
Registering multiple devices without common interfaces #1429

Closed
Nesuma opened this issue May 29, 2020 · 3 comments
@Nesuma

Nesuma commented May 29, 2020

I'm wondering how a user could register another authenticator for a service when both devices don't share at least one interface for a roaming authenticator. In #151 OTPs or e-mails are presented as a solution to authenticate the user once on the new device without the FIDO2 authenticator, therefore enabling the registration of this new device. This seems useful to me but would create weaknesses.

Is a solution for this in any form planned for the future? I guess that RPs could already implement a feature like this, but from a customer viewpoint, with my current knowledge, I wouldn't want to use FIDO2 because of the possibility that some of my (backup) authenticators can't be registered with a standard-compliant service, because another authenticator that can't be connected is already registered. Therefore a solution in the specification is needed so that a customer can be sure that they can register all their authenticators for every compliant service.

Having multiple authenticators with different key sets seems like a real usability problem, but phishable OTPs or similar are a security problem. Do users just have to accept that maybe the only solution is to have multiple dongles for specific devices missing an interface?

FIDO2 wants to be comfortably usable and secure. How?

@emlun
Member

emlun commented May 29, 2020

If an account is to be accessible only via WebAuthn authentication, then yes indeed, you will at some point need to connect two authenticators to the same client device if you want to register both of them. There's some work towards recovery solutions and using platform authenticators via Bluetooth. Ultimately, though, this is a question about the RP's and/or user's security policy, not really about the WebAuthn authentication mechanism.

the possibility that some of my (backup) authenticators can't be registered with a standard compliant service, because another authenticator that can't be connected is already registered

I'm not sure what you mean by this. There's nothing in the spec that says RPs should limit how many authenticators a user can have - in fact, it recommends the opposite:

Relying Parties SHOULD allow and encourage users to register multiple credentials to the same account.

@Nesuma
Author

Nesuma commented Jun 2, 2020

What I meant is a theoretical scenario where you have registered a device as authenticator and the device itself does not support any form of roaming authenticator (no USB, Bluetooth, NFC, etc.). How would you be able to register another device if there is no token that you can use to bridge the gap between the devices? As far as I can tell there is no way to successfully register another authenticator (and therefore device) in this case, so you could only use the second device after disabling WebAuthn on the first device and registering the second device. But now you can't register the first one again.

I think that this scenario is mostly theoretical because most devices have multiple interfaces for roaming authenticators.

If an account is to be accessible only via WebAuthn authentication, then yes indeed, you will at some point need to connect two authenticators to the same client device if you want to register both of them.

This answers the current state of my question, but I still wonder if there are any plans for the future (as discussed in #151).

@emlun emlun self-assigned this Jun 3, 2020
@emlun
Member

emlun commented Jun 5, 2020

What I meant is a theoretical scenario where you have registered a device as authenticator and the device itself does not support any form of roaming authenticator (no USB, Bluetooth, NFC, etc.). How would you be able to register another device if there is no token that you can use to bridge the gap between the devices?

Correct: you wouldn't be able to. You would have to relax authentication requirements (if the RP allows it), transplant/delegate the session, or authenticate by some other mechanism.

But now you can't register the first one again.

That's not necessarily true - it would depend on the RP's implementation and/or security policy.

I still wonder if there are any plans for the future

Sorry, there are not. However: unless the RP restricts allowable authenticators via attestation (which few RPs are likely to do), there's nothing stopping users from using authenticators (say, browser extensions) that allow exporting/importing credentials.

@Nesuma Nesuma closed this as completed Jun 6, 2020