I've implemented second factor authentication for my web app via FIDO U2F, and am testing using a Yubikey.

I have read that it is best practice to associate multiple hardware keys in case one is lost, but I wanted to know what the security implications were, as documentation is fairly sparse.

When an authentication attempt is made, I query the server for the challenge. The challenge is constructed using the key handle I've saved during registration, but how would I know what key the user is going to use, since the request for the challenge doesn't contain any identifying information about which key is used?

I can send back multiple challenges based on the key handles I have for that user, but even then, in the browser, I can only attempt signing of one key at a time, unless I am missing something?

Also, silly question, but during key registration, I received a keyHandle and publicKey back. Is one of them okay to share, or are both supposed to be kept private (the publicKey name infers that it is okay to share)?

  • Most sites that allow me to use multiple second factors let me have a default one, and a link to switch to a different one... I.e., Google asks for my U2F dongle, but I can switch to burning one of my one-time-use tokens.—If you want to let users have multiple U2F dongles, you can let them name it, and they can pick which to use. – Ghedipunk Jan 05 '22 at 21:17
  • Thanks, that's helpful! – Julian H. Lam Jan 06 '22 at 02:33
  • Keep in mind that "What I've seen" isn't the same as "This is advice that infosec professionals give." I left the comment in hopes that it'll be helpful, but it isn't something that I've looked into enough to be confident to write a full answer about it. – Ghedipunk Jan 06 '22 at 06:47

0 Answers