undefined | Better HN

0 pointsamluto3y ago0 comments

The spare in safe storage has limited value: you have to take it out of the safe to enroll it. This is technically easy to solve (with public key cryptography), but I don’t think FIDO/CTAP/WebAuthn has any ability to do this.

0 comments

chmod6003y ago

Not sure I follow. Don't you just need to save the public key somewhere, and use that to enroll? Why would you need access to the yubikey itself to enroll?

amlutoOP3y ago

I’m only deeply familiar with the U2F (legacy) protocol, and such devices don’t expose a key pair usable for this purpose. When you enroll, you need to communicate with the token.

But more generally, this is a protocol issue. You can’t enroll your Yubikey with your browser and then, later, have your browser enroll that key with a WebAuthn-using site. You have to put the key in your USB port at the time you enroll with a website. And you can’t do this if it’s in a safe.

j / k navigate · click thread line to collapse

0 pointsamluto3y ago0 comments

0 comments

chmod6003y ago

Not sure I follow. Don't you just need to save the public key somewhere, and use that to enroll? Why would you need access to the yubikey itself to enroll?

amlutoOP3y ago

I’m only deeply familiar with the U2F (legacy) protocol, and such devices don’t expose a key pair usable for this purpose. When you enroll, you need to communicate with the token.

j / k navigate · click thread line to collapse