225 points Terretta | 1 comments
anilakar No.41856170
OK. Let me know when I can migrate FIDO credentials from old Yubikeys to new ones.

Earlier this year I almost lost a domain because $REGISTRAR forced 2FA and I had forgotten to add them to my key spreadsheet.

ithkuil No.41856221
I think the whole point of yubikeys is to make this impossible.

IIUC basically these devices contain one single immutable random secret that is stored in tamper-proof hardware and can never leave the device nor be written into another device.

When you "create" new keys, what actually happens under the hood is that a new value gets stored in flash memory, which is then _combined_ with the hard secret with some key derivation scheme, and the resulting secret is then the one used to perform cryptographic operations.

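Added example (not part of the thread, and not Yubico's code): a simplified Python model of the derivation scheme described in the comment above, showing why a credential created on one device cannot be used by another. The class name, the HMAC labels and the choice to carry the per-credential nonce inside the credential ID are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 32
TAG_LEN = 16


class ToyAuthenticator:
    """Simplified model of a token holding one non-exportable device secret."""

    def __init__(self, device_secret=None):
        # Constructed for the example: a real token's secret is set in hardware
        # and has no export or import path.
        self._device_secret = device_secret or secrets.token_bytes(32)

    def _mac(self, label, rp_id, nonce):
        # Bind every derived value to the relying party and the nonce.
        rp_hash = hashlib.sha256(rp_id.encode()).digest()
        return hmac.new(self._device_secret, label + rp_hash + nonce,
                        hashlib.sha256).digest()

    def register(self, rp_id):
        """Create a credential; only the opaque credential ID leaves the device."""
        nonce = secrets.token_bytes(NONCE_LEN)
        return nonce + self._mac(b"tag", rp_id, nonce)[:TAG_LEN]

    def private_key_for(self, rp_id, credential_id):
        """Re-derive the per-credential key, or None if the ID is not ours."""
        if len(credential_id) != NONCE_LEN + TAG_LEN:
            return None
        nonce, tag = credential_id[:NONCE_LEN], credential_id[NONCE_LEN:]
        expected = self._mac(b"tag", rp_id, nonce)[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # wrong device or wrong relying party
        return self._mac(b"key", rp_id, nonce)


if __name__ == "__main__":
    old_key, new_key = ToyAuthenticator(), ToyAuthenticator()
    cred = old_key.register("registrar.example")  # constructed relying party ID
    print("old device derives key:",
          old_key.private_key_for("registrar.example", cred) is not None)
    print("new device derives key:",
          new_key.private_key_for("registrar.example", cred) is not None)
```

In this model, migrating a credential would require copying the device secret itself, which is exactly the operation the hardware is built to refuse.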
eikenberry No.41864391
> I think the whole point of yubikeys is to make this impossible.

It is, and it is why Yubikeys are useless for most cases outside of the workplace.