For that one should have 2 devices, both registered to same service, and the second would act as backup. FIDO specifically argues against cloning device secrets.
Edit: discussed in: Backup / Restore U2F secret?
Nitrokey FIDO U2F or FIDO2 devices can’t be cloned. The reasons are:
We would prefer a better vendor-independent and officially specified solution to this challenge. We are following such developments but as of now there isn’t another “official” solution yet. Nevertheless we might change our mind in the future, if there doesn’t emerge a better “official” solution soon.
Ok, at least a possibility for a solution. I think to get rid of passwords would be great. Currently my only concern is that FIDO2 will not be supported by all devices I have: e.g. iPad and iPhone might be troublemakers, while iMac, MacBook and all my FreeBSD servers / Pi will work fine.
Yeah, ash on my head - I pull back my “clone” request. I thought more of something like the DKEK shares as used with an HSM. So you could make backups and restore on a different FIDO2 token in case of a broken one.
The thing is that every scheme restoring the same secret on another device is an attempt at cloning, which FIDO wants to detect on the server side (by checking the usage counter’s value difference), and this is a feature of the standard. One can of course ignore that, but cannot then call the product compliant with the specification’s design.
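The server-side counter check described in the reply above, as an added example that is not part of this thread or of Nitrokey’s code. The relying party keeps the last signature counter it accepted per credential and rejects an assertion whose counter did not advance; the credential store and the two assertion sequences are constructed for the demonstration.

```python
"""Relying-party signature-counter check for FIDO/WebAuthn clone detection.

Added illustration (not Nitrokey's code). An authenticator increments its
counter on every signature, so two devices sharing one secret drift apart
and one of them eventually reports a value the server has already seen.
"""
from dataclasses import dataclass


class CloneSuspected(Exception):
    """The reported counter did not increase: a second device may hold the key."""


@dataclass
class StoredCredential:
    credential_id: bytes   # constructed sample id, not a real credential
    sign_count: int = 0    # last counter value the server accepted


def check_sign_count(cred: StoredCredential, asserted_count: int) -> str:
    """Apply the counter rule and update the stored value when it advances.

    Returns "advanced" when the counter moved forward, "no-counter" when both
    values are zero (authenticators that do not implement a counter), and
    raises CloneSuspected when the value is stale.
    """
    if asserted_count == 0 and cred.sign_count == 0:
        return "no-counter"
    if asserted_count > cred.sign_count:
        cred.sign_count = asserted_count
        return "advanced"
    raise CloneSuspected(
        f"credential {cred.credential_id.hex()}: got counter {asserted_count}, "
        f"last accepted {cred.sign_count}"
    )


def run_sequence(cred: StoredCredential, counts: list[int]) -> list[str]:
    """Feed a constructed series of assertion counters and record each outcome."""
    outcomes = []
    for c in counts:
        try:
            outcomes.append(check_sign_count(cred, c))
        except CloneSuspected:
            outcomes.append("clone")   # log, alert, and require re-registration
    return outcomes


if __name__ == "__main__":
    # Constructed: a legitimate device signs 1,2,3; a clone of it then signs 2.
    print(run_sequence(StoredCredential(b"\x01"), [1, 2, 3, 2]))
```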
Ok, ignoring a spec is not always a good idea - extending it would be ok. So it might be either good to influence and try to change the spec for a generic backup purpose or just make it clear that backup needs to be done by a second device. I am good with that.