reimagined the device as credit-card sized PCB! Replacing the fingerprint scanner with a simple capacitive touch keyboard
As we go to press, Ovcharov has implemented the BLE server and FIDO2 endpoints, but it is not yet fully functional. The PCB design is available for interested potential contributors, although anyone can reproduce the project using an ESP32 DevKit and the required parts.
https://github.com/uru-card/uru-card-pcb
Tomi Engdahl says:
https://hackaday.com/2020/07/23/hands-on-wireless-login-with-the-new-mooltipass-mini-ble-secure-password-keeper/
Tomi Engdahl says:
PIN Bypass in Passwordless WebAuthn on microsoft.com and Nextcloud
https://hwsecurity.dev/2020/08/webauthn-pin-bypass/
Tomi Engdahl says:
DiceKeys Aim to Bring Some Physical Entropy and Security to Open Source Two-Factor Authentication
A modern twist on the diceware concept, DiceKeys and SoloKeys could be the solution to an age-old problem of secure entropy.
https://www.hackster.io/news/dicekeys-aim-to-bring-some-physical-entropy-and-security-to-open-source-two-factor-authentication-1eed58eab716
Tomi Engdahl says:
Best security keys in 2020: Hardware-based two-factor authentication for online protection
https://www.zdnet.com/article/best-security-keys/
While robust passwords go a long way to securing your valuable online accounts, hardware-based two-factor authentication takes that security to the next level.
Tomi Engdahl says:
New YubiKey 5C NFC Security Key Brings NFC, USB-C Connections
https://www.securityweek.com/new-yubikey-5c-nfc-security-key-brings-nfc-usb-c-connections
Yubico on Wednesday announced the release of YubiKey 5C NFC, the latest YubiKey 5 series security key, which allows users to authenticate through either near-field communication (NFC) or USB-C.
Yubico has been offering hardware-based authentication solutions with both NFC and USB-C, but this is the first device that combines both — the company says this is one of its “most sought-after security keys.”
The YubiKey 5C NFC can be used to authenticate on many email, IAM, VPN, social media, collaboration, and password management services accessed through smartphones, laptops and desktop computers running Windows, macOS, Linux, Android or iOS.
The list of supported authentication protocols includes FIDO2 (WebAuthn), FIDO U2F, PIV, OATH-HOTP and OATH-TOTP, OpenPGP, YubiOTP, and challenge-response.
The YubiKey 5C NFC, sold for $55, is protected against physical damage by a fiberglass-reinforced body and military-grade hardened gold. It’s also advertised as water- and crush-resistant.
https://www.yubico.com/product/yubikey-5c-nfc
Tomi Engdahl says:
https://techcrunch.com/2020/09/09/yubico-reveals-new-yubikey/
Tomi Engdahl says:
YubiKey 5C NFC: The USB security key that everyone’s been waiting for
Yubico releases the world’s first security key to feature dual USB-C and NFC connections and support for multiple authentication protocols.
https://www.zdnet.com/article/the-usb-security-key-that-everyone-has-been-wanting/
Tomi Engdahl says:
This is good news for the FIDO2 ecosystem
https://webkit.org/blog/11312/meet-face-id-and-touch-id-for-the-web/
Tomi Engdahl says:
Solo, the First Open Source FIDO2 Security Key, Is Back with a More Robust, Rust-Powered Upgrade
https://www.hackster.io/news/solo-the-first-open-source-fido2-security-key-is-back-with-a-more-robust-rust-powered-upgrade-4121931d655e
Rewritten in Rust and boasting better electronics, including a tenfold boost in NFC performance, Solo V2 could be the ultimate security key.
Tomi Engdahl says:
Open Authenticator
An Open Source TOTP based hardware authenticator using ESP32.
https://hackaday.io/project/176959-open-authenticator
Tomi Engdahl says:
Picoth Is a Raspberry Pi Pico-Based 2FA Gadget
https://www.hackster.io/news/picoth-is-a-raspberry-pi-pico-based-2fa-gadget-9d6dc81a8043
Angainor’s two-factor authentication hardware uses the new Raspberry Pi board alongside a Pimoroni RGB Keypad and Display Pack.
Tomi Engdahl says:
SoloKeys Solo V2: Open source two-factor authentication security keys
https://www.zdnet.com/article/solokeys-solo-v2-open-source-two-factor-authentication-security-keys/
The Solo V2 brings improved NFC, water resistant, updatable firmware, and a reversible USB connector.
Tomi Engdahl says:
YAST Is a Security Development Platform for Smart Card-Like Applications
Michael Grand has designed a security token around NXP’s LPC55Sxx chip and SE050 secure element.
https://www.hackster.io/news/yast-is-a-security-development-platform-for-smart-card-like-applications-3b700b2abb8a
Tomi Engdahl says:
YubiKey for SSH on Windows: Complete Walkthrough
https://worklifenotes.com/2019/07/05/yubikey-for-ssh-on-windows-complete-walkthrough/