undefined | Better HN

0 pointsdroopyEyelids2y ago0 comments

This is included webauthn, which is the basis for both passkeys and fido2 auth.

To sign in, you are sent a 'challenge', and must sign it and return it. The challenge includes a "Relaying Party Identifier" (RPID) which is basically the domain of the site requesting authentication.

That way, if a phishing domain prompts you for auth, they can not proxy your response because the RPID you signed will not match the authentic domain, and therefore be invalid.

0 comments

tonymet2y ago

This is good but how to make it work for phone, email and txt messages ?

droopyEyelidsOP2y ago

The way I see it, it works for all the above. Passkeys are available on all devices, and whatever contact method the attackers use will harvest a signed response with an invalid RPID (a credential that won't work).

Is that the point you were making?

tonymet2y ago

Yeah I’m thinking of how to integrate authn into messaging and phone apps. One idea is to add the phone to the web certificate so a remote check can be made during the call

j / k navigate · click thread line to collapse

0 pointsdroopyEyelids2y ago0 comments

This is included webauthn, which is the basis for both passkeys and fido2 auth.

That way, if a phishing domain prompts you for auth, they can not proxy your response because the RPID you signed will not match the authentic domain, and therefore be invalid.

0 comments

tonymet2y ago

This is good but how to make it work for phone, email and txt messages ?

droopyEyelidsOP2y ago

Is that the point you were making?

tonymet2y ago

Yeah I’m thinking of how to integrate authn into messaging and phone apps. One idea is to add the phone to the web certificate so a remote check can be made during the call

j / k navigate · click thread line to collapse