After my blog post about recovering my accounts after a disaster, I followed the most repeated advice:
- Get two YubiKeys
- Associate them both with your accounts
- Keep one off-site in a safe location
OK, done! My wife and I spent a very boring evening going through every single account we have which supports FIDO tokens via WebAuthn - about a dozen in total. We manually registered both keys with each one. We put our main keys on our keyrings, then drove out to the woods and buried our spares in a waterproof box in a top secret location0.
But what if I lost my keys?
Perhaps I could have been pickpocketed, or just been careless and dropped them while getting my wallet out. Either way, I can buy new eurocylinders for my home's doors, replace the padlock on my shed, and grovel to work for a new locker key.
And then, of course, I would have to dig up my backup key and start the painful process of revoking the old one. But here's the snag...
I have no idea which services I've associated my WebAuthN token with!
Firstly, there is staggeringly little chance that the person who found / took my keys would also know my username and password for various services. But we use MFA because we're paranoid, right? So it makes sense to invalidate the lost token to prevent even the slimmest chance of it being used against me.
Secondly, obviously I know some of the major services that I associated the token with - Facebook, Google, and the Russian crypto exchange where I keep all my money1. But what about the rest? Should I have made a list of each service I used? Should I have recorded it in my password manager?
Apparently a YubiKey can only hold 25 FIDO2 credentials, but an unlimited number of FIDO U2F ones. The difference is where the credential lives. A FIDO2 discoverable ("resident") credential is stored on the key itself, so there is a hard limit (25 on a YubiKey 5; firmware 5.7 later raised that to 100). A U2F or non-discoverable credential is never stored: the key derives it on demand from its internal secret and a "key handle" that the service stores and hands back at login time, so the key keeps nothing per service. I'll be honest, I've no idea how many I have. The stored, discoverable credentials can be listed with the key's PIN (ykman fido credentials list), but the non-discoverable ones, which is what most sites register when the key is just a second factor, leave nothing on the key for me to query.
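To make that difference concrete, here is a simulation of the two credential models. It is an added example, not code from this post or from Yubico. The key-wrapping class follows the scheme Yubico has described for its U2F devices (private key derived with HMAC-SHA256 from a per-device secret, the relying party's app parameter and a random nonce; the nonce plus a MAC is handed back as the key handle for the service to store). The HMAC "signature" and the hash-derived scalar are simplifications standing in for ECDSA; the class names, the rp_ids and the default capacity of 25 are assumptions for the demo.

```python
"""Two FIDO credential models, simulated (added example, not Yubico's code).

KeyWrappingAuthenticator  -> U2F / non-discoverable: nothing stored per service,
                             so no limit, but also nothing to enumerate.
ResidentCredentialAuthenticator -> FIDO2 discoverable: stored on the device,
                             so capped (25 assumed), but listable and deletable.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

NONCE_LEN = 32  # bytes of random nonce carried inside each key handle


class KeyWrappingAuthenticator:
    """Models Yubico's published U2F key derivation with HMAC-SHA256."""

    def __init__(self, device_secret: Optional[bytes] = None) -> None:
        # The single per-device secret is the ONLY persistent state.
        self._secret = device_secret if device_secret is not None else secrets.token_bytes(32)

    @staticmethod
    def _app_param(rp_id: str) -> bytes:
        # U2F "application parameter": SHA-256 of the relying party identifier.
        return hashlib.sha256(rp_id.encode("utf-8")).digest()

    def _private_key(self, app_param: bytes, nonce: bytes) -> bytes:
        # Stand-in for the ECDSA private scalar: derived on demand, never stored.
        return hmac.new(self._secret, app_param + nonce, hashlib.sha256).digest()

    def _handle_tag(self, app_param: bytes, priv: bytes) -> bytes:
        # MAC binding the handle to this device AND this relying party.
        return hmac.new(self._secret, app_param + priv, hashlib.sha256).digest()

    def register(self, rp_id: str) -> bytes:
        """Return the key handle the service must store; the device keeps nothing."""
        app_param = self._app_param(rp_id)
        nonce = secrets.token_bytes(NONCE_LEN)
        priv = self._private_key(app_param, nonce)
        return nonce + self._handle_tag(app_param, priv)

    def authenticate(self, rp_id: str, key_handle: bytes, challenge: bytes) -> Optional[bytes]:
        """Re-derive the key from the handle. None if the handle is not ours
        or was issued for a different relying party."""
        app_param = self._app_param(rp_id)
        nonce, tag = key_handle[:NONCE_LEN], key_handle[NONCE_LEN:]
        priv = self._private_key(app_param, nonce)
        if not hmac.compare_digest(tag, self._handle_tag(app_param, priv)):
            return None
        # A real device signs the challenge with ECDSA; a MAC stands in here.
        return hmac.new(priv, challenge, hashlib.sha256).digest()

    def registered_rp_ids(self) -> List[str]:
        # There is no record to consult: this is why the key cannot tell you
        # where it has been registered.
        return []


class ResidentCredentialAuthenticator:
    """Models FIDO2 discoverable credentials: stored, capped, listable."""

    def __init__(self, capacity: int = 25) -> None:
        self._capacity = capacity
        self._creds: Dict[Tuple[str, str], bytes] = {}

    def register(self, rp_id: str, user_id: str) -> Optional[bytes]:
        """Store a credential; re-registering the same RP+user replaces it.
        Returns None when storage is full (CTAP reports KEY_STORE_FULL)."""
        key = (rp_id, user_id)
        if key not in self._creds and len(self._creds) >= self._capacity:
            return None
        cred_id = secrets.token_bytes(16)
        self._creds[key] = cred_id
        return cred_id

    def credential_count(self) -> int:
        return len(self._creds)

    def registered_rp_ids(self) -> List[str]:
        # The information `ykman fido credentials list` can show after the PIN.
        return sorted({rp for rp, _ in self._creds})

    def delete(self, rp_id: str, user_id: str) -> bool:
        return self._creds.pop((rp_id, user_id), None) is not None


if __name__ == "__main__":
    main_key = KeyWrappingAuthenticator()
    handle = main_key.register("example.com")  # service stores this
    print("same device, right RP :", main_key.authenticate("example.com", handle, b"c") is not None)
    print("same device, wrong RP :", main_key.authenticate("evil.example", handle, b"c") is not None)
    print("other device          :", KeyWrappingAuthenticator().authenticate("example.com", handle, b"c") is not None)
    print("U2F key knows of RPs  :", main_key.registered_rp_ids())
    resident = ResidentCredentialAuthenticator(capacity=2)
    resident.register("a.example", "me")
    resident.register("b.example", "me")
    print("resident RPs          :", resident.registered_rp_ids())
    print("third registration    :", resident.register("c.example", "me"))
```

The two `registered_rp_ids` methods are the whole story: the resident authenticator can answer because it holds the records, while the key-wrapping one has only a secret and can merely recognise a handle a service shows it, which is why losing the key also loses your only way of reconstructing where it was used.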
It is probably a good thing that there's no big button which would universally revoke a key. That would be an extremely tempting target for abuse.
But I wish there were an easy way for a user to see where they had used their token. For the non-discoverable credentials that most sites register, that's impossible today: the key simply doesn't know.
11 thoughts on “How do I revoke a FIDO / WebAuthN token from every service?”
@Edent what a great secret location! You could make a day out of recovering your online accounts, going to see the giraffes might break up the tedium!
Reply to original comment on mas.to
I expected you to hide it around https://maps.app.goo.gl/9SsV7gSPpJQrLitX8
@Edent Sounds like someone needs to write an app "whereismyfidoat", where you can quickly list where a key has been registered. Probably full of security and social engineering hacks...
Reply to original comment on snabelen.no
@Edent At least you get to stroke the big kitties when you go to recover your spare keys
Reply to original comment on bluetoot.hardill.me.uk
@Edent if it helps, a YubiKey 5 with firmware version 5.2.3 or greater* supports listing and removing FIDO2 resident credentials through the ykman CLI with your PIN: https://docs.yubico.com/software/yubikey/tools/ykman/FIDO_Commands.html#ykman-fido-credentials-options-command-args
* minimum version noted in https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/Resident_Keys.html
Reply to original comment on queer.party
Šime Vidas
This information should probably be stored in the password manager.
@Edent I just have a list. As you said, it's only like 12. I also list places that don't yet support it, so I know who to bug for support.
Reply to original comment on w3c.social
Really disappointed that the coordinates don’t lead me to maps.app.goo.gl/P46YUt6s5mXxwC…. Missed chance.
Reply to original comment on twitter.com
@Edent I just maintain a list - it is helpful while setting up a new Yubikey as well.
Reply to original comment on tatooine.club
You can't, but I don't think it's a big deal: sites that let you use your security key without it having a PIN almost always ask you for a password too (the key is there only as a second factor)
So an attacker would need both your key and password. For most people this is outside the threat model.
Reply to original comment on bsky.app
More comments on Mastodon.
Trackbacks and Pingbacks
Hosts: Vlad Bănică and Manuel Cheța. Main topics: BMW and the radar, Intel and super-processors, crypto - the good and the bad. Answer the Tehnocultura survey here.
Intro
- Manu: passwordless login to Microsoft via Windows Hello - PIN / more info - passkeys directory - token revocation / VLC podcasts at 3x speed / Google Pixel Buds A Series wireless earbuds / FUEL PC game passes 10 million / Wednesday, Nevermore filmed in Romania
- Vlad: the retro car and driving simulator fair in Nuremberg
Topics
- BMW: not just cars - a look at the technologies of the future
- MKBHD: (unpopular) opinions I agree with
- TechCrunch: Stripe opens fiat-to-crypto services
- EuroNews: the metaverse isn't catching on with people
- Tom's Hardware: Intel predicts super-processors with a trillion transistors by 2030
News in brief:
- Testing Games: RTX 3060 8GB vs RTX 3060 12GB / 15% difference
- PC Gamer: specifications for The Callisto Protocol
- SloMo Guys: light filmed at 10 trillion frames per second
- Bleeping Computer: CryWiper attacks Russian institutions
Extras
Where to find us:
- Vlad's playlist of songs on vinyl
- Manuel Cheța at manuelcheța.com