undefined | Better HN

0 pointsstouset5y ago0 comments

> Some (like Yubico) let you purchase a "cloned" set of devices

Wait, they do? How?

I would love to do this, but I can't find anything relevant on their website.

0 comments

After going through their "what do I need?" quiz, it seemed to indicate that was an option. It's possible that I misunderstood, and they just give you two independent keys.

tialaramex5y ago

I think that quiz would like you to buy two of their products, which is a thing you might want to do (I'd suggest maybe one of theirs and one from a rival, but they're not going to suggest that) but it is not implying those keys are identical inside, they are as you say "independent keys".

So you'd register both keys. Or if you own more, you'd register at least two of them and at least one stays somewhere safe (but like, not in a bank safety deposit box, maybe the sort of place you keep a passport). This way, when inevitably your toddler throws mummy's key ring into a fast moving river, it's just very inconvenient and doesn't ruin your whole year. After you call somebody to bring a spare car key, and ask the toddler to think about what they did, go revoke all those now useless keys and order a new FIDO authenticator.

Edited to add: Even if they started identical you can reset any Yubikey, making the keys inside it random - and very paranoid people might want to before using it, since you don't know what happened to the keys inside it before you got it.

dandanua5y ago

The existence of a cloned physical key is not possible due to FIDO U2F protocol. Every sign operation increases a counter on the device. It's supposed that services will keep track of this counter and don't accept signatures with an incorrect counter (less than known).

_trampeltier5y ago

The same for me. I bought 2 keys and the idea was to have one as a backup key. But I did not find a way to do it. Anyway, even after read about how it works on some websites and watched some videos, the whole things is still a bit of a black box for me. I have no idea how a non-techie at moment a such device can use safe.

sammorrowdrums5y ago

I just bought two keys and most services let me enroll two devices or can use Yubico Authenticator, so I scan the OTP barcode twice, and tap each key one time on phone.

Then I'm going to sit with my wife and do that for some of her accounts and she will hold my backup.

edit for clarification, you really do need to have two devices with you to safely enough register 2fa, but obiously it is not safe to keep them both with you after initial setup, in case you lose them both. For the most part you just switch it on for everything with dual keys somehow (even if one registered key plus one Yubi Authenticator OTP).

For services that only actually enable one key, if they have emergency backup codes keep them in password manager, physical safe or a somewhere in your home depending on your threat level and the risks of the particular service being compromised.

mkj5y ago

I assume the solokey generates its master key on-device. Seems like it wouldn't be too hard for it to perform Diffie Hellman key exchange with another device to get a shared secret (at first setup) then they could be a cloned pair.

g_p5y ago

The issue with this would be counter synchronisation, as services shouldn't accept cloned responses when the counter ceases to be monotonic for what should be one single device.

j / k navigate · click thread line to collapse