I learned the other day that FIDO2 keys have a counter so that if an attacker does manage to clone the key, and both keys continue to be used, the counter for them will desync and the server can detect the clone.
Pretty cool, wonder how that plays out in practice.
Conversation
Like I'm pretty sure the recommendation is allow for two keys but AWS still doesn't, so I'm a bit doubtful that the average backend is detecting/ handing this, but I'm certainly curious to hear otherwise.
2
2
Replying to
Should allow for more than 2 keys since adding more keys is the best way to offer recovery.
My Google account has 3 security keys: YubiKey 5, Trezor Model T and Pixel 5 Titan M.
Can restore Trezor by fetching 2/3 Cryptosteel backups and setting the 2FA counter to Unix time.
2
1
Most sites don't even allow you to have security keys as the only 2FA mechanism. My Google account is opted into the Advanced Protection Program so it's the only option. It's quite important since it's my domain registrar and OVH recovery email.
1
Replying to
Yeah, we SSO through Google and enroll every employee to APP + we use Context Aware Access to tie sessions to Chromebooks (presumably via titan key).
1
Sadly, same story where it's the only site where we can say "key only" :\
1
Replying to
OVH allows me to use only the security key. I don't think any other service I use allows it.
AWS is weird. It has you login to your Amazon account and that has no security key support last time I checked. It makes me use app-based TOTP. AWS has security key support as 2nd layer.
1
1
So if I need to login to AWS from scratch, I have to use both app-based TOTP for Amazon login and then the security key which is extremely weird.
The way it works for Google with Advanced Protection Program is really nice now. Clean, simple UI with all the nonsense removed.