Field test results of what a FIDO security token can do
What a FIDO2 token can do and
what to expect when doing risk assessments and method statements
Easily said: FIDO U2F and FIDO2 are the right way.
Unfortunately the marketing interns just babbled the word they heard: Passkey.
And, as usual in sales, all the other morons started to call it Passkey, too.
Few people noticed that now two things are called passkey.
And that passkeys could exist in devices or in physical tokens.
It would have been better if, for once, the morons had refrained from their usual pump-it-up-to-uber wording and had used the precise terms.
Passkeys now describes two completely different things.
Passkeys now can do both: Country and Western.
FIDO U2F
FIDO U2F means Universal Second Factor. This is done with the cheaper FIDO tokens.
U2F can't be done in keychains or similar software on the device. It requires a physical token and a connection to the host. Cards, USB and NFC tokens are common. Note that the U2F protocol has a feature called user presence, which may require a physical user interaction such as touching a button – something that cards, for example, may not have.
As 2F implies, it is meant to be a second factor independent from the host. A simple distinction between hosts is the app of some service versus the web interface of the same service.
The classic sending of one-time codes via SMS or mail is attack-prone by default. That is why we have these TOTP authenticator apps. They're fine as long as you have access to that device. But when your device gets stolen, the TOTPs you need to log in on some web browser are gone, too.
This is, btw, the same technology seen in corporations where employees have six-digit code devices hanging on their leashes^h err lanyards. If you can read out the programmed secret, you can use an authenticator app to generate a TOTP.
Forcing the 2F to be some independent device like a token brings several advantages. The stolen-device situation from above can be caught quite easily like this (as long as you know your account password):
You can now use any web browser to log into your accounts (phone provider, cloud, …) with the first factor username/password and the hardware token as second factor.
Within minutes you have disabled and/or changed all your accounts.
That is what a second factor is for: authenticating you to the host on unseen hardware.
FIDO2
is something different. Here the first factor username/password is replaced by information stored on a physical key. Access to that information is usually protected by a PIN or biometrics.
This can be replaced by software, aka Passkeys. This is possible because the FIDO secrets are of course in the end just some binary bytes. Doing so brings back the same stolen-device problem as with 2F above.
However, having the first factor on a card or token that can be passed around does have its use cases.
Just don't forget that on a new device you'll have to present a second factor, unless you turned off 2FA on that account – making it vulnerable again.
But, …, it's quite safe to use some SMS service or mail TOTP as 2F now. If it's not written on the token, an attacker can't figure out what the token is for nor what server to attack.
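As an added example (not from the original post), here is the token/host exchange behind both sections above, in Go: a simulated FIDO2 token that keeps its P-256 private key inside and only ever emits signatures over WebAuthn authenticatorData (rpIdHash, the user-presence flag, a signature counter), and the relying-party checks that reject an assertion made for another site, a token that was not touched, a cloned key, or a forged signature. The rpID and client data used with it are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Authenticator models a FIDO2 token: the private key never leaves it, only signatures do.
type Authenticator struct {
	priv  *ecdsa.PrivateKey
	count uint32 // signature counter, incremented on every assertion
}

// NewAuthenticator mints the key pair inside the token (registration hands out only the public half).
func NewAuthenticator() (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: k}, err
}
func (a *Authenticator) Public() *ecdsa.PublicKey { return &a.priv.PublicKey }

// digest is what a FIDO2 token actually signs: SHA-256(authenticatorData || SHA-256(clientData)).
func digest(authData, clientData []byte) []byte {
	cd := sha256.Sum256(clientData)
	d := sha256.Sum256(append(append([]byte{}, authData...), cd[:]...))
	return d[:]
}

// Assert builds authenticatorData = rpIdHash(32) || flags(1) || signCount(4) and signs it with P-256.
// A real token only signs after the button touch; flags bit 0 (UP, user presence) records that.
func (a *Authenticator) Assert(rpID string, clientData []byte) ([]byte, []byte, error) {
	rp := sha256.Sum256([]byte(rpID))
	a.count++
	authData := append(append(rp[:], 0x01), 0, 0, 0, 0) // flags = 0x01: UP set
	binary.BigEndian.PutUint32(authData[33:], a.count)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest(authData, clientData))
	return authData, sig, err
}

// Verify is the relying-party side; each case turns away one kind of impostor and returns the new counter.
func Verify(pub *ecdsa.PublicKey, rpID string, lastCount uint32, clientData, authData, sig []byte) (uint32, error) {
	rp := sha256.Sum256([]byte(rpID))
	switch {
	case len(authData) != 37 || string(authData[:32]) != string(rp[:]):
		return 0, errors.New("bad authenticatorData or rpIdHash mismatch (assertion made for another site)")
	case authData[32]&0x01 == 0:
		return 0, errors.New("user presence flag not set: token was not touched")
	case binary.BigEndian.Uint32(authData[33:]) <= lastCount:
		return 0, errors.New("signature counter did not increase: replay or cloned key")
	case !ecdsa.VerifyASN1(pub, digest(authData, clientData), sig):
		return 0, errors.New("signature invalid")
	}
	return binary.BigEndian.Uint32(authData[33:]), nil
}
```

The host stores only the public key and the last counter per registered token; the secret bytes that a software passkey would have to carry around never exist outside the token here.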
… tbc