Difference between revisions of "FIDO 2.0"

Latest revision as of 16:39, 27 April 2024

Full Title

Fast ID Online or FIDO version 2.0

Context

  • All FIDO specs including the most recent version 2.0.
  • Replacement for FIDO U2F and FIDO UAF of version 1.0.
  • One reason to like FIDO is that there are many different authentication methods that you can do. There are keys like YubiKey and Solokey and there is also Windows Hello where you can just type in a PIN. Quote from Authenticate 2021

Privacy

The FIDO protocols are designed to protect user privacy and do not provide information that different online services could use to collaborate and track a user across those services [1][2][3]. Biometric information, if used, never leaves the user's device [2][3]. Therefore, it is not possible to track someone by means of FIDO (Fast ID Online).

Problems

Man in the Middle Attack


  • FIDO keys, which are commonly used for **two-factor authentication**, employ a challenge-response mechanism to enhance security. However, it's essential to understand that FIDO keys primarily protect the integrity of messages **from the authenticator to the server**. Here are some key points regarding FIDO's protection against man-in-the-middle (MitM) attacks:
    • **Challenge-Response Mechanism**: FIDO keys generate a one-time key using **Diffie-Hellman** or similar techniques. This ensures that each authentication attempt involves a unique challenge and response, making it difficult for an attacker to intercept and reuse the same response.
    • **TLS Encryption**: While FIDO keys play a crucial role in authentication, they do not handle secure connections directly. Instead, they rely on the underlying transport layer security (TLS) provided by the browser. If the user's connection is not encrypted (i.e., not using TLS), the security provided by FIDO keys is compromised. Therefore, FIDO keys work best when combined with a secure TLS connection.
    • **Origin Binding**: FIDO keys are bound to the **origin** (i.e., the website domain) where they were registered. This means that even if an attacker intercepts the communication, they cannot reuse the authentication response on a different site. The origin binding prevents MitM attackers from impersonating the user on unrelated domains.
    • **Token Binding (Optional)**: Some FIDO implementations support **token binding**, which further secures the connection between the browser and the service. Token binding ensures that the authentication token cannot be easily intercepted and reused by an attacker.
    • **Browser Security Context**: Browsers expose the FIDO API only in **secure contexts** (i.e., over HTTPS). This helps prevent malicious scripts or extensions from accessing the FIDO API and interfering with the authentication process.

In summary, FIDO keys provide robust protection against MitM attacks when used in conjunction with secure TLS connections and proper origin binding. However, users should always ensure that their browser environment is secure and trust the TLS encryption to prevent any potential vulnerabilities [1][2].

Source: Conversation with Bing, 4/27/2024

(1) man in the middle - How do FIDO keys prevent MITM reflection attacks .... https://security.stackexchange.com/questions/206543/how-do-fido-keys-prevent-mitm-reflection-attacks
(2) What is a Man-in-the-Middle (MiTM) Attack? | Yubico. https://www.yubico.com/resources/glossary/man-in-the-middle/
(3) Protecting FIDO Extensions Against Man-in-the-Middle Attacks. https://link.springer.com/chapter/10.1007/978-3-031-25467-3_5
(4) Creating the Unphishable Security Key - Yubico. https://www.yubico.com/blog/creating-unphishable-security-key/

Amusing

Fido ID is a unique identification number assigned to pets to help locate them in case they get lost. It is not designed to track humans, but it does track where that human's pet goes. There are many other devices, such as GPS trackers, that can be used to track humans and pets alike.[1]

References

  1. HID Global, RFID FAQ https://www.hidglobal.com/rfid-faq