FIDO2 hardware hits the shelves, but what are the limitations it brings with it?
I read every Yubico publication and looked at the webinars, but they keep some information unsaid for some reason.
When using the Yubikey 5 for Single Strong Factor, they claim the authenticator (I guess they mean the physical key's CPU) generates a key-pair for every site you enroll to with the "resident keys" method. They admit there's a limit to the number of enrolls, since they each take up a slot on the key, so it's not unlimited like U2F. I therefore wonder:
- What is the upper limit of slots on the new 5 series? (I don't know of other vendors offering FIDO2 yet at this time)
- Can one manually reset old used slots to free up room?
- Can a remote malicious site potentially create multiple key enrollment events, causing the key to fill up all the free slots?
- When I get to the login page of a service where I have more than one account enrolled, which part of the chain asks me to pick the credential I wish to login with? The local client (web browser usually) or the remote server?
- Can the remote server detect that two accounts have enrolled with the same key? Is that not a privacy issue users should be aware of?
Thanks for any info you know, whether FIDO2 in general or Yubico hardware specifically.
(Tried to tag this FIDO2 but I can't create a new tag)
credential-manager yubico fido
add a comment |
I read every Yubico publication and looked at the webinars, but they keep some information unsaid for some reason.
When using the Yubikey 5 for Single Strong Factor, they claim the authenticator (I guess they mean the physical key's CPU) generates a key-pair for every site you enroll to with the "resident keys" method. They admit there's a limit to the number of enrolls, since they each take up a slot on the key, so it's not unlimited like U2F. I therefore wonder:
- What is the upper limit of slots on the new 5 series? (I don't know of other vendors offering FIDO2 yet at this time)
- Can one manually reset old used slots to free up room?
- Can a remote malicious site potentially create multiple key enrollment events, causing the key to fill up all the free slots?
- When I get to the login page of a service where I have more than one account enrolled, which part of the chain asks me to pick the credential I wish to login with? The local client (web browser usually) or the remote server?
- Can the remote server detect that two accounts have enrolled with the same key? Is that not a privacy issue users should be aware of?
Thanks for any info you know, whether FIDO2 in general or Yubico hardware specifically.
(Tried to tag this FIDO2 but I can't create a new tag)
credential-manager yubico fido
Nada? Nobody knows and Yubico are not telling. At least I earned a "Tumbleweed badge" from StackOverflow. Thanks, I guess :)
– Ira
Oct 27 '18 at 10:42
add a comment |
I read every Yubico publication and looked at the webinars, but they keep some information unsaid for some reason.
When using the Yubikey 5 for Single Strong Factor, they claim the authenticator (I guess they mean the physical key's CPU) generates a key-pair for every site you enroll to with the "resident keys" method. They admit there's a limit to the number of enrolls, since they each take up a slot on the key, so it's not unlimited like U2F. I therefore wonder:
- What is the upper limit of slots on the new 5 series? (I don't know of other vendors offering FIDO2 yet at this time)
- Can one manually reset old used slots to free up room?
- Can a remote malicious site potentially create multiple key enrollment events, causing the key to fill up all the free slots?
- When I get to the login page of a service where I have more than one account enrolled, which part of the chain asks me to pick the credential I wish to login with? The local client (web browser usually) or the remote server?
- Can the remote server detect that two accounts have enrolled with the same key? Is that not a privacy issue users should be aware of?
Thanks for any info you know, whether FIDO2 in general or Yubico hardware specifically.
(Tried to tag this FIDO2 but I can't create a new tag)
credential-manager yubico fido
I read every Yubico publication and looked at the webinars, but they keep some information unsaid for some reason.
When using the Yubikey 5 for Single Strong Factor, they claim the authenticator (I guess they mean the physical key's CPU) generates a key-pair for every site you enroll to with the "resident keys" method. They admit there's a limit to the number of enrolls, since they each take up a slot on the key, so it's not unlimited like U2F. I therefore wonder:
- What is the upper limit of slots on the new 5 series? (I don't know of other vendors offering FIDO2 yet at this time)
- Can one manually reset old used slots to free up room?
- Can a remote malicious site potentially create multiple key enrollment events, causing the key to fill up all the free slots?
- When I get to the login page of a service where I have more than one account enrolled, which part of the chain asks me to pick the credential I wish to login with? The local client (web browser usually) or the remote server?
- Can the remote server detect that two accounts have enrolled with the same key? Is that not a privacy issue users should be aware of?
Thanks for any info you know, whether FIDO2 in general or Yubico hardware specifically.
(Tried to tag this FIDO2 but I can't create a new tag)
credential-manager yubico fido
credential-manager yubico fido
edited Oct 15 '18 at 18:27
Luke Walker
182
182
asked Oct 11 '18 at 10:21
IraIra
354
354
Nada? Nobody knows and Yubico are not telling. At least I earned a "Tumbleweed badge" from StackOverflow. Thanks, I guess :)
– Ira
Oct 27 '18 at 10:42
add a comment |
Nada? Nobody knows and Yubico are not telling. At least I earned a "Tumbleweed badge" from StackOverflow. Thanks, I guess :)
– Ira
Oct 27 '18 at 10:42
Nada? Nobody knows and Yubico are not telling. At least I earned a "Tumbleweed badge" from StackOverflow. Thanks, I guess :)
– Ira
Oct 27 '18 at 10:42
Nada? Nobody knows and Yubico are not telling. At least I earned a "Tumbleweed badge" from StackOverflow. Thanks, I guess :)
– Ira
Oct 27 '18 at 10:42
add a comment |
1 Answer
1
active
oldest
votes
I can try to answer some of your concerns:
- Basically there are two options for hardware token: to generate and store new key pair for each registration (called resident keys) or to use key-wrapping and "store" keys on relying party's server as credentialId (https://www.w3.org/TR/webauthn/#sctn-credential-storage-modality). YubiKey 5 supports both options: when relying party asks to use your key as MFA/passwordess (
"requireResidentKey": false
), then new key pair is generated and stored on device; when relying party asks to use your key as second factor only, then key-wrapping is used and no internal memory is used. YubiKey 5 can store only 25 key pairs (https://support.yubico.com/support/solutions/articles/15000014219-yubikey-5-series-technical-manual#FIDO2r09kph). - You can only do factory reset of your token (all of nothing). This is defined by CTAP2 (https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-client-to-authenticator-protocol-v2.0-rd-20170927.html#authenticatorReset). In theory Yubico may provide custom tool for managing credentials one by one, but I'm not aware of such tool.
- Not unless you touch your key each time (presence detection).
- It depends on relying party. WebAuthn (FIDO2) allows both cases and Yubikey 5 supports them both. If website is using token only as second factor (like U2F), then it asks for specific credential. If your key is used as paswordless token AND relying party does not ask for specific credential, then platform (or browser) collects all credentials linked to relying party and displays selection dialog.
- Yes and no. Relying party can provide a list of known credentials (excludeList in CTAP2) to your token and then your token must deny registration if it already has credentials from that list. But this is only useful for preventing assigning same key to same account.
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f52757708%2ffido2-hardware-hits-the-shelves-but-what-are-the-limitations-it-brings-with-it%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
I can try to answer some of your concerns:
- Basically there are two options for hardware token: to generate and store new key pair for each registration (called resident keys) or to use key-wrapping and "store" keys on relying party's server as credentialId (https://www.w3.org/TR/webauthn/#sctn-credential-storage-modality). YubiKey 5 supports both options: when relying party asks to use your key as MFA/passwordess (
"requireResidentKey": false
), then new key pair is generated and stored on device; when relying party asks to use your key as second factor only, then key-wrapping is used and no internal memory is used. YubiKey 5 can store only 25 key pairs (https://support.yubico.com/support/solutions/articles/15000014219-yubikey-5-series-technical-manual#FIDO2r09kph). - You can only do factory reset of your token (all of nothing). This is defined by CTAP2 (https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-client-to-authenticator-protocol-v2.0-rd-20170927.html#authenticatorReset). In theory Yubico may provide custom tool for managing credentials one by one, but I'm not aware of such tool.
- Not unless you touch your key each time (presence detection).
- It depends on relying party. WebAuthn (FIDO2) allows both cases and Yubikey 5 supports them both. If website is using token only as second factor (like U2F), then it asks for specific credential. If your key is used as paswordless token AND relying party does not ask for specific credential, then platform (or browser) collects all credentials linked to relying party and displays selection dialog.
- Yes and no. Relying party can provide a list of known credentials (excludeList in CTAP2) to your token and then your token must deny registration if it already has credentials from that list. But this is only useful for preventing assigning same key to same account.
add a comment |
I can try to answer some of your concerns:
- Basically there are two options for hardware token: to generate and store new key pair for each registration (called resident keys) or to use key-wrapping and "store" keys on relying party's server as credentialId (https://www.w3.org/TR/webauthn/#sctn-credential-storage-modality). YubiKey 5 supports both options: when relying party asks to use your key as MFA/passwordess (
"requireResidentKey": false
), then new key pair is generated and stored on device; when relying party asks to use your key as second factor only, then key-wrapping is used and no internal memory is used. YubiKey 5 can store only 25 key pairs (https://support.yubico.com/support/solutions/articles/15000014219-yubikey-5-series-technical-manual#FIDO2r09kph). - You can only do factory reset of your token (all of nothing). This is defined by CTAP2 (https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-client-to-authenticator-protocol-v2.0-rd-20170927.html#authenticatorReset). In theory Yubico may provide custom tool for managing credentials one by one, but I'm not aware of such tool.
- Not unless you touch your key each time (presence detection).
- It depends on relying party. WebAuthn (FIDO2) allows both cases and Yubikey 5 supports them both. If website is using token only as second factor (like U2F), then it asks for specific credential. If your key is used as paswordless token AND relying party does not ask for specific credential, then platform (or browser) collects all credentials linked to relying party and displays selection dialog.
- Yes and no. Relying party can provide a list of known credentials (excludeList in CTAP2) to your token and then your token must deny registration if it already has credentials from that list. But this is only useful for preventing assigning same key to same account.
add a comment |
I can try to answer some of your concerns:
- Basically there are two options for hardware token: to generate and store new key pair for each registration (called resident keys) or to use key-wrapping and "store" keys on relying party's server as credentialId (https://www.w3.org/TR/webauthn/#sctn-credential-storage-modality). YubiKey 5 supports both options: when relying party asks to use your key as MFA/passwordess (
"requireResidentKey": false
), then new key pair is generated and stored on device; when relying party asks to use your key as second factor only, then key-wrapping is used and no internal memory is used. YubiKey 5 can store only 25 key pairs (https://support.yubico.com/support/solutions/articles/15000014219-yubikey-5-series-technical-manual#FIDO2r09kph). - You can only do factory reset of your token (all of nothing). This is defined by CTAP2 (https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-client-to-authenticator-protocol-v2.0-rd-20170927.html#authenticatorReset). In theory Yubico may provide custom tool for managing credentials one by one, but I'm not aware of such tool.
- Not unless you touch your key each time (presence detection).
- It depends on relying party. WebAuthn (FIDO2) allows both cases and Yubikey 5 supports them both. If website is using token only as second factor (like U2F), then it asks for specific credential. If your key is used as paswordless token AND relying party does not ask for specific credential, then platform (or browser) collects all credentials linked to relying party and displays selection dialog.
- Yes and no. Relying party can provide a list of known credentials (excludeList in CTAP2) to your token and then your token must deny registration if it already has credentials from that list. But this is only useful for preventing assigning same key to same account.
I can try to answer some of your concerns:
- Basically there are two options for hardware token: to generate and store new key pair for each registration (called resident keys) or to use key-wrapping and "store" keys on relying party's server as credentialId (https://www.w3.org/TR/webauthn/#sctn-credential-storage-modality). YubiKey 5 supports both options: when relying party asks to use your key as MFA/passwordess (
"requireResidentKey": false
), then new key pair is generated and stored on device; when relying party asks to use your key as second factor only, then key-wrapping is used and no internal memory is used. YubiKey 5 can store only 25 key pairs (https://support.yubico.com/support/solutions/articles/15000014219-yubikey-5-series-technical-manual#FIDO2r09kph). - You can only do factory reset of your token (all of nothing). This is defined by CTAP2 (https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-client-to-authenticator-protocol-v2.0-rd-20170927.html#authenticatorReset). In theory Yubico may provide custom tool for managing credentials one by one, but I'm not aware of such tool.
- Not unless you touch your key each time (presence detection).
- It depends on relying party. WebAuthn (FIDO2) allows both cases and Yubikey 5 supports them both. If website is using token only as second factor (like U2F), then it asks for specific credential. If your key is used as paswordless token AND relying party does not ask for specific credential, then platform (or browser) collects all credentials linked to relying party and displays selection dialog.
- Yes and no. Relying party can provide a list of known credentials (excludeList in CTAP2) to your token and then your token must deny registration if it already has credentials from that list. But this is only useful for preventing assigning same key to same account.
edited Nov 19 '18 at 21:48
answered Nov 18 '18 at 23:12
DissimilisDissimilis
312110
312110
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f52757708%2ffido2-hardware-hits-the-shelves-but-what-are-the-limitations-it-brings-with-it%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Nada? Nobody knows and Yubico are not telling. At least I earned a "Tumbleweed badge" from StackOverflow. Thanks, I guess :)
– Ira
Oct 27 '18 at 10:42