OK. Let me know when I can migrate FIDO credentials from old Yubikeys to new ones.
Earlier this year I almost lost a domain because $REGISTRAR forced 2FA and I had forgotten to add them to my key spreadsheet.
replies(4):
Earlier this year I almost lost a domain because $REGISTRAR forced 2FA and I had forgotten to add them to my key spreadsheet.
IIUC basically these devices contain one single immutable random secret that is stored in a tamper proof hardware and can never leave the device nor be written into another device.
When you "create" new keys what actually happens under the hood is that a new value gets stored in flash memory which is the _combined_ with the hard secret with some key derivation scheme and the resulting secret is then the one used to perform cryptographic operations
People lose credentials all the time, from social security cards, to drivers licenses, and passports. Say a natural disaster hits and your laptop with Yubikey gets swept away in a flood? Congratulations, you're hosed!
Individual people do not have the resources that a financial institution has. Getting people to adopt unique passwords is already an incredible hurdle, getting people to treat a hardware token literally more carefully than their social security card is bizarrely out of touch with reality.
As for me, I use Keepass to store my Passkeys. I use a password and Yubikey to secure it. The Yubikey has the same exact private keys set as 2 others, so I can keep 1 on my keychain, 1 in my safe, and 1 at a relative's house. And even this would be an unreasonable effort to expect from the majority of people.