FIDO2 hardware hits the shelves, but what are the limitations it brings with it?

I read every Yubico publication and looked at the webinars, but they keep some information unsaid for some reason.

When using the YubiKey 5 for Single Strong Factor, they claim the authenticator (I guess they mean the physical key's CPU) generates a key pair for every site you enroll with using the "resident keys" method. They admit there's a limit to the number of enrollments, since each one takes up a slot on the key, so it's not unlimited like U2F. I therefore wonder:

  1. What is the upper limit of slots on the new 5 series? (I don't know of other vendors offering FIDO2 yet at this time)

  2. Can one manually reset old used slots to free up room?

  3. Can a remote malicious site potentially create multiple key enrollment events, causing the key to fill up all the free slots?

  4. When I get to the login page of a service where I have more than one account enrolled, which part of the chain asks me to pick the credential I wish to log in with? The local client (web browser usually) or the remote server?

  5. Can the remote server detect that two accounts have enrolled with the same key? Is that not a privacy issue users should be aware of?

Thanks for any info you know, whether FIDO2 in general or Yubico hardware specifically.

(Tried to tag this FIDO2 but I can't create a new tag)

credential-manager yubico fido

edited Oct 15 '18 at 18:27 by Luke Walker
asked Oct 11 '18 at 10:21 by Ira

  • Nada? Nobody knows and Yubico are not telling. At least I earned a "Tumbleweed badge" from StackOverflow. Thanks, I guess :)
    – Ira
    Oct 27 '18 at 10:42

1 Answer
I can try to answer some of your concerns:

  1. Basically there are two options for a hardware token: to generate and store a new key pair for each registration (called resident keys), or to use key-wrapping and "store" keys on the relying party's server as the credentialId (https://www.w3.org/TR/webauthn/#sctn-credential-storage-modality). YubiKey 5 supports both options: when the relying party asks to use your key as MFA/passwordless ("requireResidentKey": false), then a new key pair is generated and stored on the device; when the relying party asks to use your key as a second factor only, then key-wrapping is used and no internal memory is used. YubiKey 5 can store only 25 key pairs (https://support.yubico.com/support/solutions/articles/15000014219-yubikey-5-series-technical-manual#FIDO2r09kph).

  2. You can only do a factory reset of your token (all or nothing). This is defined by CTAP2 (https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-client-to-authenticator-protocol-v2.0-rd-20170927.html#authenticatorReset). In theory Yubico may provide a custom tool for managing credentials one by one, but I'm not aware of such a tool.

  3. Not unless you touch your key each time (presence detection).

  4. It depends on the relying party. WebAuthn (FIDO2) allows both cases and YubiKey 5 supports them both. If the website is using the token only as a second factor (like U2F), then it asks for a specific credential. If your key is used as a passwordless token AND the relying party does not ask for a specific credential, then the platform (or browser) collects all credentials linked to the relying party and displays a selection dialog.

  5. Yes and no. The relying party can provide a list of known credentials (excludeList in CTAP2) to your token, and then your token must deny registration if it already has credentials from that list. But this is only useful for preventing assigning the same key to the same account.

edited Nov 19 '18 at 21:48
answered Nov 18 '18 at 23:12 by Dissimilis