Neil Goldstein
You did read correctly.
The simple fact that shared secrets are used already makes them less secure, because, like they are called already, they are shared and saved on your side (Mobile, Tablet, Apps, Screenshots, ...) and on the servers. This issue doesn't exist with FIDO U2F/FIDO2 because it's based on public-key cryptography and only the generated public keys are on the servers while the private keys never leave the hardware.
And yeah, I consider WinAuth a good solution to back up those shared secrets, because you can easily set it up to encrypt the database with an HMAC that it generates in a YubiKey (everything is automated and only needs some clicks), so that this YubiKey then needs to be plugged in and also needs to be touched before you can generate codes and access the secret keys etc. So if someone steals the encrypted database, it's near useless. But it alternatively also supports a password and/or encrypting it so that the database can only be decrypted on this specific machine.
It also has some very convenient features, like generating and showing a QR Matrix for each account you added to the database, so that you can easily add/scan it on other devices/apps if needed, and of course exporting the whole database in various formats to back it up on a USB stick that you then, as an example, can put in a safe.
And of course it's also very convenient to have the codes ready to copy & paste without searching for the mobile, reading them from the screen and typing them.
Which now also leads us to another security issue with those generated codes: they aren't phishing proof, because everything that a user needs to enter theoretically also can be phished. Just another issue that doesn't exist with FIDO U2F/FIDO2, because there the users don't need to enter anything and everything happens in the hardware.
I btw. also have a Feitian BiosPass2 K27 for FIDO2, it's a very good and convenient device.
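
The shared-secret and phishing points from the comment above, as an added example that is not part of the original post: a standard-library RFC 6238 TOTP in Python in which the server has to store the same secret as the device, and in which a code carries nothing that ties it to a particular site. The secret is the constructed RFC 6238 test key; `server_verify` and `relayed_code_accepted` are hypothetical helper names.

```python
import hashlib
import hmac
import struct

# Constructed sample secret (the RFC 6238 SHA-1 test key), not a real account.
SHARED_SECRET = b"12345678901234567890"
STEP = 30  # seconds per code, the common TOTP default


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP using HMAC-SHA1 and RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_verify(stored_secret: bytes, submitted: str, unix_time: int) -> bool:
    """The server recomputes the code itself, so it must keep the same
    secret the device holds. Whoever holds a copy can produce valid codes."""
    return hmac.compare_digest(totp(stored_secret, unix_time), submitted)


def relayed_code_accepted(typed_at: int, checked_at: int) -> bool:
    """The code is a function of secret and time only. The verifier cannot
    tell on which page the user typed it, only whether the time step matches."""
    code = totp(SHARED_SECRET, typed_at)
    return server_verify(SHARED_SECRET, code, checked_at)


if __name__ == "__main__":
    now = 59  # constructed timestamp from the RFC 6238 test vectors
    device_code = totp(SHARED_SECRET, now)
    print("device code:         ", device_code)
    print("server accepts:      ", server_verify(SHARED_SECRET, device_code, now))
    # A copy of the server-side secret yields the same code as the device.
    leaked_copy = bytes(SHARED_SECRET)
    print("code from leaked copy:", totp(leaked_copy, now))
    # Typed at t=31, checked at t=59: same 30 s step, so it verifies.
    print("same-step relay:     ", relayed_code_accepted(31, 59))
    print("next-step relay:     ", relayed_code_accepted(31, 61))
```

With FIDO U2F/FIDO2 the server-side record is a public key and the signed response includes the origin, which is why neither property shown here carries over.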