undefined | Better HN

0 pointskerblang2y ago0 comments

Do all these 2FA apps - like say Microsoft Authenticator - have these hidden/not-so-hidden private keys? From other posts it sounds like you can view the token and write it down... MA doesn't have that, I don't think.

0 comments

e12e2y ago

TOTP (Time-based one-time password) need a shared secret (and two synchronized clocks) to work, so yes.

FIDO2/WebAuthn relies on public key technology - so does also have a secret key - but is designed to be kept secret from the service/server one authenticates against.

For use - FIDO2 is more like a multi-use id. Like a driver's license many services accept as id. If you lose it - you don't restore a backup copy from a safe - you use your passport until you get a new one issued.

This makes more sense than with TOTP as the services only need your public key(id) on file.

https://en.wikipedia.org/wiki/Time-based_One-time_Password

https://en.m.wikipedia.org/wiki/WebAuthn

rawgabbit2y ago

Which FIDO2 service do you recommend?

I get tired reading all these security articles. The more I read, the more I feel they are hiding something.

e12e2y ago

> Which FIDO2 service do you recommend?

Generally what comes with your phone and one or two hw tokens for backup? Looks like token2.com is a reasonable choice if you just want NFC/USBc and FIDO2 (and not storage for ssh/gpg keys). But I have little experience with hw keys.

1 more reply

kerblangOP2y ago

Answering myself again, yeah, they all seem to have this private key hidden away somewhere. Didn't know that.

https://frontegg.com/blog/authentication-apps#How-Do-Authent...?

j / k navigate · click thread line to collapse

0 comments

e12e2y ago

TOTP (Time-based one-time password) need a shared secret (and two synchronized clocks) to work, so yes.

FIDO2/WebAuthn relies on public key technology - so does also have a secret key - but is designed to be kept secret from the service/server one authenticates against.

This makes more sense than with TOTP as the services only need your public key(id) on file.

https://en.wikipedia.org/wiki/Time-based_One-time_Password

https://en.m.wikipedia.org/wiki/WebAuthn

rawgabbit2y ago

Which FIDO2 service do you recommend?

I get tired reading all these security articles. The more I read, the more I feel they are hiding something.

e12e2y ago

> Which FIDO2 service do you recommend?

1 more reply

kerblangOP2y ago

Answering myself again, yeah, they all seem to have this private key hidden away somewhere. Didn't know that.

https://frontegg.com/blog/authentication-apps#How-Do-Authent...?

j / k navigate · click thread line to collapse