Hacker News new | past | comments | ask | show | jobs | submit login

there is attestation of the registration device in webauthn

so you can tell that a token was signed by an official yubikey, apple secure enclave, tpm, etc

for yubikeys the attestation signing certificate is shared between devices, but this number is limited

so you could rate limit... just it would be a horrible experience when you are limited




What about for software implementations like 1Password and Bitwarden?


They can't fake the attestation from hardware implementations so you could just reject keys from software implementations.


Wouldn't companies/bots/etc. still just get around this by buying many such hardware devices and automating their usage instead?

reply


So what about users that don't have any such hardware?


Use a CAPTCHA?


Yes of course, but I hope this is part of the plan. Too often new technologies seem to leave some people apart, because the deciders don't think (or don't want to think) about those who don't want to (or can't) embrace a specific technology.


Yeah but that breaks real usecases from real users.

It's really annoying, PayPal does this too. They only support passkeys in safari or chrome, even though it works just fine with a yubikey in Firefox. They just go out of their way to stop it from working. Really really annoying.

And they also refuse to enroll more than one token even for the basic fido2 mfa.


I don’t see that in the code. But you’re right that there is something heuristic you can do.


Here is a relevant discussion about it in S/O: https://stackoverflow.com/questions/67797804/how-to-distingu...


the cynic in me thinks this will become mandatory on major websites at some future point

so you won't be able to log into youtube unless you have a TPM approved by Google




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: