How do I revoke a FIDO / WebAuthN token from every service?
After my blog post about recovering my accounts after a disaster, I followed the most repeated advice:
- Get two YubiKeys
- Associate them both with your accounts
- Keep one off-site in a safe location
OK, done! My wife and I spend a very boring evening going through every single account we have which supports FIDO tokens with WebAuthN - about a dozen in total. We manually paired two keys each. We put our main key on our keyrings, then drove out to the woods and buried our spares in a a waterproof box in a top secret location0.
But what if I lost my keys?
Perhaps I could have been pickpocketed or just been careless and dropped them when getting my wallet out. Either way, I can buy new eurocylinders for my home's doors, replace the padlock on my shed, and grovel to work for a new locker key.
And then, of course, I would have to dig up my backup key and start the painful process of revoking the old one. But here's the snag...
I have no idea which services I've associated my WebAuthN token with!
Firstly, there is staggeringly little chance that the person who found / took my keys would also know my username and password for various services. But we use MFA because we're paranoid, right? So it makes sense to invalidate the lost token to prevent even the slimmest chance of it being used against me.
Secondly, obviously I know some of the major services that I associated the token with - Facebook, Google, and the Russian crypto exchange where I keep all my money1. But what about the rest? Should I have made a list of each service I used? Should I have recorded it in my password manager?
Apparently a YubiKey can only hold 25 FIDO2 tokens, but unlimited FIDO U2F tokens. I'll be honest, I've no idea how many I have. And I don't think there's any way to query my key to see which services it was registered to.
It is probably a good thing that there's no big button which would universally revoke a key. That would be an extremely tempting target for abuse.
But I wish there were an easy way for a user to see where they had used their token. As it stands today, that's impossible.
naxxfish said on mas.to:
@Edent what a great secret location! You could make a day out of recovering your online accounts, going to see the giraffes might break up the tedium!
Richy B says:
I expected you to hide it around https://maps.app.goo.gl/9SsV7gSPpJQrLitX8
Ivar Abrahamsen 👨🔧 said on snabelen.no:
@Edent Sounds like someone need to write an app "whereismyfidoat". Where you can quickly list where a key has been registered with. Probably full of security and social engineering hacks...
Ben Hardill said on bluetoot.hardill.me.uk:
@Edent At least you get to stroke the big kitties when you go to recover your spare keys
Harley Watson said on queer.party:
@Edent if it helps, Yubikey 5 with firmware version 5.2.3 or greater* supports listing + removing FIDO2 resident credentials through the ykman CLI with your PIN- https://docs.yubico.com/software/yubikey/tools/ykman/FIDO_Commands.html#ykman-fido-credentials-options-command-args* minimum version noted in https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/Resident_Keys.html FIDO Commands — YubiKey Manager (ykman) CLI and GUI Guide documentation
Šime Vidas says:
This information should probably be stored in the password manager.
Be Roberts said on w3c.social:
@Edent I just have a list. As you said, it's only like 12. I just places that don't yet support it so I know who to bug for support.
Thomas Steiner said on twitter.com:
Really disappointed that the coordinates don’t lead me to maps.app.goo.gl/P46YUt6s5mXxwC…. Missed chance.
nemo said on tatooine.club:
@Edent I just maintain a list - it is helpful while setting up a new Yubikey as well.
Nina "Erina" Satragno said on bsky.app:
You can't, but I don't think it's a big deal: sites that let you use your security key without it having a PIN almost always ask you for a password too (the key is there only as a second factor)
So an attacker would need both your key and password. For most people this is outside the threat model.
More comments on Mastodon.