225 points Terretta | 1 comments
anilakar ◴[] No.41856170[source]
OK. Let me know when I can migrate FIDO credentials from old Yubikeys to new ones.

Earlier this year I almost lost a domain because $REGISTRAR forced 2FA and I had forgotten to add them to my key spreadsheet.

ithkuil ◴[] No.41856221[source]
I think the whole point of yubikeys is to make this impossible.

IIUC basically these devices contain one single immutable random secret that is stored in tamper-proof hardware and can never leave the device nor be written into another device.

When you "create" new keys, what actually happens under the hood is that a new value gets stored in flash memory, which is then _combined_ with the hard secret with some key derivation scheme, and the resulting secret is then the one used to perform cryptographic operations.

1. pushupentry1219 ◴[] No.41856445[source]
Yeah, the whole point of YubiKey is that the physical key is REQUIRED and can't be cloned. So no, you won't be able to export anything off of it.

You're correct about how key creation works as well AFAIK.
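
The derivation described in the comments above, as an added toy model that is not from the thread and is not Yubico's code. It assumes HMAC-SHA256 as the key derivation scheme and uses an HMAC over the challenge as a stand-in for the real asymmetric signature; `ToyAuthenticator`, `flash` and `migration_attempt` are hypothetical names.

```python
import hashlib
import hmac
import secrets


class ToyAuthenticator:
    """Toy model: one fixed device secret plus per-credential values in flash."""

    def __init__(self):
        # Stands in for the immutable secret in tamper-proof hardware.
        # Nothing in this class ever returns it.
        self._device_secret = secrets.token_bytes(32)
        # Readable/writable storage: rp_id -> per-credential random value.
        self.flash = {}

    def create_credential(self, rp_id: str) -> None:
        # "Creating a key" only stores a fresh random value.
        self.flash[rp_id] = secrets.token_bytes(32)

    def _credential_secret(self, rp_id: str) -> bytes:
        # Assumed KDF: HMAC-SHA256 keyed with the device secret.
        msg = rp_id.encode() + b"\x00" + self.flash[rp_id]
        return hmac.new(self._device_secret, msg, hashlib.sha256).digest()

    def respond(self, rp_id: str, challenge: bytes) -> bytes:
        # Stand-in for signing the relying party's challenge.
        key = self._credential_secret(rp_id)
        return hmac.new(key, challenge, hashlib.sha256).digest()


def migration_attempt(rp_id: str = "registrar.example") -> bool:
    """Copy everything readable from an old device to a new one.

    Returns True only if the new device answers a challenge like the old one.
    """
    old, new = ToyAuthenticator(), ToyAuthenticator()
    old.create_credential(rp_id)
    new.flash = dict(old.flash)  # flash contents copied verbatim
    challenge = secrets.token_bytes(32)
    return hmac.compare_digest(old.respond(rp_id, challenge),
                               new.respond(rp_id, challenge))


if __name__ == "__main__":
    print("copied credential works on new device:", migration_attempt())
```

Because the derived secret depends on a value that never leaves the old device, the copied flash contents produce a different key on the new one, which is why each key has to be enrolled with the service separately.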