2

I read every Yubico publication and looked at the webinars, but they keep some information unsaid for some reason.

When using the Yubikey 5 for Single Strong Factor, they claim the authenticator (I guess they mean the physical key's CPU) generates a key-pair for every site you enroll to with the "resident keys" method. They admit there's a limit to the number of enrolls, since they each take up a slot on the key, so it's not unlimited like U2F. I therefore wonder:

  1. What is the upper limit of slots on the new 5 series? (I don't know of other vendors offering FIDO2 yet at this time)
  2. Can one manually reset old used slots to free up room?
  3. Can a remote malicious site potentially create multiple key enrollment events, causing the key to fill up all the free slots?
  4. When I get to the login page of a service where I have more than one account enrolled, which part of the chain asks me to pick the credential I wish to login with? The local client (web browser usually) or the remote server?
  5. Can the remote server detect that two accounts have enrolled with the same key? Is that not a privacy issue users should be aware of?

Thanks for any info you know, whether FIDO2 in general or Yubico hardware specifically.

(Tried to tag this FIDO2 but I can't create a new tag)

Luke Walker
  • 333
  • 1
  • 4
Ira
  • 193
  • 4
  • Nada? Nobody knows and Yubico are not telling. At least I earned a "Tumbleweed badge" from StackOverflow. Thanks, I guess :) – Ira Oct 27 '18 at 10:42

2 Answers2

4

I can try to answer some of your concerns:

  1. Basically there are two options for hardware token: to generate and store new key pair for each registration (called resident keys) or to use key-wrapping and "store" keys on relying party's server as credentialId (https://www.w3.org/TR/webauthn/#sctn-credential-storage-modality). YubiKey 5 supports both options: when relying party asks to use your key as MFA/passwordess ("requireResidentKey": false), then new key pair is generated and stored on device; when relying party asks to use your key as second factor only, then key-wrapping is used and no internal memory is used. YubiKey 5 can store only 25 key pairs (https://support.yubico.com/support/solutions/articles/15000014219-yubikey-5-series-technical-manual#FIDO2r09kph).
  2. You can only do factory reset of your token (all of nothing). This is defined by CTAP2 (https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-client-to-authenticator-protocol-v2.0-rd-20170927.html#authenticatorReset). In theory Yubico may provide custom tool for managing credentials one by one, but I'm not aware of such tool.
  3. Not unless you touch your key each time (presence detection).
  4. It depends on relying party. WebAuthn (FIDO2) allows both cases and Yubikey 5 supports them both. If website is using token only as second factor (like U2F), then it asks for specific credential. If your key is used as paswordless token AND relying party does not ask for specific credential, then platform (or browser) collects all credentials linked to relying party and displays selection dialog.
  5. Yes and no. Relying party can provide a list of known credentials (excludeList in CTAP2) to your token and then your token must deny registration if it already has credentials from that list. But this is only useful for preventing assigning same key to same account.
Dissimilis
  • 450
  • 4
  • 13
  • 1
    _when relying party asks to use your key as MFA/passwordess ("requireResidentKey": false), then new key pair is generated and stored on device_ I guess "requireResidentKey: **True**", no? – BrnVrn Apr 24 '19 at 21:01
1

For Question 2. I have cleared FIDO registrations from the yubikey 5 series by using the yubikey Manger CLI Tool "ykman.exe"

# PowerShell
Set-Location -Path "$env:ProgramFiles\Yubico\YubiKey Manager"
.\ykman.exe
Julien Zweverink
  • 11
  • 4