Jarkko Sakkinen

Most #sites ask for #password + #FIDO2, but others are satisfied with only FIDO2.

E.g. #Google #account opens up without password, if the #YubiKey is plugged in.

I’m just wondering why this difference exists…

@jarkko Confusingly, the YubiKey has multiple capabilities that have the same function, and it's difficult to know what your key is using at any one moment.

I think in this case, it is a difference in U2F and FIDO2. FIDO2 has a higher standard for authenticating and it is used in passwordless authentication.

The user's flow is also completely dependent on how the website implements their authentication service. They could require a password even if they use FIDO2.

@Zoarial94 Yea, so is the difference that the other sites use U2F and Google uses FIDO2? I have to admit that I did not know that they are different things, so this cleared up some details (i.e. according to the Internet, U2F is second-factor authentication, whatever that means).

@jarkko Is this true even if coming from a completely different system for the first time?


@jarkko There aren't many sites that use FIDO2 keys yet. These are also called resident keys and they are stored in the YubiKey. You can use the yubico manager to remove these keys/accounts since you have a limited number.

The idea behind 2 factor is that it is harder to impersonate someone with each factor. The factors are typically what you know (password), what you are (biometrics), and what you have (hardware key [yubikey]).

FIDO2 has 2fa built in since you have to physically touch the key (1st factor), and you need to enter a pin (2nd factor). The pin takes the place of your regular password.

Apple and Google are rolling out passkeys, which use the FIDO2 interface. They work because you need to have your phone (1st factor), and you need to pass biometrics (2nd factor).

@Zoarial94 Thanks for the great explanation of this topic! Appreciate this.

@jarkko You're welcome! I remember struggling a lot to straighten all of this out after getting my first yubikey. It doesn't help that names of protocols change or are ambiguous, and some documentation assumes you have some existing knowledge.
