Question about hardware security keys

General project discussion.
Use this as a last resort if your topic does not fit in any of the other boards but it still on-topic.
Forum rules
This General Discussion board is meant for topics that are still relevant to Pale Moon, web browsers, browser tech, UXP applications, and related, but don't have a more fitting board available.

Please stick to the relevance of this forum here, which focuses on everything around the Pale Moon project and its user community. "Random" subjects don't belong here, and should be posted in the Off-Topic board.
User avatar
moonbat
Knows the dark side
Knows the dark side
Posts: 5327
Joined: 2015-12-09, 15:45
Contact:

Question about hardware security keys

Unread post by moonbat » 2024-10-02, 12:11

I recently got a Thetis Pro security key, one good feature is it has both USB A and C ports to work with a mobile phone as well as older PCs without USB C. Unfortunately it doesn't natively support Linux except through Chrome, I was able to add it as an authentication mechanism for my Google account but of course it would only work on Chrome which I don't use regularly. I wanted to know if there's any open standard for hardware keys, or in theory it could be created for Pale Moon. In the security devices dialog, is there a way to add a hardware security device, or is it something that needs to be built in? I looked at Floorp for comparison and it just has an extra module for reading OS certificates.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Image
KDE Neon on a Slimbook Excalibur (Ryzen 7 8845HS, 64 GB RAM)
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX

User avatar
RealityRipple
Keeps coming back
Keeps coming back
Posts: 760
Joined: 2018-05-17, 02:34
Location: Los Berros Canyon, California
Contact:

Re: Question about hardware security keys

Unread post by RealityRipple » 2024-10-02, 17:20

If I recall, isn't that supposed to be handled by a PKCS#11 module or something?

Potkeny
Fanatic
Fanatic
Posts: 150
Joined: 2018-08-03, 17:00

Re: Question about hardware security keys

Unread post by Potkeny » 2024-10-02, 19:21

I would guess the websites use https://en.wikipedia.org/wiki/WebAuthn as its made by google too? And the HW keys with FIDO2 should be compatible with it.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 36556
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Question about hardware security keys

Unread post by Moonchild » 2024-10-02, 19:48

Wasn't there wider support for FIDO and U2F? Surprised it only works with Chrome.
"A programmer is someone who solves a problem you didn't know you had, in a way you don't understand." -- unknown
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

User avatar
suzyne
Astronaut
Astronaut
Posts: 568
Joined: 2023-06-28, 22:43
Location: Australia

Re: Question about hardware security keys

Unread post by suzyne » 2024-10-02, 21:34

Off-topic:
I don't know much about hardware security keys. But if I had one, I would be super paranoid about losing it, or it being something that can fail because it is a physical device.

I can imagine how in some types of work environments hardware keys may be desirable or even necessary.

But for personal use, I way prefer to use a complex master password (that is only stored in my head) for my browser's password manager. I think I might be missing something?
Laptop 1: Windows 10 64-bit, i7 @ 2.80GHz, 16GB, NVIDIA GeForce MX450.
Laptop 2: Windows 10 32-bit, Atom Z3735F @ 1.33GHz, 2GB, Intel HD Graphics.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 36556
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Question about hardware security keys

Unread post by Moonchild » 2024-10-02, 21:51

Off-topic:
suzyne wrote:
2024-10-02, 21:34
But if I had one, I would be super paranoid about losing it, or it being something that can fail because it is a physical device.
I agree. I used a similar hardware device for Certum code signing in the past because that's the only option they offered, and I was never comfortable with the fact that that one device would become a single point of failure without a way to have a backup (since the crypto secret was locked inside the chip in the hardware).
suzyne wrote:
2024-10-02, 21:34
But for personal use, I way prefer to use a complex master password (that is only stored in my head) for my browser's password manager. I think I might be missing something?
Nothing wrong with using a master password :) -- I do the same (in a standalone password manager, that is, with strong encryption, for really important things - browser + MP for convenience for websites)
Although for server administration I'm really shifting to PKI for SSH login etc. still with key passwords so in case of worst case compromise of my system they can't be used, but not having a superuser login with a plain password is considerably more secure for that ;)
"A programmer is someone who solves a problem you didn't know you had, in a way you don't understand." -- unknown
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

User avatar
suzyne
Astronaut
Astronaut
Posts: 568
Joined: 2023-06-28, 22:43
Location: Australia

Re: Question about hardware security keys

Unread post by suzyne » 2024-10-03, 02:42

Off-topic:
Moonchild wrote:
2024-10-02, 21:51
with the fact that that one device would become a single point of failure without a way to have a backup
Exactly. From the little I have read online, a bad or lost key/dongle needs to be physically replaced which sounds like a nightmare in terms of losing access and lost time before the protected data or thing can be used again.
Laptop 1: Windows 10 64-bit, i7 @ 2.80GHz, 16GB, NVIDIA GeForce MX450.
Laptop 2: Windows 10 32-bit, Atom Z3735F @ 1.33GHz, 2GB, Intel HD Graphics.

User avatar
moonbat
Knows the dark side
Knows the dark side
Posts: 5327
Joined: 2015-12-09, 15:45
Contact:

Re: Question about hardware security keys

Unread post by moonbat » 2024-10-03, 03:02

Off-topic:
suzyne wrote:
2024-10-03, 02:42
Exactly. From the little I have read online, a bad or lost key/dongle needs to be physically replaced which sounds like a nightmare in terms of losing access and lost time before the protected data or thing can be used again.
Most services offer alternate 2FA methods if one fails; so one can still fallback to the authenticator app or even backup codes(provided you saved them already) if the hardware key isn't available.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Image
KDE Neon on a Slimbook Excalibur (Ryzen 7 8845HS, 64 GB RAM)
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX

User avatar
suzyne
Astronaut
Astronaut
Posts: 568
Joined: 2023-06-28, 22:43
Location: Australia

Re: Question about hardware security keys

Unread post by suzyne » 2024-10-03, 03:33

Off-topic:
moonbat wrote:
2024-10-03, 03:02
Most services offer alternate 2FA methods if one fails; so one can still fallback to the authenticator app or even backup codes(provided you saved them already) if the hardware key isn't available.
Good to know, and not as bad as I thought. When offered, I always make a note of recovery codes or similar, because you never know when it might be needed.
Laptop 1: Windows 10 64-bit, i7 @ 2.80GHz, 16GB, NVIDIA GeForce MX450.
Laptop 2: Windows 10 32-bit, Atom Z3735F @ 1.33GHz, 2GB, Intel HD Graphics.

Potkeny
Fanatic
Fanatic
Posts: 150
Joined: 2018-08-03, 17:00

Re: Question about hardware security keys

Unread post by Potkeny » 2024-10-03, 05:09

Off-topic:
suzyne wrote:
2024-10-03, 03:33
Off-topic:
moonbat wrote:
2024-10-03, 03:02
Most services offer alternate 2FA methods if one fails; so one can still fallback to the authenticator app or even backup codes(provided you saved them already) if the hardware key isn't available.
Good to know, and not as bad as I thought. When offered, I always make a note of recovery codes or similar, because you never know when it might be needed.
You can also buy multiple keys and either register all of them to the service or, if the key allows it, "clone" them so they are the same. Of course if you lose one and don't have a backup on you it doesn't help, but you can have a safety backup in a protected place for disaster recovery.

User avatar
moonbat
Knows the dark side
Knows the dark side
Posts: 5327
Joined: 2015-12-09, 15:45
Contact:

Re: Question about hardware security keys

Unread post by moonbat » 2024-10-03, 06:33

I've anyway just bought it to see how it works, the key itself stays in my house only. In Pale Moon when I tried to add it to my Google account, it wasn't detected.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Image
KDE Neon on a Slimbook Excalibur (Ryzen 7 8845HS, 64 GB RAM)
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX

User avatar
Basilisk-Dev
Lunatic
Lunatic
Posts: 429
Joined: 2022-03-23, 16:41
Location: Chamber of Secrets
Contact:

Re: Question about hardware security keys

Unread post by Basilisk-Dev » 2024-10-03, 20:27

Off-topic:
Do people not keep backup hardware devices? I have two separate Yubikeys, one is a backup that I keep in a hidden place that only I know of and the other is the main one that I use most of the time that I keep at my desk/in my bag when I travel.
Basilisk Project Owner

viewtopic.php?f=61&p=230756

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 36556
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Question about hardware security keys

Unread post by Moonchild » 2024-10-03, 20:37

Off-topic:
Basilisk-Dev wrote:
2024-10-03, 20:27
Do people not keep backup hardware devices?
That is often not an option. if you can't extract the cryptographic key from the hardware device, you can't have a backup. The only option then is to have twice the expense for 2 access keys, and that isn't always supported either... so, it becomes complicated and a risk.
"A programmer is someone who solves a problem you didn't know you had, in a way you don't understand." -- unknown
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

User avatar
Basilisk-Dev
Lunatic
Lunatic
Posts: 429
Joined: 2022-03-23, 16:41
Location: Chamber of Secrets
Contact:

Re: Question about hardware security keys

Unread post by Basilisk-Dev » 2024-10-03, 20:43

Off-topic:
Moonchild wrote:
2024-10-03, 20:37
if you can't extract the cryptographic key from the hardware device, you can't have a backup.
Why do you need to extract the key? I just register both keys with whatever services I use that accept hardware keys.
Basilisk Project Owner

viewtopic.php?f=61&p=230756

jb_wisemo
Moonbather
Moonbather
Posts: 66
Joined: 2016-01-27, 02:09

Re: Question about hardware security keys

Unread post by jb_wisemo » 2024-10-23, 10:43

Basilisk-Dev wrote:
2024-10-03, 20:43
Off-topic:
Moonchild wrote:
2024-10-03, 20:37
if you can't extract the cryptographic key from the hardware device, you can't have a backup.
Why do you need to extract the key? I just register both keys with whatever services I use that accept hardware keys.
On a standard FIDO/FIDO2/WebAuthn/Passkey hardware key, there is no way to extract the private key (that would defeat the security of being something that only the real user has), instead, many good websites allow associating more than one hardware key (and associated public key blob) with the same user account, thus allowing one key to be stored somewhere as a backup.

Also just to control the rumors, these keys are NOT in any way PKCS#11 devices that can store arbitrary certificate/private key combinations as used for things like e-mail decryption, code signing, TLS mutual authentication etc. Instead these devices provide a much simpler (originally) concept where a unique anonymous key is generated for each website and the user authentication becomes a simple yes/no to sending the public key, often with a single push button on the hardware device . In this security model, the Browser tells the hardware key which website the public key will be sent to, then the device responds with "YES, user pressed button, here's the public key for that site and a signature on a challenge" or "NO, user pressed cancel in implied browser alert, hardware response discarded by browser to protect user privacy" .

Later versions of the spec contain silly complications such as a way for the website to confirm the brand and model of the hardware key (in case a website policy requires one certified brand), and a way to bypass the button press (obviously insecure). But this is not unusual for web standards, formal or otherwise .

Major sites using this browser feature include Amazon (the megastore/hosting provider), Microsoft, Swedish schools (reportedly) and the Danish government login for citizens ("MitID"). Browsers supporting this web feature include Firefox and Chrome. The feature inventor is Swedish/American company YubiKey .

Post Reply