NetBSD-Users archive


Re: TOTP apps, and WebAuthn recommended devices?



> Date: Sat, 25 Mar 2023 08:36:36 -0400
> From: Greg Troxel <gdt%lexort.com@localhost>
> 
> Thanks very much for the detailed response.
> 
> One thing that's not 100% clear to me:
> 
>   One device (plus a second one as a backup!)
> 
> 
> A device can fail or be lost, so the backup concept is obvious, and
> perhaps should extend to a third.
> 
> Are the backup devices independent in that you
> 
>   enroll device A on a site
> 
>   enroll device B on the same site
> 
> and then either one will be accepted by the site to login, and they
> otherwise don't have anything to do with each other?  I mean no transfer
> of keymat, or other linkage.
> 
> So therefore one could have a secondary backup in a place far away
> that's somewhat hard to get to, and when visiting it every few months,
> enroll that backup as an additional key in the sites that were added to
> the working device (carried with you) and the primary backup.

That is all correct.  Security key enrollments are independent.


P.S. There is also a proposal for a scheme that does allow devices to
     be linked in a way that preserves the privacy properties but
     doesn't require you to have the backup key itself to enroll it --
     only to log in with it -- but it's not there yet:
     https://www.yubico.com/blog/yubico-proposes-webauthn-protocol-extension-to-simplify-backup-security-keys/
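As an added illustration of the point made in this reply (example code written for this page, not part of the original message and not taken from any WebAuthn library or from NetBSD), the Go program below models a relying party that holds several independent security key enrollments for one account. Each authenticator generates its own P-256 key pair and credential id, the site stores one public key per enrollment, and a login assertion is verified only against the credential id it names, so a key that was never enrolled is rejected, revoking one key leaves the other working, and no key material ever moves between devices. The names Authenticator, RelyingParty, Enroll, Revoke, Sign, Verify and Login are assumptions of this toy model, and the signed data (SHA-256 of challenge plus signature counter) is a simplification of the real authenticatorData/clientDataHash layout.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models one security key (toy model, not a real CTAP device).
// The private key is generated on the device and never leaves it.
type Authenticator struct {
	Name    string
	credID  []byte
	priv    *ecdsa.PrivateKey
	counter uint32 // signature counter, incremented on every assertion
}

func NewAuthenticator(name string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return nil, err
	}
	return &Authenticator{Name: name, credID: id, priv: priv}, nil
}

// Credential is what the site stores per enrollment: id, public key, last counter.
type Credential struct {
	ID      []byte
	Pub     *ecdsa.PublicKey
	Counter uint32
}

// RelyingParty keeps one independent Credential per enrolled device.
type RelyingParty struct {
	creds map[string]*Credential // keyed by hex credential id
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{creds: map[string]*Credential{}}
}

// Enroll records a device's public key; existing enrollments are untouched.
func (rp *RelyingParty) Enroll(a *Authenticator) {
	rp.creds[fmt.Sprintf("%x", a.credID)] = &Credential{ID: a.credID, Pub: &a.priv.PublicKey}
}

// Revoke forgets one device; the others keep working.
func (rp *RelyingParty) Revoke(a *Authenticator) { delete(rp.creds, fmt.Sprintf("%x", a.credID)) }

func (rp *RelyingParty) EnrolledCount() int { return len(rp.creds) }

// Assertion is the device's answer to a login challenge.
type Assertion struct {
	CredID  []byte
	Counter uint32
	Sig     []byte
}

// signedData is a simplified stand-in for authenticatorData || clientDataHash.
func signedData(challenge []byte, counter uint32) []byte {
	h := sha256.New()
	h.Write(challenge)
	h.Write([]byte{byte(counter >> 24), byte(counter >> 16), byte(counter >> 8), byte(counter)})
	return h.Sum(nil)
}

// Sign mimics navigator.credentials.get(): the device signs with its own key.
func (a *Authenticator) Sign(challenge []byte) (Assertion, error) {
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedData(challenge, a.counter))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{CredID: a.credID, Counter: a.counter, Sig: sig}, nil
}

// Verify looks the credential up by id, checks the signature, and rejects a
// counter that did not increase (a replayed assertion or a cloned key).
func (rp *RelyingParty) Verify(challenge []byte, as Assertion) error {
	c, ok := rp.creds[fmt.Sprintf("%x", as.CredID)]
	if !ok {
		return errors.New("unknown credential id: device not enrolled")
	}
	if !ecdsa.VerifyASN1(c.Pub, signedData(challenge, as.Counter), as.Sig) {
		return errors.New("bad signature")
	}
	if as.Counter <= c.Counter {
		return errors.New("signature counter did not increase")
	}
	c.Counter = as.Counter
	return nil
}

// Login runs one challenge/response round trip with the given device.
func Login(rp *RelyingParty, a *Authenticator) error {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	as, err := a.Sign(challenge)
	if err != nil {
		return err
	}
	return rp.Verify(challenge, as)
}

func main() {
	rp := NewRelyingParty()
	a, _ := NewAuthenticator("working key")
	b, _ := NewAuthenticator("backup key")
	c, _ := NewAuthenticator("far-away backup, not yet enrolled")
	rp.Enroll(a)
	rp.Enroll(b)
	for _, dev := range []*Authenticator{a, b, c} {
		fmt.Printf("%-36s login: %v\n", dev.Name, Login(rp, dev))
	}
	rp.Revoke(a)
	fmt.Printf("after revoking %s, backup login: %v\n", a.Name, Login(rp, b))
}
```

Running it shows the two enrolled keys logging in, the not-yet-enrolled key being refused, and the backup still working after the working key is revoked. The signature counter check is the same mechanism a real relying party uses to notice a cloned or replayed authenticator.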


