Clone a Fido2 stick

throit · November 26, 2019, 2:03pm

Is it possible to clone a Fido2 stick as a backup stick? Or do I have to create a backup stick explicitly (second key).

szszszsz · November 26, 2019, 2:07pm

Hi!

By FIDO2 specification it should not be possible to clone the device, and to use two different devices with the same key. By principle the key should be generated per-device, and on-device. Some vendors offer such solutions, but we are not planning to add it for Nitrokey FIDO2, and have not added to Nitrokey FIDO U2F in the past as well.

Specification suggests to use multiple devices for the backup purposes.

szszszsz · November 26, 2019, 4:09pm

Here is the relevant part of the spec for the FIDO U2F:

https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-overview-v1.2-ps-20170411.html#counters-as-a-signal-for-detecting-cloned-u2f-devices

Herve5 · November 26, 2019, 7:06pm

But then, are we sure all potential sites will accept two keys?
Because I definitely agree with throit, I’ll just NOT rely on a single hardware device -not that I don’t trust NK, on the contrary : simply, some day I’ll lose the FIDO NK, for sure. And then I want to be equally sure I’ll be able to immediately get the backup one. Like the keys from your home, from your car.
As I am not very educated on ‘validated sites’, can someone point me to a place where sites supporting this for sure would be listed?
Thank you!!
Hervé
P. S. and this means that, like throit, I’d buy two keys at a time

nitroalex · November 28, 2019, 10:31am

On https://www.dongleauth.com/ we try to also keep track of the support of multiple dongle devices.

szszszsz · November 28, 2019, 11:58am

Indeed that was a concern during the early adoption of the FIDO U2F, where the server side implementations were not considering multiple devices for use (improperly to the FIDO U2F specification). If there are still sites where only one device is accepted, it should be reported to proper service’s support, so by users’ pressure the implementation would be changed.
I remember there was a such case with Twitter, I do not know though how it ended.

The downside of this approach is a need to register both keys for each service, but that should not take much longer, than with a single key. The good thing is, that the backup key could be reused between the users. This works without friction for FIDO U2F, but for FIDO2 backup that means the PIN has to be shared between its users unfortunately.

Herve5 · November 28, 2019, 7:47pm

I know this site; checking it for our question here is terrible.
For instance, out of 40 email service providers, four only get the logo indicating they’d accept two Fido2 keys… (and incidentally, mine isn’t listed)

nitroalex · December 5, 2019, 9:09am

It’s just the best we have. It is a community project as nobody can just check all sites. I am not aware of another/more complete listing.