Azure AD, Fido2, Temporary Access Pass and Phishing

  • Published 7 Sep 2024

COMMENTS • 24

  • @mattq5474
    @mattq5474 6 months ago

    subscribed! great stuff, thank you so much for not just reading the settings like some other youtube trainers but providing context and behind the scenes info, hugely appreciated!

  • @AndyMaloneMVP
    @AndyMaloneMVP 1 year ago +1

    Awesome John. Cool stuff!

  • @KakaTu272
    @KakaTu272 1 year ago

    Refreshing, that's awesome John.

    • @john_craddock
      @john_craddock 1 year ago

      Thanks Tete, hopefully refreshing all the right parts🤣

  • @patrick__007
    @patrick__007 1 year ago +1

    Excellent content. Can we expect a weekly update? 😃

    • @john_craddock
      @john_craddock 1 year ago +1

      Hi Patrick, that's my plan! I am pleased you enjoyed it.

  • @sunnykohli9430
    @sunnykohli9430 1 year ago

    Sir, keep posting. I am a subscriber of the legend Andy, now looking forward to learning from you.

    • @john_craddock
      @john_craddock 1 year ago +1

      Hi Sunny, thanks for joining. Don't stop following Andy 🤣🤣

  • @adamabakaradam7865
    @adamabakaradam7865 1 year ago

    It's very informative, thanks.

    • @john_craddock
      @john_craddock 1 year ago

      Hi Adam, thanks for watching and commenting.

  • @rtenklooster
    @rtenklooster 1 year ago

    Hi John, thanks for your amazing videos. I am wondering if I can download the OpenID Connect demo/debug webapp somewhere?

    • @john_craddock
      @john_craddock 1 year ago

      Hi Richard, I am glad you appreciate the videos, thanks for letting me know. At the moment I only make the webapp available to people that come on my Identity Masterclass - sorry!

  • @shayarand
    @shayarand 1 year ago

    What would be the angle a pentester would approach from when auditing the FIDO2 implementation used by an application? I'm speaking from a blackbox perspective.

    • @john_craddock
      @john_craddock 1 year ago

      There are two aspects here, the application and the entity that checks the authentication. They could be the same. In the case of Azure AD, Azure AD will be the relying party managing the authentication. The application could be one of the M365 suite of apps. From an application perspective you could validate the type of authentication strength required and whether those requirements are enforced by the application. From an IdP perspective, you could validate if FIDO2 is required, the type of FIDO2 key, and if signature validation is enforced.

    • @shayarand
      @shayarand 1 year ago

      @@john_craddock Thank you! I appreciate you taking the time to answer.

  • @patrick__007
    @patrick__007 1 year ago

    What about phishing resistant as an authentication strength and logging in from various devices? In the first demo (15.17) you had activated the FIDO key from Windows. Is that a requirement? So this isn't going to work on shared or private devices?

    • @john_craddock
      @john_craddock 1 year ago +1

      Hi Patrick, I initialise the key so that it is cleared of all credentials and I can add a new PIN and biometric. This is not Windows dependent, and it can be used on any device. I hope that clarifies your question.

  • @Doctair
    @Doctair 11 months ago

    John, I followed your steps to the letter, but as soon as I test my pilot user, I put in the OTP and then it says "Great job done". Then it loops repeatedly. I think this may be due to the SSRP perhaps? This user doesn't have a cell phone... not kidding 😢. How can I get around this or exclude them from being forced to register a cell number? Thanks

    • @Doctair
      @Doctair 11 months ago

      After further digging, I believe this has to do with SSRP being enabled for All Users. I can't register password reset for a key-only user. Did you need to apply some exclusions to your v-john user in the demo?

    • @john_craddock
      @john_craddock 11 months ago

      Hi @Doctair, sorry for the slow response, it's been a very busy few weeks! Can you provide a few more details of what you are attempting, and also the video time for the demo you are referring to, and I will take a look. Thanks, John

    • @Doctair
      @Doctair 10 months ago

      @@john_craddock Hi John, just had time to circle back on this. There is no problem with setting up the TAP and FIDO2 keys. Your vid was perfect! My issue was that my version of the "real" v-john had been in a loop after the OTP is put in. I could not register the key in the "adding FIDO key to your account" section until I disabled SSRP for the entire tenant. In your demo environment, did you already have SSRP disabled or selected to a specific group that perhaps v-john was not a part of? Are there additional settings you had before your demo was recorded? I hope that makes sense? Thanks again for the great vids. Been learning a lot.

  • @VivoKey
    @VivoKey 1 year ago

    Hi John, at around 8 minutes into the video you mentioned that browsers talk directly to authenticators. Is that actually true? I ask because it seems that the browser actually makes a request of the operating system. On Windows, for example, a dialog box appears from the Windows operating system, not from the browser. The same occurs on Android phones. How exactly does that interface work between browser, operating system and authenticator token?

    • @john_craddock
      @john_craddock 1 year ago +2

      Hi VivoKey, thanks for watching! If you want to get into the actual details of the code flows, have a look at the Mozilla docs here: developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API. A good starting point is the Yubico "The WebAuthn standard" whitepaper. You will see CTAP2 works alongside the WebAuthn APIs.