How do I revoke a FIDO / WebAuthN token from every service?

After my blog post about recovering my accounts after a disaster, I followed the most repeated advice:

  1. Get two YubiKeys
  2. Associate them both with your accounts
  3. Keep one off-site in a safe location

OK, done! My wife and I spend a very boring evening going through every single account we have which supports FIDO tokens with WebAuthN - about a dozen in total. We manually paired two keys each. We put our main key on our keyrings, then drove out to the woods and buried our spares in a a waterproof box in a top secret location1.

But what if I lost my keys?

Perhaps I could have been pickpocketed or just been careless and dropped them when getting my wallet out. Either way, I can buy new eurocylinders for my home's doors, replace the padlock on my shed, and grovel to work for a new locker key.

And then, of course, I would have to dig up my backup key and start the painful process of revoking the old one. But here's the snag...

I have no idea which services I've associated my WebAuthN token with!

Firstly, there is staggeringly little chance that the person who found / took my keys would also know my username and password for various services. But we use MFA because we're paranoid, right? So it makes sense to invalidate the lost token to prevent even the slimmest chance of it being used against me.

Secondly, obviously I know some of the major services that I associated the token with - Facebook, Google, and the Russian crypto exchange where I keep all my money2. But what about the rest? Should I have made a list of each service I used? Should I have recorded it in my password manager?

Apparently a YubiKey can only hold 25 FIDO2 tokens, but unlimited FIDO U2F tokens. I'll be honest, I've no idea how many I have. And I don't think there's any way to query my key to see which services it was registered to.

It is probably a good thing that there's no big button which would universally revoke a key. That would be an extremely tempting target for abuse.

But I wish there were an easy way for a user to see where they had used their token. As it stands today, that's impossible.

  1. 51.8486123,-0.5543001 
  2. нет 

Share this post on…

10 thoughts on “How do I revoke a FIDO / WebAuthN token from every service?”

  1. said on

    @Edent if it helps, Yubikey 5 with firmware version 5.2.3 or greater* supports listing + removing FIDO2 resident credentials through the ykman CLI with your PIN-* minimum version noted in
    FIDO Commands — YubiKey Manager (ykman) CLI and GUI Guide documentation

    Reply | Reply to original comment on
  2. Šime Vidas says:

    But I wish there were an easy way for a user to see where they had used their token.

    This information should probably be stored in the password manager.


Trackbacks and Pingbacks

  1. Gazde: Vlad Bănică și Manuel Cheța
    Subiecte principale: BMW și radarul, Intel și super-procesoare, crypto – cu bune și rele
    Răspunde la sondajul Tehnocultura aici.

    – Manu: passwordless login in Microsoft via Windows Hello – PIN / more infopasskeys directoryrevocarea tokenilor / VLC podcasts 3x speed / căști wireless Google Pixel Buds A series / FUEL PC Game peste 1o milioane / Wednesday, Nevermore filmat în România
    – Vlad: Târgul de mașini retro și simulatoare auto de la Nuremberg
    – BMW: Nu doar mașini – o incursiune în tehnologiile viitorului
    – MKBHD: păreri (nepopulare) cu care sunt de acord.
    – TechCrunch: Stripe deschide servicii fiat-to-crypto
    – EuroNews: metaverse nu prinde la lume
    – Toms Hardware: Intel prevede crearea a unor super-procesoare cu o mie de miliarde de tranzistori până in 2030
    Știri pe scurt:
    – Testing Games: RTX 3060 8GB vs RTX 3060 12GB / 15% diferență
    – PC Gamer: specificații pentru Callisto Protocol
    – SloMo Guys: lumina filmată la 10 mii de miliarde de cadre pe secundă
    – Bleeping Computer: CryWiper atacă instituții rusești
    Unde ne găsești:
    Playlist Vlad cu melodii pe viniluri
    Manuel Cheța pe manuelcheț
    Share this:TwitterFacebook

What are your reckons?

All comments are moderated and may not be published immediately. Your email address will not be published.Allowed HTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <p> <pre> <br> <img src="" alt="" title="" srcset="">