
Passwordless authentication with FIDO2—beyond just the web


Posted Feb 21, 2023 22:29 UTC (Tue) by mss (subscriber, #138799)
In reply to: Passwordless authentication with FIDO2—beyond just the web by k8to
Parent article: Passwordless authentication with FIDO2—beyond just the web

Yes, such a device most probably would need to have a display to see what's being signed and some method to independently verify the request origin - like a shared secret with each one.

It would probably still need a USB or NFC connection to exchange the data to be signed and return the signature - but no WiFi Internet-connected devices please.

The payment industry had a primitive implementation of such an idea called Chip Authentication Program years ago.



Passwordless authentication with FIDO2—beyond just the web

Posted Feb 22, 2023 3:35 UTC (Wed) by stressinduktion (subscriber, #46452)

> The payment industry had a primitive implementation of such an idea called Chip Authentication Program years ago.

Something similar is in use in Germany with HBCI/FinTS (same with the electronic ID cards). The security class 3 readers have a display and PIN pad to verify and confirm a transaction's details. Myself, I use a ReinerSCT cyberjack komfort for doing that. Most(?) financial institutes support it, but somehow they are not keen on handing out the necessary cards anymore and instead prefer to use mobile apps to get the confirmations (at least in the consumer sector). Anyway, it is handy in particular for automated processing.

Are there any other countries using a standardized online banking protocol?

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 22, 2023 9:58 UTC (Wed) by MortenSickel (subscriber, #3238)

"Are there any other countries using a standardized online banking protocol?"

In Norway, we have the BankID system (https://www.bankid.no/en/private/) that is used for more or less all banks and a lot of other places where a secure login is needed. It can be used either by a code generator or a mobile phone app - no plugin devices.

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 28, 2023 16:09 UTC (Tue) by spacefrogg (subscriber, #119608)

In Germany, it is also common to validate single bank transactions via QR codes as a newer implementation of CAP. The added benefit (from my point of view) is that the authentication device is airgapped. While it can read the QR code, you must input the resulting TAN manually into the browser. So, you can be reasonably sure that you only authenticate the transaction you are interested in (and no hidden transaction that runs on a compromised device). The added bonus of QR codes is that you can validate their content independently with your smartphone etc. So, you don't even have to trust the downlink.

