
225 points Terretta | 3 comments
anilakar ◴[] No.41856170[source]
OK. Let me know when I can migrate FIDO credentials from old Yubikeys to new ones.

Earlier this year I almost lost a domain because $REGISTRAR forced 2FA and I had forgotten to add them to my key spreadsheet.

1. akira2501 ◴[] No.41856513[source]
The recommendation is to use two keys or to always have an additional backup method configured. So you should never be in a position where a migration is required.
2. Animats ◴[] No.41856552[source]
Yes. My other Yubikey is in a bank vault.

I do not want a remote "authentication provider".

3. anilakar ◴[] No.41857729[source]
Hardware tokens are physical objects that are subject to mechanical wear and tear and can be lost. Hardware tokens are also subject to ending up on a hardware attestation blacklist because of security weaknesses.

I have already had to replace two Yubikeys for the aforementioned reasons, so FIDO hardware token migration is a very real scenario that desperately needs to be addressed.

Also mind that there are too many services that allow you to only use one FIDO token, or even worse, only one primary 2FA method in addition to backup codes.