I log in maybe once a year on my domain registrar's website (Gandi). Something has changed in both Firefox/Chromium since last time, because neither of them accepted any of my Yubikeys anymore: it prompted for a PIN, and I don't remember setting one! (I set one on the OpenPGP application, but that PIN is not accepted for FIDO2).

Temporarily disabling FIDO2 allowed the login to succeed as documented here: https://support.yubico.com/s/article/Understanding-YubiKey-PINs https://support.yubico.com/s/article/Enabling-or-disabling-applications
Note that this does *not* reset FIDO2 (which IIUC would delete the FIDO U2F key too).
In that case IIUC it uses FIDO U2F instead of FIDO2 with a PIN. Although this seems like a bug, why doesn't the browser offer me the option of using U2F when I reject providing a FIDO2 PIN? Clearly all this worked fine several years ago when I initially registered the Yubikeys.
#FIDO2 #Yubikey #U2F


Some time ago I mentioned Yubikey migration. Unfortunately, at work I have to deal with #Microsoft and #Google services. Besides the confusing #authentication settings UI, I noticed an interesting thing: both services, each in its own way, mixed #U2F and #passkeys in settings. It basically wasn't possible to know what I was going to set. Even the terms used in popups were different at different stages of the process.

Later I could check that it was saved on the Yubikey as passkeys, and that was probably the only way to be sure.

Now I wonder why these settings were so mixed. Did they do it on purpose? Or is it just their "normal" UI/UX chaos?
Has anyone who uses more mainstream, passkey-supporting services seen something similar? I haven't seen any other passkeys "in the wild" to compare.

Does #KDE not support #u2f in Polkit prompts?

That nerdy urge to configure pam-u2f on a work computer

#nerd #u2f #yubikey

Actually, you just significantly reduced my security, Gandi. You should have let the users manage this transition, or at least warned them ahead of time what was going to happen if they didn't.

Replacing unphishable auth (old school U2F is still quite functional!) with phishable auth (email) without user consent is not acceptable.

#Gandi #SecurityKeys #U2F

Wow! I've just discovered that it's possible to use Secure Element as #u2f in GrapheneOS via hw-fido2-provider [1] (btw, thank you @S1m) in Vanadium even without any external token. Successfully added my Pixel smartphone as second factor device to my addy.io account. It works finally!

1. https://codeberg.org/s1m/hw-fido2-provider

#GrapheneOS #vanadium #vanadiumbrowser #fido2 #u2f #addyio #AnonAddy


had a nice (but crowded) time at the anarchist book fair workshops today, specifically the one about not owning a phone! lots of great convos, philosophies, and modes of existence without cell phone!

lots of interest about, and shoutouts for @cwtch, @delta, and @briar -- e2ee (group) messengers that don't require a phone number (as a replacement for @signalapp)

lots of interest in #U2F, #FIDO2 hardware #2FA devices (as a replacement for SMS or push). i also recommend @keepassxc for keeping TOTP tokens!

really appreciated hearing all the side conversations about @tails, @Mastodon, and other decentralized tech

they are already planning the next one in 2026! anarchistbookfairamsterdam.org @AFA

#anarchistbookfairamsterdam #amsterdam #anarchism #bookfair #anarchistbookfair #activism #netherlands #antifascism

Important information for users of U2F keys on X (Twitter) [guide]

X (Twitter) has announced that on November 10 it will completely stop using the old twitter[.]com domain. While the vast majority of the platform's functionality has been moved to x[.]com without problems, one (a fairly important one) offers no such possibility. TL;DR: This concerns hardware U2F keys (though, strictly speaking, devices in the FIDO2 standard), which...

#WBiegu #2Fa #Awareness #Klucze #Twitter #U2f #X

https://sekurak.pl/wazna-informacja-dla-uzytkownikow-kluczy-u2f-na-x-twitterze-poradnik/


The solution that worked:
"security.pam.services.doas = {
  u2fAuth = true;
};"
Adding this into your configuration file will ensure that doas uses u2f authentication... I'm dumb

#NixOS #linux #LinuxTechTips #U2F #security #yubikey

#doas doesn't seem to support #U2F on #NixOS. It's weird: it should work but doesn't, as /etc/pam.d/doas doesn't contain pam_u2f.so and /etc/pam.d/sudo does contain it.

FYI: I have added "security.pam.services.sudo.u2fAuth = true;" to my config, and as far as I can see there is no equivalent option for doas. I also tried other hacky ways with no hope.