funkygre.blogg.se

Yubikey with amazon

The Relying Party (a web site you want to authenticate to) sends a random challenge. If your root is compromised you're also done for.

For WebAuthn (and its predecessor U2F) none of this is correct. Also, it is probably possible to get the time-stamp within the kernel. The question is then: does timestamping the response reduce the attack surface enough compared to the downsides? I'd argue yes since the described attack can offset a failed login and the actual attack after a MITM. The verification process takes place at authentication so that would just tell you the current time, something you already know, it's useless.


But these OTP strings are generated by the Yubikey, not by Yubico so there's no way for them to be "signed" in this way. Just have yubikey sign the current time, you're already trusting them to correctly verify the key string.

By "them" you presumably mean Yubico not the Yubikey.












