Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> PCs/ laptops/ etc. can use little USB hardware devices, from outfits like Yubico

This is actually built into most computers now -- Windows Hello, and Apple has something similar. Websites can check the attestation response to specifically block those, however. (Seems like Github allows it, and I've written code that allows it.)

> I think some iPhones do facial recognition instead?

Yup, they use whatever you use to unlock your phone. So if it's a FaceID phone, you can use FaceID to log in. You can also hold up your NFC Yubikey to the back of the phone and use that, even if you registered the key over USB on a PC! It's really, really good.



> Websites can check the attestation response to specifically block those, however. (Seems like Github allows it, and I've written code that allows it.)

For the client side of things WebAuthn contains a standard option to block/allow "platform" authenticators, which I empirically know includes Windows Hello, and I'm not sure about Apple's or other equivalents. Of course you'd still want to verify the attestation on the server side.


> Of course you'd still want to verify the attestation on the server side.

You almost certainly do not want to do this for a public web site. If you insist on attestation right thinking people will hit "No" and block the site.

Think about it, what is attestation doing for you in this scenario? You're saying that you don't trust your users/ customers to pick the authentication methods that work for them, and instead you're going to insist on methods you prefer. Do you also choose each user's passwords? "No, sorry, that resembles an English word, we have selected the password 48'J3X$q)M3NBfr_2 for you instead" ?

In a corporate environment this could make sense. If you issue every employee a $100 FooCorp Security Key with their photo engraved on it, maybe you decide to require attestation that the keys used are FooCorp brand keys to prevent employees adding some off-brand Yubico product. I don't know whether that's a good idea, but it's no crazier than lots of corporate policies, however doing this for a public site makes no sense, please just skip attestation.


Yes! Any developer that forces the user to use a specific type of device needs to be smacked around a bit (or more accurately, the manager that told them to do it that way). Banks are notorious for this, since their stupid 2FA apps will do insane things like scan your app list for common root-only apps and non-vendor ROMs (even with no root). Some even have a vendor whitelist that obscure brands (like OnePlus used to be) aren't on and in both cases, their only response is "well just factory reset your phone" or "just buy a different device". I've switched banks twice because of this insanity.

And there's no reason to do this! It's not like they're liable if I get my money stolen. If they prove 2FA was used and the security issue was on my device, not their app/server, it's my fault! As you said, if you're a custodian of something sensitive (an account, documents, money..), not the owner of it, it makes sense that the owner shouldd be able to dictate how you should protect it (like if you're accessing confidential company documents using 2FA). But in any other case, the service provider should never be allowed to force you to use a certain type of authentication device.


Can you hold your NFC Yubikey to the back of an iPhone? I thought Apple didn’t do NFC, appart from ApplePay?


Your recollection was correct but is now a few years out of date. As is typical Apple they intro'd it (in 2017 IIRC) as a 1st party dogfood item, started read only. Then in 2019 with iOS 13 allowing far more power including full range of two way authentication capability. Yubico blogged about it [0] after the announcement, and Apple's HIG on use of NFC [1] is also available. Also, Safari itself needed to have support added, but that too is now available.

So old workarounds like using the lightning port are no longer necessary, though AFAIK are still supported. It's nice to have it there as well since to really be most effective every platform a user has needs to support hardware 2FA. If something still needs SMS or OTP or whatever that becomes the weakest link.

----

0: https://www.yubico.com/blog/yubico-ios-authentication-expand...

1: https://developer.apple.com/design/human-interface-guideline...


My NFC Yubikey works fine with my iPhone 8.


It's built into Apple devices yeah (touch ID) but this is only supported in Chrome and Safari.

Firefox does NOT support Touch ID for webauthn




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: