I login maybe once a year on my domain registrar's website (Gandi). Something has changed in both Firefox/Chromium since last time, because neither of them accepted any of my Yubikeys anymore: it prompted for a PIN, and I don't remember setting one! (I set one on the OpenPGP application, but that PIN is not accepted for FIDO2).

Temporarily disabling FIDO2 allowed the login to succeed as documented here: https://support.yubico.com/s/article/Understanding-YubiKey-PINs https://support.yubico.com/s/article/Enabling-or-disabling-applications
Note that this does *not* reset FIDO2 (Which IIUC would delete the FIDO U2F key too).
In that case IIUC it uses FIDO U2F instead of FIDO2 with a PIN. Although this seems like a bug, why doesn't the browser offer me the option of using U2F when I reject providing a FIDO2 PIN? Clearly all this worked fine several years ago when I initially registered the Yubikeys.
#FIDO2 #Yubikey #U2F

Some time ago I mentioned Yubikey migration. Unfortunately in work I have to deal with #Microsoft and #Google services. Besides confusing #authentication settings UI I noticed interesting thing - both services in own way mixed #U2F and #passkeys in settings. It basically wasn't possible to know what I was going to set. Even terms used on popups were different in different process stages.

Later I could check it was saved on Yubikey as passkeys and it was probably the only way to be sure.

Now I wonder, why these settings were so mixed. Did they do it purposely? Just their "normal" UI/UX chaos?
Anyone who uses more mainstream, passkey-supporting services saw something similar? I didn't saw any other passkeys "in the wild" to compare.

Does #KDE not support #u2f in Polkit prompts?

That nerdy urge to configure pam-u2f on work computer :blobCat_devil:

#nerd #u2f #yubikey

Actually, you just significantly reduced my security, Gandi. You should have let the users manage this transition, or at least warn them ahead of time what was going to happen if they didn't.

Replacing unphishable auth (old school U2F is still quite functional!) with phishable auth (email) without user consent is not acceptable.

#Gandi #SecurityKeys #U2F

Wow! I've just discovered that it's possible to use Secure Element as #u2f in GrapheneOS via hw-fido2-provider [1] (btw, thank you @S1m) in Vanadium even without any external token. Successfully added my Pixel smartphone as second factor device to my addy.io account. It works finally!

1. https://codeberg.org/s1m/hw-fido2-provider

#GrapheneOS #vanadium #vanadiumbrowser #fido2 #u2f #addyio #AnonAddy

had a nice (but crowded) time at the anarchist book fair workshops today, specifically the one about not owning a phone! lots of great convos, philosophies, and modes of existence without cell phone!

lots of interest about, and shoutouts for @cwtch, @delta, and @briar -- e2ee (group) messengers that dont require a phone number (as a replacement for @signalapp)

lots of interest in #U2F, #FIDO2 hardware #2FA devices (as a replacement for SMS or push). i also recommend @keepassxc for keeping TOTP tokens!

really appreciated hearing all the side conversations about @tails, @Mastodon, and other decentralized tech

they are already planning the next one in 2026! anarchistbookfairamsterdam.org @AFA

#anarchistbookfairamsterdam #amsterdam #anarchism #bookfair #anarchistbookfair #activism #netherlands #antifascism

Ważna informacja dla użytkowników kluczy U2F na X (Twitterze) [poradnik]

X (Twitter) ogłosił, że 10 listopada całkowicie przestanie używać starej domeny twitter[.]com. O ile znaczna większość funkcjonalności platformy została bezproblemowo przeniesiona na x[.]com, o tyle jedna – dość istotna – nie daje takiej możliwości. TLDR: Mowa o sprzętowych kluczach U2F (choć precyzyjnie mówiąc, chodzi o urządzenia w standardzie FIDO2), które...

#WBiegu #2Fa #Awareness #Klucze #Twitter #U2f #X

https://sekurak.pl/wazna-informacja-dla-uzytkownikow-kluczy-u2f-na-x-twitterze-poradnik/

The solution that worked:
"security.pam.services.doas = {
u2fAuth = true;
}"
Adding this into your configuration file will ensure that doas uses u2f authentication... I'm dumb :neocat_cry_loud:

#NixOS #linux #LinuxTechTips #U2F #security #yubikey

#doas doesn't seem to support #U2F on #NixOS it's weird and should work but doesn't as /etc/pam.d/doas doesn't contain pam_u2f.so and /etc/pam.d/sudo does contain it..

FYI: I have added "security.pam.services.sudo.u2fAuth = true;" to config and as I see there is no same option for doas and I also tried other hacky ways with no hope.

Passwords are on the way out. Discover how U2F security keys are stopping phishing attacks and winning over tech giants. Could this be the future of online safety?

https://thedefendopsdiaries.com/universal-2nd-factor-u2f-a-new-era-in-online-security/

#u2f
#onlinesecurity
#cybersecurity
#phishingprotection
#authentication

Эволюция одноразовых кодов: от TAN к Passkeys

От TAN-листов и SMS-кодов до Passkeys и FIDO2 — за 20 лет одноразовые коды прошли путь от бумажек до криптографии. Почему TOTP стал стандартом? Чем push-уведомления лучше? И правда ли, что будущее — без паролей? В статье — краткий и наглядный разбор всей эволюции OTP: алгоритмы, уязвимости, UX и рекомендации для современных систем.

https://habr.com/ru/articles/906750/

#totp #passkeys #fido2 #u2f #2fa #pushуведомления

I am making a dirt cheap @yubico Security Key alternative - a #passkey with #FIDO / #U2F / #FIDO2 / #WebAuthn support using $5 Waveshare #RP2350-One and open source Pico Keys: https://picokeys.com

Imagine waking up to find your email, social media, or crypto account hacked. Your money, crypto and private data - gone in seconds.

Sounds like a nightmare? The good news is, there’s an easy way to stop this from ever happening. A simple USB security key makes your accounts unhackable - even if your passwords get leaked.

We explain how it works here: https://auriccrypto.com/articles/guides/the-ultimate-way-to-protect-your-online-accounts-from-hackers/

#Cybersecurity #Crypto #Hacking #Security #U2F #Passwords #ScamAware

I am looking to buy a set of hardware security keys. The #yubikey seems to be the most common and best documented, but the lack of open source and upgradable firmware puts me off. #nitrokey seems like a better option in this regard, but the design is not as nice. I would also very much like a key that combines both USB-A and C. I have now found the #token2 [PIN+ Dual Release3](https://www.token2.com/shop/product/pin-dual-release3-fido2-1-key-with-openpgp-and-otp-and-dual-usb-ports) which fulfills this, but the company is completely unknown to me, and I haven't found much discussion of their products online, which makes me a bit reluctant. They are, however, a member of the FIDO alliance, which is reassuring. The Linux support for their tools also seem to be second-grade. Does anyone have any experience with them?
I intend to use the key for FIDO U2F/FIDO2 authentication, as well as TOTP for the services that do not yet support FIDO. I also want to use it for storing my PGP and SSH private keys.
#U2F #FIDO #FIDO2 #TOTP #hardwaresecuritykey #cybersecurity

I was locked out of my work machine earlier, but it was due to an update of the Yubikey PAM U2F bindings. In case others have the same problem:

https://mwop.net/blog/2025-01-15-pam-yubikey-1.3.1-fix.html

Frankly, this was a horrible rollout of a security fix, as there's no obvious remediation, and many folks may not have the ability to boot with a rescue drive to workaround the issue.

#yubikey #u2f

So, it has been like three months using FIDO/U2F keys instead of passwords. Both in my NetBSD and Arch systems.

I use a "medium" quality password to decrypt the filesystems and other one to decrypt the password manager. And that's it.

No password to log-in, to unlock screen, to run doas/sudo, etc. Just this little penguin and press its button.

Also, I'm using this as 2FA for all websites that support it. Lemmy doesn't. It's the only place where I don't use it, yet.

Because U2F uses the domain name, this is a strong protection against phishing. A similar domain may trick my eyes, but not the key.

I'm very bad at memorizing passwords, and worse at typing them. Unlocking the screen without typing my password like 3 times is a bless.

The problems: if my laptop is decrypted anybody with this penguin is root. It's kinda my Horcrux. Also, I need a second one stored safely as a backup.

So I officially have two horcruxes. Destroy both and I can't log-in anywhere.

#fido #u2f #infosec #NetBSD #arch #keepass #password #horcrux

@aleidk I use the keys for stuff like GitHub, my Fediverse account and a Google account. The important stuff, like banking, access to the ISP and mobile phone provider account don't support them, so: nice, but.

Actually, the expensive #YubiKey Series 5 can also store #OATH #TOTP seeds, which can be useful for a bunch of other accounts: mobile phone brand, Amazon and many more. Note that #TOTP is not #FIDO2 nor #U2F.

Do you use your Flipper Zero as a second factor?

The Flipper Zero can be used as an U2F device (like a Yubikey) to provide a second factor for various online services (e.g. Google, Github). I might want to look into it, and you can help me determining how many people are using it.

#FlipperZero #u2f #webauthn #Passkey

For the last few months, I had a strange issue with my Fedora 40 installation which was driving me mad.

When I had the computer running for some time, I couldn't use more than one browser, because the other couldn't even start or couldn't load websites. It was happening with Firefox and any other chromium based browser. It was unpredictable and nothing conclusive was visible in the logs and strace just showed it was waiting for something I had a hard time identifying.

Then I installed Fedora 41 on a laptop and it started to happen immediately there - not just after some time, immediately!

I took the laptop out from USB-C display to look at it in another room and it stopped.

Then I vaguely remembered I put an U2F key to my screen's usb hub for convenience of use and the issues started some time after that.

Yep. It was the key. When it's connected through the USB hub in my screen, the browsers somehow "battle" for it 🤦‍♀️ It's a normal USB-A U2F key by IDEM. Never heard about such issues, and the key is working normally when connected to the computer directly.

#JustLinuxFun #Linux #U2F #FIDO #Chromium #Firefox #usb