undefined | Better HN

0 pointstialaramex5y ago0 comments

> Some sites will allow you to simultaneously enroll two devices, so you can keep one as a backup

For WebAuthn (the actual standard for how to do this which is what you should be rolling out if you have a greenfield authentication environment that doesn't already do U2F today) the specification explicitly says:

> Relying Parties SHOULD allow and encourage users to register multiple credentials to the same account. Relying Parties SHOULD make use of the excludeCredentials and user.id options to ensure that these different credentials are bound to different authenticators.

https://w3c.github.io/webauthn/#sctn-credential-loss-key-mob...

I'm aware of (and along with many of its other users annoyed that) AWS only permits a single authenticator. If there are other popular sites that do this, this is no worse a place than any other to say so.

FWIW I have two (or more) FIDO authenticators with Google, GitHub, GitLab, Facebook, Dropbox, Login.gov and Digidentity (the Gov.UK verify provider)

0 comments

Corrado5y ago

> I'm aware of (and along with many of its other users annoyed that) AWS only permits a single authenticator. If there are other popular sites that do this, this is no worse a place than any other to say so.

Just to clarify, AWS only allows a single authenticator for their IAM users. If you are using AWS SSO then you can have multiple authenticators. And yes, I am very annoyed and frustrating to think that IAM is forced into a lower security profile that it needs to be.

godelski5y ago

This has been a thing preventing me from getting one. A key that's supposed to be on you (or locked in a vault) is prone to getting destroyed or damaged.

So since my threat model isn't high and this would be more a nerd thing, it doesn't seem worth it. 2FA is good enough I guess

lucideer5y ago

Fwiw, I have 3 of these and I have yet to encounter a service that doesn't support all three, so it hasn't been a issue.

People have mentioned AWS IAMS only supports one at a time, but that's definitely "a nerd thing".

The only "normal" user-facing service I've tried with some unnecessary restrictions is actually Twitch (also an Amazon property), so it sounds like Amazon are just specifically bad at this, rather than most companies having bad implementations.

But in general, it's been fine for the vast majority of services.

chrisdhal5y ago

I've had a Yubikey for about 3 years that is on my car keys keychain which goes with me everywhere. It's been all over the US and into Costa Rica all in my pocket or haphazardly thrown into my backpack (with a bunch of other random things).

There is zero evidence of any wear or anything. They are meant to be carried around, you don't need to baby them. I'm more worried about it being lost than damaged.

ozim5y ago

My friend was like "why would I pay for this when Android phone can act as one as well".

I am more concerned with losing my phone or that my phone will die that something happening to my ybk.

kelnos5y ago

That's good to hear! I was under the impression that it was much more common for sites to not support a second device. Glad to know most do.

brewdad5y ago

In my experience every site I set up a physical device with offered either multiple device support or a secondary method like TOTP as a backup. Not as secure, but much more user friendly, recognizing that we are all only human.

j / k navigate · click thread line to collapse