
Copy keys to another device

Open usrfam opened this issue 2 years ago • 7 comments

Hello, friend! Please tell me where to find the private keys and how to transfer them to another computer?

usrfam avatar May 12 '22 13:05 usrfam

Hello, please see #68. If that answers your question, I'd be open to a PR adding a note to the README about keychain transferring.

Edit: I will note, this is something that can be done for a one time migration to a new computer, it will not work well to create two computers that use the same private keys. You should instead register both computers separately so each gets their own private key. Or buy a hardware key that can be used in either computer.

danstiner avatar May 12 '22 16:05 danstiner

I will note, this is something that can be done for a one time migration to a new computer, it will not work well to create two computers that use the same private keys

Can you elaborate on this? I thought the secrets stored in the GNOME keychain were stateless. Of course, ideally you would use two separate keys, but I'm curious.

sigaloid avatar May 29 '22 01:05 sigaloid

Sure, basically U2F requires a usage counter that is sent and incremented each time you authenticate. I store and update that counter in the keychain for each entry, so there is mutable state. Maybe that's an abuse of the GNOME keychain hehe, if it is I'd love to know.

See https://developers.yubico.com/U2F/Libraries/Advanced_topics.html, "Device counters"

That's a big part of why I haven't documented cloning better. It will "just work" if you move your whole HOME dir or even just the keychain data to a new computer, but cloning will not keep the counters in sync. I'm not sure what sites would do when they see the counter step back but hopefully they would invalidate the authenticator entirely.

And yeah exactly, the ideal recommendation for now is just to register the two computers separately as two different authenticators. Unless there is some easy solution for syncing keychain entries.

danstiner avatar Jun 02 '22 22:06 danstiner
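The counter rule described above, seen from the relying party's side, as an added example (not rust-u2f code): it parses the U2F authentication response layout (user-presence byte, 4-byte big-endian counter, then the signature) and rejects any counter that does not strictly increase, which is how a server can notice a cloned keychain whose counter has stepped back. The `Registration` struct and the strict-increase policy are assumptions for this example; signature verification is assumed to happen elsewhere.

```rust
// Relying-party side check of the U2F signature counter.
// Added example, not rust-u2f code. Parses the authentication response
// (user-presence byte, 4-byte big-endian counter, signature) and applies
// a "counter must strictly increase" rule so a cloned authenticator that
// replays or steps back the counter is flagged rather than accepted.

#[derive(Debug, PartialEq)]
pub enum CounterCheck {
    Ok { new_counter: u32 },
    CloneSuspected { stored: u32, seen: u32 },
    Malformed,
}

/// Server-side state for one registered key handle (hypothetical struct).
pub struct Registration {
    pub counter: u32,
}

/// Split a raw U2F authentication response into (user_presence, counter, signature).
pub fn parse_auth_response(data: &[u8]) -> Option<(u8, u32, &[u8])> {
    if data.len() < 5 {
        return None;
    }
    let counter = u32::from_be_bytes([data[1], data[2], data[3], data[4]]);
    Some((data[0], counter, &data[5..]))
}

/// Apply the counter rule and, on success, persist the new high-water mark.
/// Assumes the signature over the response was already verified.
pub fn check_counter(reg: &mut Registration, response: &[u8]) -> CounterCheck {
    let seen = match parse_auth_response(response) {
        Some((_presence, counter, _sig)) => counter,
        None => return CounterCheck::Malformed,
    };
    if seen > reg.counter {
        reg.counter = seen;
        CounterCheck::Ok { new_counter: seen }
    } else {
        // Equal or lower: either a replay or a second copy of the same keychain
        // (as in the one-time-migration vs. two-computers scenario above).
        CounterCheck::CloneSuspected { stored: reg.counter, seen }
    }
}

fn main() {
    // Constructed sample: computer A authenticates with counter 5, then a clone
    // made before that still sends counter 5 and is flagged.
    let mut reg = Registration { counter: 4 };
    let from_a = [0x01, 0, 0, 0, 5, 0xAA, 0xBB]; // trailing bytes stand in for a signature
    println!("{:?}", check_counter(&mut reg, &from_a));
    println!("{:?}", check_counter(&mut reg, &from_a));
}
```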

Thank you for the explanation!

sigaloid avatar Jun 06 '22 16:06 sigaloid

To answer these recurring questions in a FAQ-style way, maybe it helps painting things like this:

  • 'You can transfer your keys, but that is really moving them -- they need to be deleted, or otherwise services will flag your device as compromised.'
  • 'While nothing can keep you from creating a backup of your device' (well, save #85), 'do not expect a recovered backup to work. Instead, register your backup device as a dedicated token with your service, or deposit its recovery keys at your backup site.'

(This is all of course conditional on me understanding the underlying mechanisms right, but they appear to be common in COSE based environments)

chrysn avatar Jul 16 '22 16:07 chrysn

I think only related to FIDO2 (#50), but for context: Recently the FIDO Alliance has explicitly introduced multi device credentials (https://fidoalliance.org/multi-device-fido-credentials/).

zroug avatar Jul 16 '22 18:07 zroug