I've implemented second factor authentication for my web app via FIDO U2F, and am testing using a Yubikey.
I have read that it is best practice to associate multiple hardware keys in case one is lost, but I wanted to know what the security implications were, as documentation is fairly sparse.
When an authentication attempt is made, I query the server for the challenge. The challenge is constructed using the key handle I've saved during registration, but how would I know what key the user is going to use, since the request for the challenge doesn't contain any identifying information about which key is used?
I can send back multiple challenges based on the key handles I have for that user, but even then, in the browser, I can only attempt signing of one key at a time, unless I am missing something?
Also, silly question, but during key registration, I received a keyHandle
and publicKey
back. Is one of them okay to share, or are both supposed to be kept private (the publicKey
name infers that it is okay to share)?