
Context

I was answering a question about how YubiKey can generate "infinite" keypairs for Fido U2F but doesn't need to store them locally.

This leads to my initial question:

Initial Question

Can I register with a FIDO U2F service more than once, with the same physical key?

Which I tentatively answer here:

No? Gave github a try with the same key twice, and breakpointed the exception:

DOMException: The user attempted to register an authenticator 
that contains one of the credentials already registered with the relying party. 

Main Question

Can a modified WebAuthn browser API allow the same key to be registered multiple times, by ignoring the existing RegisteredKey list? The server has no way of differentiating?

According to fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-javascript-api-v1.2-ps-20170411.html#idl-def-RegisteredKey

It seems the server will ask the client/YubiKey to check a list of existing registered keys, and expect the client to answer truthfully whether it is registered already or not (or some generic error / no response). I theorize that it is possible for a SecurityKey implementing the WrappedKey method to re-register by generating a new keypair with the same master key, and the server will accept it.

PathToLife
  • The purpose of this question was to explore if a physical device could be registered twice. In hindsight, I do recognize that a user could generate any number of arbitrary key pairs to register, not associated with a physical security key. There probably exists emulated security key programs to facilitate multiple registrations on "one physical device (PC)". – PathToLife Jan 29 '22 at 23:56
  • End goal would be to see if a single security key - e.g. a YubiKey - could be registered twice just by defeating the browser check / a database sync error with it. In which case removal of a single security key may need removal of all keys to guarantee the key is no longer accepted. – PathToLife Jan 30 '22 at 00:03

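An added simulation (not code from the question or from Yubico) of the wrapped-key scheme the question describes: the authenticator keeps only a master secret, derives a fresh key handle per registration, and performs the RegisteredKey check itself, so the relying party can only compare handles it already stores. It assumes a constructed app ID and uses HMAC-based derivation as a stand-in for real ECDSA P-256 keys.

```python
import hmac, hashlib, os

APP_ID = b"https://example.test"  # constructed relying-party app ID

class SimulatedU2FKey:
    """Wrapped-key authenticator: no per-credential state on the device (HMAC stands in for ECDSA)."""
    def __init__(self):
        self.master = os.urandom(32)  # the only long-term secret on the device

    def _priv(self, app_id, nonce):
        return hmac.new(self.master, app_id + nonce, hashlib.sha256).digest()

    def _tag(self, app_id, nonce):
        msg = b"handle" + app_id + self._priv(app_id, nonce)
        return hmac.new(self.master, msg, hashlib.sha256).digest()

    def owns(self, app_id, key_handle):
        nonce, tag = key_handle[:16], key_handle[16:]
        return hmac.compare_digest(tag, self._tag(app_id, nonce))

    def register(self, app_id, exclude_list):
        # The RegisteredKey check lives here, on the client side only.
        if any(self.owns(app_id, h) for h in exclude_list):
            raise RuntimeError("credential already registered with the relying party")
        nonce = os.urandom(16)  # fresh per registration, so handles are unlinkable
        key_handle = nonce + self._tag(app_id, nonce)
        pub = hashlib.sha256(b"pub" + self._priv(app_id, nonce)).digest()
        return key_handle, pub

class RelyingParty:
    def __init__(self):
        self.creds = {}  # key_handle -> public key

    def accept(self, key_handle, pub):
        # All the RP can verify is that the handle is not one it already stores.
        if key_handle in self.creds:
            return False
        self.creds[key_handle] = pub
        return True

def demo():
    key, rp = SimulatedU2FKey(), RelyingParty()
    h1, p1 = key.register(APP_ID, [])
    rp.accept(h1, p1)
    try:  # honest client, correct list: refused (the DOMException case above)
        key.register(APP_ID, list(rp.creds))
        refused = False
    except RuntimeError:
        refused = True
    # Stale/empty list (the sync error the comments mention): the same device re-registers
    h2, p2 = key.register(APP_ID, [])
    return refused, rp.accept(h2, p2), h1 != h2, key.owns(APP_ID, h1) and key.owns(APP_ID, h2)
```

The last tuple element is the defender's point: only the device can tell that both handles are its own, so an RP that must cut off a device has to remove every credential for that user rather than one.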
0 Answers