Apple, Google, and Microsoft commit to expanded support for FIDO standard

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • rust-u2f

    U2F security token emulator written in Rust

  • I've considered adding FIDO2 support to the software-only U2F token I wrote (https://github.com/danstiner/rust-u2f). It's a fair bit of work though, and I am not sure how comfortable I am with passwordless login unless the keys are kept purely in hardware such as a TPM.

    That said, my reading of this post is that FIDO2 support will get built into Chromium directly, which is itself open source. Or if you do want a hardware key but running open software, I'd definitely recommend https://solokeys.com/, I've been following them for a long time.

    Also there was some related discussion on this same article last week: https://news.ycombinator.com/item?id=31274677

  • solo1

    Solo 1 firmware in C


  • OpenSK

    OpenSK is an open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.

  • Cloudflare does; using a security key not found in the FIDO Metadata Service will unfortunately not work. This precludes the use of any hacker-friendly solution (making your own).

    > Supported: All security keys found in the FIDO Metadata Service 3.0, unless they have been revoked for security reasons.

    https://support.cloudflare.com/hc/en-us/articles/44068890480...

    Attestation keys, as they're currently used, aren't very "privacy friendly" and it's much worse for those who wish to create their own key.

    > Usually, the attestation private key is shared between a batch of at least 100,000 security keys of the same model. If you build your own OpenSK, your private key is unique to you. This makes you identifiable across registrations: Two websites could collaborate to track if registrations were attested with the same key material. If you use OpenSK beyond experimentation, please consider carefully if you want to take this privacy risk.

    https://github.com/google/OpenSK/blob/f2496a8e6d71a4e8388849...

  • WebKit

    Home of the WebKit project, the browser engine used by Safari, Mail, App Store and many other applications on macOS, iOS and Linux.

  • > The whitelist can be seen in WebKit's source when searching

    It was removed in December 2021: https://github.com/WebKit/WebKit/commit/0dc4de89f6b03870787c...

    --- start quote ---

    This patch loosens the user gesture requirement around using WebAuthn with respect to user gestures by removing the Quirks.h allowlist of sites that get a freebie.

    Instead the new behavior is all sites get one freebie, then on subsequent attempts they show a non-modal consent dialog.

    --- end quote ---

    > There are better examples of how to avoid users getting spammed with any requests; browsers have a long history of dealing with that kind of abuse much better.

    They really don't have much better solutions than requiring user interaction. Even the Media Engagement Index that you mentioned is only used by Chrome on desktop, and it works by calculating user interaction.

  • Coze

    Coze is a cryptographic JSON messaging specification.

  • Now that there are fewer eyeballs on this, here's our open source JWT alternative:

    https://github.com/Cyphrme/Coze. We've got a roadmap for using that to build alternatives to FIDO. Please feel free to message me with questions or anything else and I will detail our plans.

    Before competing against FIDO, the libraries need to be far more ergonomic. Coze is a good start.

  • CozeJS

    Coze JavaScript - cryptographic JSON messaging specification

  • Hello, it's me again.

    We just made public the JavaScript implementation of Coze.

    https://github.com/Cyphrme/cozejs.
