In addition to the security concerns already mentioned, I'll bring up another few points. U2F is the FIDO Alliance's universal second factor specification and there are a lot of authenticators that speak CTAP1 and manage U2F credentials. I now view SMS messages as an account recovery option as a liability since it has been shown recently how easy it is to hijack a phone number (Google search for recent accounts of this). WebAuthn was designed to be interoperable with CTAP1 authenticators, and U2F credentials can still be used, as long as no FIDO2-only functionality is required by the relying party. WebAuthn with SMS recovery is basically a huge security risk at this point. Thankfully that is not required for LastPass currently. Numerous browsers now support WebAuthn on phones and computers where the environment has been deemed secure (i.e. secure enclave, etc.). Ideally I'd like to be able to configure WebAuthn to work from *multiple* browsers on *multiple* computers. I use LastPass on my phone (Chrome), MacBook Pro (Chrome, Firefox, Safari), and Windows machine (Firefox). If you're going to do WebAuthn, please allow users to add multiple instances, much like how Microsoft allows you to have multiple browsers, hardware keys, etc. One-time passwords to recover are also nice. An example of how NOT to do things on a popular website is Coinbase, which allows one FIDO device and only allows SMS as a recovery mechanism. SMS to recover is a major liability.
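The two requests in the post, letting a user register several authenticators and not leaving SMS as the only recovery path, expressed as relying-party-side bookkeeping. This is an added example, not code from the post, LastPass or Coinbase; the `Account`, `Credential` and `recovery_policy_ok` names are hypothetical, and the credential IDs in the comments are constructed.

```python
"""Relying-party bookkeeping for multiple WebAuthn credentials per account.

Hypothetical example. It does not verify attestations or assertions; it only
shows the account-level data model that makes "add another key" possible and
flags an account whose sole recovery path is SMS.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


@dataclass
class Credential:
    credential_id: bytes   # rawId returned by navigator.credentials.create()
    public_key: bytes      # COSE public key from the attestation response
    sign_count: int = 0    # authenticator signature counter, updated per assertion
    label: str = ""        # e.g. "hardware key on Windows/Firefox"


@dataclass
class Account:
    username: str
    credentials: list[Credential] = field(default_factory=list)
    # recovery methods the user has enrolled, e.g. "sms", "otp", "recovery_codes"
    recovery_methods: set[str] = field(default_factory=set)

    def registration_options(self) -> dict:
        """Options for registering one *more* authenticator. excludeCredentials
        lists every credential already on the account so the same key is not
        enrolled twice, while any number of distinct authenticators is allowed."""
        return {
            "challenge": secrets.token_bytes(32),
            "user": {"name": self.username},
            "excludeCredentials": [
                {"type": "public-key", "id": c.credential_id} for c in self.credentials
            ],
        }

    def add_credential(self, cred: Credential) -> None:
        if any(c.credential_id == cred.credential_id for c in self.credentials):
            raise ValueError("authenticator already registered")
        self.credentials.append(cred)

    def allowed_credentials(self) -> list[dict]:
        """allowCredentials for an authentication ceremony: any registered key works."""
        return [{"type": "public-key", "id": c.credential_id} for c in self.credentials]

    def recovery_policy_ok(self) -> bool:
        """SMS-only recovery lets a hijacked phone number bypass the FIDO keys.
        Require a non-SMS recovery method or a second registered authenticator."""
        return bool(self.recovery_methods - {"sms"}) or len(self.credentials) >= 2
```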