As in "software-only"? Not only no but heck no; the protocol is fairly flexible about what's at the client end.
Question for everyone cheering adoption of opt-in or even mandatory U2F: is there a guarantee sites can't prevent use of soft U2F?
-
Only real rule is that it has to be able to sign messages with the key matching the public key the site was told about in setup.
-
I wonder about things like banks giving you a physical usb device and requiring you to use its key.
-
They could, but it'd break spec and require them to somehow get the private key. Most U2F keys don't release that ever.
-
No, it only requires them to have the public key.
-
Right. Oops.
-
Problem then is accumulation of tons of physical devices you have to carry, and incompatibility with devices that can't access hardware (like a strict VM).
End of conversation
New conversation
-
No, there is no such guarantee. U2F includes remote attestation. Vendors are supposed to share attestation certs every batch for privacy.
-
However, given the average competence level in our industry, I doubt anybody will ever check attestation certificates.
End of conversation