Question about hardware security keys
Forum rules
This General Discussion board is meant for topics that are still relevant to Pale Moon, web browsers, browser tech, UXP applications, and related, but don't have a more fitting board available.
Please stick to the relevance of this forum here, which focuses on everything around the Pale Moon project and its user community. "Random" subjects don't belong here, and should be posted in the Off-Topic board.
Question about hardware security keys
I recently got a Thetis Pro security key; one good feature is that it has both USB-A and USB-C ports, so it works with a mobile phone as well as older PCs without USB-C. Unfortunately it doesn't natively support Linux except through Chrome. I was able to add it as an authentication mechanism for my Google account, but of course it would only work on Chrome, which I don't use regularly. I wanted to know if there's any open standard for hardware keys, or whether in theory one could be created for Pale Moon. In the security devices dialog, is there a way to add a hardware security device, or is it something that needs to be built in? I looked at Floorp for comparison and it just has an extra module for reading OS certificates.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."
KDE Neon on a Slimbook Excalibur (Ryzen 7 8845HS, 64 GB RAM)
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX
- RealityRipple
- Keeps coming back
- Posts: 763
- Joined: 2018-05-17, 02:34
- Location: Los Berros Canyon, California
- Contact:
Re: Question about hardware security keys
If I recall, isn't that supposed to be handled by a PKCS#11 module or something?
Re: Question about hardware security keys
I would guess the websites use https://en.wikipedia.org/wiki/WebAuthn, as it's made by Google too? And the HW keys with FIDO2 should be compatible with it.
Re: Question about hardware security keys
Wasn't there wider support for FIDO and U2F? Surprised it only works with Chrome.
{{This headspace for lease}}
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: Question about hardware security keys
Off-topic:
I don't know much about hardware security keys. But if I had one, I would be super paranoid about losing it, or it being something that can fail because it is a physical device.
I can imagine how in some types of work environments hardware keys may be desirable or even necessary.
But for personal use, I way prefer to use a complex master password (that is only stored in my head) for my browser's password manager. I think I might be missing something?
Laptop 1: Windows 10 64-bit, i7 @ 2.80GHz, 16GB, NVIDIA GeForce MX450.
Laptop 2: Windows 10 32-bit, Atom Z3735F @ 1.33GHz, 2GB, Intel HD Graphics.
Re: Question about hardware security keys
Off-topic:
I agree. I used a similar hardware device for Certum code signing in the past because that's the only option they offered, and I was never comfortable with the fact that that one device would become a single point of failure without a way to have a backup (since the crypto secret was locked inside the chip in the hardware).
Nothing wrong with using a master password -- I do the same (in a standalone password manager, that is, with strong encryption, for really important things - browser + MP for convenience for websites)
Although for server administration I'm really shifting to PKI for SSH login etc., still with key passwords so that in case of a worst-case compromise of my system they can't be used, but not having a superuser login with a plain password is considerably more secure for that.
{{This headspace for lease}}
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: Question about hardware security keys
Off-topic:
Exactly. From the little I have read online, a bad or lost key/dongle needs to be physically replaced which sounds like a nightmare in terms of losing access and lost time before the protected data or thing can be used again.
Laptop 1: Windows 10 64-bit, i7 @ 2.80GHz, 16GB, NVIDIA GeForce MX450.
Laptop 2: Windows 10 32-bit, Atom Z3735F @ 1.33GHz, 2GB, Intel HD Graphics.
Re: Question about hardware security keys
Off-topic:
Most services offer alternate 2FA methods if one fails, so one can still fall back to the authenticator app or even backup codes (provided you saved them already) if the hardware key isn't available.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."
KDE Neon on a Slimbook Excalibur (Ryzen 7 8845HS, 64 GB RAM)
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX
Re: Question about hardware security keys
Off-topic:
Good to know, and not as bad as I thought. When offered, I always make a note of recovery codes or similar, because you never know when it might be needed.
Laptop 1: Windows 10 64-bit, i7 @ 2.80GHz, 16GB, NVIDIA GeForce MX450.
Laptop 2: Windows 10 32-bit, Atom Z3735F @ 1.33GHz, 2GB, Intel HD Graphics.
Re: Question about hardware security keys
Off-topic:
You can also buy multiple keys and either register all of them to the service or, if the key allows it, "clone" them so they are the same. Of course if you lose one and don't have a backup on you it doesn't help, but you can have a safety backup in a protected place for disaster recovery.
Re: Question about hardware security keys
I've anyway just bought it to see how it works, the key itself stays in my house only. In Pale Moon when I tried to add it to my Google account, it wasn't detected.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."
KDE Neon on a Slimbook Excalibur (Ryzen 7 8845HS, 64 GB RAM)
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX
- Basilisk-Dev
- Lunatic
- Posts: 433
- Joined: 2022-03-23, 16:41
- Location: Chamber of Secrets
- Contact:
Re: Question about hardware security keys
Off-topic:
Do people not keep backup hardware devices? I have two separate Yubikeys, one is a backup that I keep in a hidden place that only I know of and the other is the main one that I use most of the time that I keep at my desk/in my bag when I travel.
Re: Question about hardware security keys
Off-topic:
That is often not an option. If you can't extract the cryptographic key from the hardware device, you can't have a backup. The only option then is to have twice the expense for 2 access keys, and that isn't always supported either... so it becomes complicated and a risk.
{{This headspace for lease}}
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
- Basilisk-Dev
- Lunatic
- Posts: 433
- Joined: 2022-03-23, 16:41
- Location: Chamber of Secrets
- Contact:
Re: Question about hardware security keys
On a standard FIDO/FIDO2/WebAuthn/Passkey hardware key, there is no way to extract the private key (that would defeat the security of being something that only the real user has). Instead, many good websites allow associating more than one hardware key (and associated public key blob) with the same user account, thus allowing one key to be stored somewhere as a backup.
Also, just to control the rumors, these keys are NOT in any way PKCS#11 devices that can store arbitrary certificate/private key combinations as used for things like e-mail decryption, code signing, TLS mutual authentication etc. Instead, these devices provide a much simpler (originally) concept where a unique anonymous key is generated for each website and the user authentication becomes a simple yes/no to sending the public key, often with a single push button on the hardware device. In this security model, the browser tells the hardware key which website the public key will be sent to, then the device responds with "YES, user pressed button, here's the public key for that site and a signature on a challenge" or "NO, user pressed cancel in implied browser alert, hardware response discarded by browser to protect user privacy".
Later versions of the spec contain silly complications such as a way for the website to confirm the brand and model of the hardware key (in case a website policy requires one certified brand), and a way to bypass the button press (obviously insecure). But this is not unusual for web standards, formal or otherwise.
Major sites using this browser feature include Amazon (the megastore/hosting provider), Microsoft, Swedish schools (reportedly) and the Danish government login for citizens ("MitID"). Browsers supporting this web feature include Firefox and Chrome. The feature inventor is Swedish/American company YubiKey.