Yubico Forum

I am integrating U2F into our application and trying to standardize on YubiKeys for U2F. Initial tests results look great. Some of our users are not tech savvy. There are use cases where some advanced users can have more than 1 Yubi key. Given this requirement, is it possible to prevent duplicate registration from the same key?

I have two Yubi keys for testing and I see that both of them have same serial number and subject on attestation cert. Is it possible to prevent same YubiKey registered twice for same app id? Reading on the Internet, I get the impression that it is not possible to detect duplicate keys as it provides ability to track users to a key.

Here are my questions
Is is true to that for a given YubiKey model, they have same attestation cert?
Is there a way to detect duplicate registration from the same key?

Thanks in advance!
Anil

No, that is incorrect. The attestation certificate is unique per batch, not per model. In practice this means that 2 devices of the same model may have the same certificate, but not necessarily so. It's also possible that a batch spans multiple firmware versions, so it's possible for two devices with different versions to have the same certificate.


Yes, this is part of the U2F specification. Assuming you're using the latest high level JS api, the call to u2f.register() takes a list of "RegisteredKey" objects, where each entry represents an already registered U2F device. The purpose if this is exactly to avoid the problem you've stated of registering the same device multiple times. Each "RegisteredKey" contains an existing keyHandle used to check if the device is already registered. See the JS API specification for more exact details: https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-javascript-api-v1.2-ps-20170411.html

I did not understand the reason for registered key array in u2f.register api. Makes total sense now.
Thanks for the pointers! Great info.