SoylentNews is people
SoylentNews
Worries arise about security of new WebAuthn protocol:
A team of security researchers has raised the alarm about some cryptography-related issues with the newly released WebAuthn passwordless authentication protocol.
WebAuthn was officially launched earlier this year, in April. It's a standard developed under the patronage of the World Wide Web Consortium (W3C), the official body for all web standards.
The protocol was based on the FIDO 2.0 Web API, donated to the W3C by the FIDO Alliance, an industry consortium that includes some of the tech world's largest companies, whose role was to create interoperable authentication methods and standards.
But at the end of last month, the team of security researchers at Paragon Initiative, known for their strong background in cryptography, have taken a close look at this new protocol making its way into browsers like Chrome, Edge, and Firefox.
In a security audit, researchers say they identified various issues with the algorithms used to generate the attestation keys (signatures).
They point out that the W3C WebAuthn specification recommends the use of outdated algorithms such as the FIDO Alliance's Elliptic Curve (EC) Direct Anonymous Attestation (DAA), or RSASSA-PKCS1-v1_5.
The Paragon team detailed a long list of issues with both algorithms in a technical report, here, but in short, they are vulnerable to quite a few known cryptographic attacks. In particular, they took an issue with the use of RSASSA-PKCS1-v1_5.
"PKCS1v1.5 is bad. The exploits are almost old enough to legally drink alcohol in the United States," they said.
(Score: 1, Interesting) by Anonymous Coward on Monday September 10 2018, @05:58PM
i'm pretty much a luddite when it comes to all of this BS. two factor auth "solutions" compromise user privacy. oauth is fundamentally insecure. i'm sure this stupid horseshit is no exception. of course, what do i know, i don't use disqus either, ffs...