
Do all these 2FA apps - like say Microsoft Authenticator - have these hidden/not-so-hidden private keys? From other posts it sounds like you can view the token and write it down... MA doesn't have that, I don't think.



TOTP (Time-based one-time password) needs a shared secret (and two synchronized clocks) to work, so yes.

FIDO2/WebAuthn relies on public key technology - so it does also have a secret key - but it is designed to be kept secret from the service/server one authenticates against.

For use - FIDO2 is more like a multi-use id. Like a driver's license many services accept as id. If you lose it - you don't restore a backup copy from a safe - you use your passport until you get a new one issued.

This makes more sense than with TOTP, as the services only need your public key (id) on file.

https://en.wikipedia.org/wiki/Time-based_One-time_Password

https://en.m.wikipedia.org/wiki/WebAuthn


Which FIDO2 service do you recommend?

I get tired reading all these security articles. The more I read, the more I feel they are hiding something.


> Which FIDO2 service do you recommend?

Generally what comes with your phone and one or two hw tokens for backup? Looks like token2.com is a reasonable choice if you just want NFC/USBc and FIDO2 (and not storage for ssh/gpg keys). But I have little experience with hw keys.


ssh and pgp keys are not based on similar functionality.

the keys from Token2 support *-sk key storage

https://www.token2.com/site/page/using-token2-fido2-security...

But not PGP


Thank you for the reminder that ssh now has FIDO2 support!


Answering myself again, yeah, they all seem to have this private key hidden away somewhere. Didn't know that.

https://frontegg.com/blog/authentication-apps#How-Do-Authent...?



