I keep seeing people mixing up terminologies about FIDO. Single step, single factor. Double step. etc. Here are some popular statements: “One thing that I think confused the reviewer was that the key was doing biometric second factor even on sites that were using Fido as a single factor.” …

This is a page that contains links to all our articles on FIDO protocols. Want to help defend Ukraine? Donate to our 501c3 charity, and help us deploying WebAuthn, passkeys, and Yubikeys: Support CyberSecurity of Ukraine Yubico lent technical support and donated 30,000 YubiKeys, to stop hackers from taking over accounts. To date, about…www.ukrainenow.org FIDO Core Introduction to WebAuthn API Demystifying attestation and MDS

It’s a JSON! It looks like MDS2? Nope, that’s MDS3! This is continuation of our series on Webauthn and FIDO2. Recently FIDO Alliance released new version of the metadata specification. And it’s not simple added new fields, and called it day. MDS3 Metadata entirely overhauled schema, deleting old fields, merging…

This is continuation of our series on Webauthn and FIDO2. The fancies of wine are authentic events - Italo Svevo There is no doubt that attestation is a misunderstood and sometimes controversial topic. I’ve been personally present at a few heated discussions, that some might mistaken for an upcoming fight…

Disclaimer: Thoughts expressed here are my own, and not of my employers. Recently Cloudflare released their FIDO based CAPTCHA replacement. You can read more about it https://blog.cloudflare.com/introducing-cryptographic-attestation-of-personhood/, and try it here https://cloudflarechallenge.com/. In the nutshell the way it works: User gets FIDO CAPTCHA page. 2. User clicks “I am human”. …

Please note that this is an advance post, and requires prior understanding of the FIDO2 attestations. You can read more about them here. The apple does not fall far from the Packed… TPM… As the proverb goes, it’s all almost exactly the same as Packed attestation, with the nonce in…

CTAP1 my U2F you FIDO2 CTAP2. If you are confused about all various FIDO terms, you are not alone. Over the years FIDO has expanded from two, to a dozen working groups. Standards started overlapping, having backwards compatibility and everything went terminologically speaking, bonkers. So here is a breakdown: FIDO…

…or Level 1 Credential Management API extension for Public Key Credentials, and the untold stories of managing credentials in the browser… What should I expect from this article? Learn what FIDO2, Passkey, and WebAuthn are, and how to use them to kill passwords. What is not going to be here? Assertion and attestation verification. This is done by the server and so described in…

Please note that this is an advance post, and requires prior understanding of the FIDO2 attestations. You can read more about them here. Security, yeah That’s all I want from you, oh now Security, yeah And a little love that will be true, oh — Otis Redding — Security Android…