zlacker

[parent] [thread] 4 comments
1. ylk+(OP)[view] [source] 2024-12-26 23:24:33
I agree that it's annoying that there's now a limit on the amount of credentials you can store on hardware keys. But while older Yubikeys only support 25 resident keys, models with firmware 5.7 onwards support 100. That probably makes it feasible to exclusively store passkeys in hardware. https://www.yubico.com/blog/empowering-enterprise-security-a...

However, I don't know whether it's possible to delete only a single resident key you no longer need.

replies(1): >>g_p+V
2. g_p+V[view] [source] 2024-12-26 23:35:01
>>ylk+(OP)
Yeah, a fair point (though if you can't manage keys one by one that seems a massive usability issue and oversight with no safe path to resolution).

This adds another step needing considered for a user, as finite storage means a whole edge case to consider (can't register as slots full), and no simple actionable step to take ("which account would you like to never be able to log into again?" or "sorry you need to wipe this key and lose everything, or buy another one")

I feel there is a usability aspect of FIDO2 (for non-resident MFA) that is being overlooked - the paradigm was simple - a physical key you don't lose, and you can have multiple keys. The gotcha was no way to replicate backup keys, which becomes fairly difficult for users. But hey - passkeys launched with no export or migration process between closed device ecosystems!

From my perspective though, I won't use passkeys until I get sufficient control over them to be allowed to decide if I want to make them "resident" or not. (I don't want resident keys!!)

I want to use non-resident keys everywhere as a hardware-backed second factor that is phishing resistant, without capacity limitations (so zero cognitive burden on whether to use or not).

It feels like a regression for passkeys to be forgetting about what (for me at least) was the core basic use-case of FIDO2 - as a highly secure second factor for someone who already can manage storage of secrets in software, and just wants high assurance phishing resistant MFA during their conventional login process.

replies(1): >>former+RK
◧◩
3. former+RK[view] [source] [discussion] 2024-12-27 12:15:35
>>g_p+V
> Yeah, a fair point (though if you can't manage keys one by one that seems a massive usability issue and oversight with no safe path to resolution).

You can, it’s part of CTAP2 and various apps like Yubico Authenticator are available to do it.

It’s not user-friendly, but it is possible.

replies(1): >>g_p+ld2
◧◩◪
4. g_p+ld2[view] [source] [discussion] 2024-12-27 23:48:36
>>former+RK
Thanks - yeah it seems like this is supported in FIDO 2.1 (but not 2.0). I suspect this is only implemented in Yubikey 5.7 and above.

Once the technology is there to support it, hopefully the user experience part can be improved with time.

Ref in the standard - https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-cl...

replies(1): >>former+Xn5
◧◩◪◨
5. former+Xn5[view] [source] [discussion] 2024-12-29 11:45:49
>>g_p+ld2
It's available since at least Yubikey 5.2 (~2020).

edit: Indeed, that's the firmware revision credential management was added, per this blog post: https://www.yubico.com/blog/whats-new-in-yubikey-firmware-5-...

I'm honestly very annoyed with Yubico that they just froze their product line-up circa 2018 and pretend the major changes in firmware (5.2, 5.7) don't matter at all and don't warrant a separate SKU.

[go to top]