How do I revoke a FIDO / WebAuthN token from every service?

After my blog post about recovering my accounts after a disaster, I followed the most repeated advice:

  1. Get two YubiKeys
  2. Associate them both with your accounts
  3. Keep one off-site in a safe location

OK, done! My wife and I spend a very boring evening going through every single account we have which supports FIDO tokens with WebAuthN - about a dozen in total. We manually paired two keys each. We put our main key on our keyrings, then drove out to the woods and buried our spares in a a waterproof box in a top secret location1.

But what if I lost my keys?

Perhaps I could have been pickpocketed or just been careless and dropped them when getting my wallet out. Either way, I can buy new eurocylinders for my home's doors, replace the padlock on my shed, and grovel to work for a new locker key.

And then, of course, I would have to dig up my backup key and start the painful process of revoking the old one. But here's the snag...

I have no idea which services I've associated my WebAuthN token with!

Firstly, there is staggeringly little chance that the person who found / took my keys would also know my username and password for various services. But we use MFA because we're paranoid, right? So it makes sense to invalidate the lost token to prevent even the slimmest chance of it being used against me.

Secondly, obviously I know some of the major services that I associated the token with - Facebook, Google, and the Russian crypto exchange where I keep all my money2. But what about the rest? Should I have made a list of each service I used? Should I have recorded it in my password manager?

Apparently a YubiKey can only hold 25 FIDO2 tokens, but unlimited FIDO U2F tokens. I'll be honest, I've no idea how many I have. And I don't think there's any way to query my key to see which services it was registered to.

It is probably a good thing that there's no big button which would universally revoke a key. That would be an extremely tempting target for abuse.

But I wish there were an easy way for a user to see where they had used their token. As it stands today, that's impossible.

  1. 51.8486123,-0.5543001 
  2. нет 

10 thoughts on “How do I revoke a FIDO / WebAuthN token from every service?

  1. says:

    @Edent what a great secret location! You could make a day out of recovering your online accounts, going to see the giraffes might break up the tedium!

  2. @Edent if it helps, Yubikey 5 with firmware version 5.2.3 or greater* supports listing + removing FIDO2 resident credentials through the ykman CLI with your PIN-* minimum version noted in
    FIDO Commands — YubiKey Manager (ykman) CLI and GUI Guide documentation

  3. Šime Vidas says:

    But I wish there were an easy way for a user to see where they had used their token.

    This information should probably be stored in the password manager.

Leave a Reply

Your email address will not be published. Required fields are marked *