Adding phishing proof passwordless authentication with #FIDO2/#WebAuthn and #U2F
Ackermann Yuriy
Hey guys. I am Yuriy, an engineer from the FIDO Alliance. You have probably heard about us. We are the organisation behind the U2F protocol that Google reported killed employee phishing: https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing.
Our organisation has developed a secure, seamless, phishing-proof, passwordless authentication standard called FIDO2. Some people may call it WebAuthn. WebAuthn is the browser JS API part of FIDO2, and it is supported by Chrome, Edge and Firefox.
I was a happy customer of yours for many years, and I felt like you guys are so great and innovative that adding FIDO2 support to your multifactor authentication instead of TOTP would be a great idea, since TOTP is susceptible to phishing.
We have a tutorial: https://slides.com/fidoalliance/jan-2018-fido-seminar-webauthn-tutorial
I wrote blog posts on attestation and assertion verification: https://medium.com/@herrjemand/verifying-fido2-responses-4691288c8770
We have good deployment stories: https://engineering.linecorp.com/en/blog/fido-at-line/
And we have a helpful and friendly community that will be able to help you if you get stuck *)
Regards. Yuriy
Whitney Jutzin
John Mulhausen
Merged in a post:
FIDO U2F Authentication
Zach Queal
YubiKey released their U2F standard (Universal 2nd Factor) hardware key which allows single touch two factor authentication for products and services.
The current software two-factor authentication is really great; however, U2F is far easier and involves a single touch to activate and record. This should be a layered approach, giving users with U2F enabled the fallback of 2FA via software token. Google has this implemented already and it's very simple to use.
More Information:
This post was marked as open