
Today I read this blog entry by Yubico regarding Asynchronous Remote Key Generation. This proposal solves, in my view, the largest outstanding problem in the wide-scale adoption of challenge-response hardware authentication keys.

Some background:

The basic problem is this: hardware keys are currently impractical for most users, because you need to make backup keys in order to prevent losing access to accounts. But currently, to make a backup, you need to physically handle and enrol multiple keys every time a new account is registered and secured with FIDO/FIDO2/U2F. The requirement for ready access to all keys mitigates the benefit of keeping backups: the point of backups is to spread risk, i.e. leave a hardware key in a bank deposit box. Essentially, the current situation presents significant usability and/or security barriers.

The idea of Asynchronous Remote Key Generation (ARKG) is basically to allow hardware keys the authority to enrol other hardware keys. In this manner, a user may maintain an off-site backup that they need only fetch if they lose their primary key.

My question is this: what is the status of Yubico's proposed extension to the WebAuthn protocol? Additionally, is this something that presently manufactured hardware keys can implement, or will we have to wait for a product refresh?

Myridium
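As an added illustration (not from the question, and not Yubico's specification or code), the following Python sketch shows the ARKG flow the question describes: the backup device publishes only a public seed, the primary device derives a fresh credential public key plus a key handle from that seed alone, and the backup device can later recover the matching private key from the handle. The group (multiplicative group mod the Mersenne prime 2^521-1 with generator 3), the KDF and the MAC are constructed for this example and are not production parameters.

```python
import hashlib
import hmac
import secrets

# Demonstration group, constructed for this example only (not a production parameter set):
# multiplicative group modulo the Mersenne prime 2^521 - 1, generator 3.
P = 2**521 - 1
G = 3
Q = P - 1  # exponents are reduced modulo the group order

def kdf(shared: int, label: bytes) -> int:
    """Derive a non-zero scalar from a shared group element (simplified HKDF-style KDF)."""
    digest = hashlib.sha512(label + shared.to_bytes(66, "big")).digest()
    return int.from_bytes(digest, "big") % Q or 1

def backup_keygen():
    """Backup authenticator: long-term key s and agreement key e; publishes the seed (S, E)."""
    s, e = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    return (s, e), (pow(G, s, P), pow(G, e, P))

def derive_pk(seed_pk, aux: bytes):
    """Primary authenticator (online): derive a new credential key from the backup's public seed,
    with no secret from the backup device involved."""
    S, E = seed_pk
    r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    shared = pow(E, r, P)                # ephemeral DH agreement with the backup's public key E
    ck = kdf(shared, b"ck")              # blinding scalar
    mk = kdf(shared, b"mk")              # MAC key binding the handle to the relying party (aux)
    derived_pk = S * pow(G, ck, P) % P   # S * g^ck == g^(s + ck)
    tag = hmac.new(mk.to_bytes(66, "big"), R.to_bytes(66, "big") + aux, "sha256").digest()
    return derived_pk, (R, tag)          # credential public key and the key handle to store with it

def derive_sk(seed_sk, cred, aux: bytes):
    """Backup authenticator (kept offline until needed): recover the private key from the handle."""
    s, e = seed_sk
    R, tag = cred
    shared = pow(R, e, P)                # same DH value, computed from the backup's secret e
    mk = kdf(shared, b"mk")
    expected = hmac.new(mk.to_bytes(66, "big"), R.to_bytes(66, "big") + aux, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None                      # handle was not made for this backup / this relying party
    return (s + kdf(shared, b"ck")) % Q

def check(derived_pk: int, derived_sk: int) -> bool:
    """Confirm the recovered private key matches the public key registered by the primary."""
    return pow(G, derived_sk, P) == derived_pk
```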
