Question for everyone cheering adoption of opt-in or even mandatory U2F: is there a guarantee sites can't prevent use of soft U2F?
Replying to @RichFelker
As in "software-only"? Not only no but heck no; the protocol is fairly flexible about what's at the client end.
Replying to @pikhq @RichFelker
Only real rule is that it has to be able to sign messages with the key matching the public key the site was told about in setup.
Replying to @pikhq
I wonder about things like banks giving you a physical usb device and requiring you to use its key.
Replying to @RichFelker
They could, but it'd break spec and require them to somehow get the private key. Most U2F keys don't release that ever.
Replying to @pikhq
Problem then is accumulation of tons of physical devices you have to carry, & incompat with devices that can't access hw (like strict vm).
7:57 AM - 7 Oct 2017