Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 10:34 am

All times are UTC + 1 hour




Post new topic Reply to topic  [ 3 posts ] 
Author Message
PostPosted: Sun Aug 13, 2017 11:19 am 
Offline

Joined: Sun Aug 13, 2017 11:04 am
Posts: 2
I am integrating U2F into our application and trying to standardize on YubiKeys for U2F. Initial tests results look great. Some of our users are not tech savvy. There are use cases where some advanced users can have more than 1 Yubi key. Given this requirement, is it possible to prevent duplicate registration from the same key?

I have two Yubi keys for testing and I see that both of them have same serial number and subject on attestation cert. Is it possible to prevent same YubiKey registered twice for same app id? Reading on the Internet, I get the impression that it is not possible to detect duplicate keys as it provides ability to track users to a key.

Here are my questions
Is is true to that for a given YubiKey model, they have same attestation cert?
Is there a way to detect duplicate registration from the same key?

Thanks in advance!
Anil


Last edited by lsanil on Wed Aug 16, 2017 7:42 am, edited 1 time in total.

Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Mon Aug 14, 2017 9:21 am 
Offline
Site Admin
Site Admin

Joined: Mon Mar 02, 2009 9:51 pm
Posts: 83
lsanil wrote:
Is is true to that for a given YubiKey model, they have same attestation cert?

No, that is incorrect. The attestation certificate is unique per batch, not per model. In practice this means that 2 devices of the same model may have the same certificate, but not necessarily so. It's also possible that a batch spans multiple firmware versions, so it's possible for two devices with different versions to have the same certificate.

lsanil wrote:
Is there a way to detect duplicate registration from the same key?

Yes, this is part of the U2F specification. Assuming you're using the latest high level JS api, the call to u2f.register() takes a list of "RegisteredKey" objects, where each entry represents an already registered U2F device. The purpose if this is exactly to avoid the problem you've stated of registering the same device multiple times. Each "RegisteredKey" contains an existing keyHandle used to check if the device is already registered. See the JS API specification for more exact details: https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-javascript-api-v1.2-ps-20170411.html


Top
 Profile  
Reply with quote  
PostPosted: Wed Aug 16, 2017 7:42 am 
Offline

Joined: Sun Aug 13, 2017 11:04 am
Posts: 2
I did not understand the reason for registered key array in u2f.register api. Makes total sense now.
Thanks for the pointers! Great info.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 3 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group