Implements FIDO2/WebAuthn hardware security key authentication including registration ceremonies, authentication flows, YubiKey enrollment, and passkey migration strategies. Builds a complete relying party server using the python-fido2 library that supports cross-platform authenticators, resident key (discoverable credential) workflows, and user verification policies. Activates for requests involving FIDO2 implementation, WebAuthn registration, hardware security key enrollment, YubiKey integration, or passkey migration from password-based authentication.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionimplementing-hardware-security-key-authenticationExecute the skills CLI command in your project's root directory to begin installation:
Fetches implementing-hardware-security-key-authentication from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate implementing-hardware-security-key-authentication. Access via /implementing-hardware-security-key-authentication in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | implementing-hardware-security-key-authentication |
| description | 'Implements FIDO2/WebAuthn hardware security key authentication including registration ceremonies, authentication flows, YubiKey enrollment, and passkey migration strategies. Builds a complete relying party server using the python-fido2 library that supports cross-platform authenticators, resident key (discoverable credential) workflows, and user verification policies. Activates for requests involving FIDO2 implementation, WebAuthn registration, hardware security key enrollment, YubiKey integration, or passkey migration from password-based authentication. ' |
| domain | cybersecurity |
| subdomain | identity-and-access-management |
| tags | - FIDO2 - WebAuthn - hardware-security-key - YubiKey - passkeys - passwordless-authentication - CTAP2 |
| version | 1.0.0 |
| author | mukul975 |
| license | Apache-2.0 |
| atlas_techniques | - AML.T0051 - AML.T0054 - AML.T0056 |
| nist_ai_rmf | - MEASURE-2.7 - MEASURE-2.5 - GOVERN-6.1 - MAP-5.1 |
| nist_csf | - PR.AA-01 - PR.AA-02 - PR.AA-05 |
Do not use without HTTPS in production (WebAuthn requires a secure origin), for systems where users cannot physically access a USB/NFC port, or as the sole authentication factor without a recovery mechanism for lost keys.
fido2 (python-fido2 >= 2.0.0), flask, and cryptography libraries installedConfigure the WebAuthn relying party (RP) identity and server:
PublicKeyCredentialRpEntity with the relying party name (display name shown to users) and RP ID (the effective domain of the application). The RP ID must be a registrable domain suffix of the origin -- for example, example.com is valid for https://auth.example.com but other.com is not.Fido2Server class from the python-fido2 library with the RP entity. The server handles challenge generation, attestation verification, and assertion validation.none: No attestation requested (simplest, recommended for most deployments)indirect: Attestation may be provided but CA may anonymize itdirect: Full attestation chain from the authenticator's manufacturerenterprise: Device-identifying attestation for managed environmentscredential_id (binary), public_key (COSE key), sign_count (uint32 for clone detection), user_id, created_at, last_used, display_name, and transports (USB, NFC, BLE, internal).Implement the WebAuthn registration flow to create new credentials:
server.register_begin() with the user entity (PublicKeyCredentialUserEntity containing user ID, username, and display name), the list of existing credentials for the user (to prevent duplicate registration), and options for user_verification and authenticator_attachment.authenticator_attachment: cross-platform restricts to roaming authenticators (USB/NFC keys)authenticator_attachment: platform restricts to built-in authenticators (Touch ID, Windows Hello)resident_key: required forces creation of a discoverable credential (passkey) stored on the authenticatoruser_verification: required enforces PIN or biometric verification on the authenticatornavigator.credentials.create() with the options from the server. The authenticator generates a new key pair, stores the private key in its secure element, and returns the public key, credential ID, attestation object, and client data JSON.server.register_complete() with the saved state and the client response. The server verifies the attestation signature, extracts the credential public key and ID, and returns AuthenticatorData containing the credential data to store.credential_data (contains credential_id, public_key as COSE key, and sign_count) to the database associated with the user account.Implement the WebAuthn authentication flow to verify credentials:
server.authenticate_begin() with the list of registered credentials for the user (or omit for discoverable credential flows where the authenticator identifies the user). Set user_verification based on the assurance level required.navigator.credentials.get() with the server options. The authenticator locates the matching credential, performs user verification if required, increments the signature counter, and signs the challenge with the private key.server.authenticate_complete() with the saved state, registered credentials, and the client response. The server verifies the assertion signature against the stored public key and validates the signature counter has incremented (clone detection).sign_count for the credential. If the new sign count is not greater than the stored value, the key may have been cloned -- flag this as a security event.userHandle identifies the user.Implement organizational YubiKey provisioning workflows:
clientPin command.Plan and execute migration from passwords to passkeys:
| Term | Definition |
|---|---|
| FIDO2 | An umbrella term for the combination of the W3C WebAuthn API and the FIDO Alliance CTAP2 protocol, enabling passwordless and phishing-resistant authentication using public key cryptography |
| WebAuthn | The W3C Web Authentication API that allows web applications to create and use public key credentials via navigator.credentials.create() (registration) and navigator.credentials.get() (authentication) |
| CTAP2 | Client to Authenticator Protocol version 2; the protocol used by the browser (client) to communicate with external authenticators over USB, NFC, or BLE |
| Relying Party (RP) | The web application or service that requests authentication; identified by its RP ID (a domain) and RP name (display string) |
| Discoverable Credential (Passkey) | A credential stored on the authenticator that can be enumerated without the RP providing a credential ID, enabling username-less authentication flows |
| Attestation | Cryptographic proof from the authenticator about its identity and properties; used by the RP to verify the authenticator model and manufacturer |
| AAGUID | Authenticator Attestation Globally Unique Identifier; a 128-bit value identifying the authenticator model (e.g., all YubiKey 5 NFC devices share the same AAGUID) |
| Sign Count | A monotonically increasing counter maintained by the authenticator and included in each assertion; used by the RP to detect cloned authenticators |
| User Verification (UV) | Local authentication on the authenticator itself (PIN, fingerprint, face recognition) that proves the person holding the authenticator is the legitimate owner |
Fido2Server for relying party implementation and CtapHidDevice/Fido2Client for direct authenticator communication over USBgenerate_registration_options(), verify_registration_response(), generate_authentication_options(), and verify_authentication_response() functionsContext: A software company wants to replace TOTP-based MFA with hardware security keys for its 50-person development team. Developers have root access to production infrastructure and are high-value targets for phishing attacks. The company has standardized on YubiKey 5 NFC.
Approach:
authenticator_attachment: cross-platform and user_verification: requiredPitfalls:
user_verification: discouraged which allows anyone who physically possesses the key to authenticate without a PINContext: An e-commerce platform wants to offer passkey-based passwordless login to its 2 million users as an alternative to passwords, reducing account takeover from credential stuffing and phishing.
Approach:
resident_key: required to create discoverable credentials that enable username-less loginauthenticator_attachmentnavigator.credentials.get() with an empty allowCredentials list, prompting the authenticator to present available passkeysPitfalls:
## FIDO2 Deployment Report
**Application**: auth.example.com
**RP ID**: example.com
**Date**: 2026-03-19
### Enrollment Summary
- **Total Users**: 50
- **Users with Primary Key**: 50 (100%)
- **Users with Backup Key**: 47 (94%)
- **Authenticator Models**: YubiKey 5 NFC (48), YubiKey 5C NFC (2)
### Authentication Metrics (Last 30 Days)
- **Total Authentications**: 12,847
- **FIDO2 Authentications**: 12,203 (95.0%)
- **TOTP Fallback**: 644 (5.0%) -- grace period active
- **Mean Authentication Time**: 2.3 seconds
- **Authentication Failures**: 127 (0.99%)
- User cancelled: 89
- Timeout: 23
- Invalid signature: 12
- Sign count regression (possible clone): 3
### Security Events
- **Lost Key Reports**: 2
- User A: primary key lost 2026-03-12, revoked, backup promoted, new backup enrolled
- User B: backup key damaged 2026-03-15, revoked, replacement enrolled
### Credential Details
| User | Key Label | AAGUID | Registered | Last Used | Sign Count |
|------|-----------|--------|------------|-----------|------------|
| alice | YubiKey Primary | 2fc0579f... | 2026-02-15 | 2026-03-19 | 847 |
| alice | YubiKey Backup | 2fc0579f... | 2026-02-15 | 2026-03-01 | 12 |
| bob | YubiKey Primary | 2fc0579f... | 2026-02-16 | 2026-03-19 | 631 |
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
Keeps context tight: implementing-hardware-security-key-authentication is the kind of skill you can hand to a new teammate without a long onboarding doc.
We added implementing-hardware-security-key-authentication from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
Useful defaults in implementing-hardware-security-key-authentication — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
Solid pick for teams standardizing on skills: implementing-hardware-security-key-authentication is focused, and the summary matches what you get after install.
Keeps context tight: implementing-hardware-security-key-authentication is the kind of skill you can hand to a new teammate without a long onboarding doc.
Registry listing for implementing-hardware-security-key-authentication matched our evaluation — installs cleanly and behaves as described in the markdown.
We added implementing-hardware-security-key-authentication from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
implementing-hardware-security-key-authentication has been reliable in day-to-day use. Documentation quality is above average for community skills.
I recommend implementing-hardware-security-key-authentication for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Registry listing for implementing-hardware-security-key-authentication matched our evaluation — installs cleanly and behaves as described in the markdown.
showing 1-10 of 70