You CAN and SHOULD BE ABLE TO register the same key for different users. The specification forbids registering the same key for the same user.

There is a different mode of use of the spec, resident keys, in which case it is indeed one hardware key per user. However, the key is stored on the hardware (limited number of slots, typically < 10) and it provides user identification ie you don’t need a username. I chose not to enable that behavior because it’s mutually exclusive with the one currently used AND I can’t expect people to have a key with hardware storage and be willing to sacrifice a hardware slot for my site when key management is not possible on most Authenticator hardware (you’d have to wipe it clean).

That’s as short as I can get the answer down to :[

Cool - well, um, I can register the same key multiple times for the same user at the moment ;/) :-)

Sent from my iPhone

On 19 Jun 2020, at 05:49, Nicholas K. Dionysopoulos notifications@github.com wrote:


You CAN and SHOULD BE ABLE TO register the same key for different users. The specification forbids registering the same key for the same user.

There is a different mode of use of the spec, resident keys, in which case it is indeed one hardware key per user. However, the key is stored on the hardware (limited number of slots, typically < 10) and it provides user identification ie you don’t need a username. I chose not to enable that behavior because it’s mutually exclusive with the one currently used AND I can’t expect people to have a key with hardware storage and be willing to sacrifice a hardware slot for my site when key management is not possible on most Authenticator hardware (you’d have to wipe it clean).

That’s as short as I can get the answer down to :[

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or unsubscribe.

What kind of key is it? Hardware or software? It’s up to the browser to determine if a key has been registered before by presenting existing keys to the Authenticator. The Authenticator tells the browser if it recognizes any of them. That’s the part of the implementation that’s outside Joomla.

Tested with several different hardware yubikey usbs.

I can register them all, multiple times against the same user in admin

Tested in chrome and safari and both allowed the same key to be added multiple times to the same user

Sent from my iPhone

On 19 Jun 2020, at 07:32, Nicholas K. Dionysopoulos notifications@github.com wrote:


What kind of key is it? Hardware or software? It’s up to the browser to determine if a key has been registered before by presenting existing keys to the Authenticator. The Authenticator tells the browser if it recognizes any of them. That’s the part of the implementation that’s outside Joomla.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or unsubscribe.

As far as I can tell this is a browser issue. We do send the correct excludeCredentials to the browser but it seems the browser ignores it. Sorry, I don't have a solution to this one.

So in summary to close:

• The specification forbids registering the same key for the same user.
• Joomla sends the correct excludeCredentials to the browser
• Bugs in google chrome and safari (tested on Mac) ignore excludeCredentials and allow the same key to be registered repeatedly for the same user

Therefore nothing we (:cough: you) can do about browsers having bugs in a (relatively) new specification implementation

The compatibility matrix at https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialCreationOptions/excludeCredentials says google chrome should work - and safari support is unknown.

?‍♂️

Safari 13 does support WebAuthn and Safari 12 had it hidden behind a developer flag. Chrome does support it.

The behaviour with multiple registrations is consistent across all browsers I've tested including the aforementioned, Firefox, Edge (Chrome-based) and Opera. The similar U2F spec did prevent double registration. Based on observation I guess browsers are still working on WebAuthn OR the library we use – the only one for PHP – is doing something wrong. I can't really know which one is which so I'll just go with "not really anything I can do" and call it a day :)

so I'll just go with "not really anything I can do" and call it a day :)

Im happy with that.

I can confirm that if I register the same key for the same person 5 times and try to use it to login, it allows me to authenticate and login - so that's ok. Adding the key multiple times doesnt "seem" to break anything at all, even if it is against the specification and not expected.

Therefore even if a user added a key multiple times "by mistake" they would not have a bad experience.

All done here. Thanks Nik.

This appears fixed by #29707 ... strange.

actually I take that back - its still happening :)

OK, so after some further reading it looks like that this can only be prevented for resident keys i.e. keys which are fully stored in the Authenticator's non-volatile memory. I deliberately chose to NOT implement this option because it's mutually exclusive with allowing non-resident keys to be generated. Resident keys are even safer and also provide the username (well, the HMAC-SHA-256 of the user ID with the site's secret) BUT cannot be managed on most FIDO2 authenticators. Since there's very limited storage -- about ten keys -- on most Authenticators AND this would rule out backwards compatibility with FIDO 1 (U2F) Authenticators it sounds like a bad idea to implement. More so when clearing the resident keys requires resetting the FIDO2 application on the Authenticator which immediately dissociates it from any site where you used it for U2F (FIDO) or WebAuthn (FIDO2) passwordless authentication or two step verification.

TL;DR: Preventing double registration comes with major disadvantages which only makes it reasonable to use in very high security applications (think enterprise or above). For the rest of us, implementing this feature doesn't add anything to our security so we can safely ignore the fact that browsers will let you register the same Authenticator two or more times. Enterprise users can easily fork and adapt the core code to support resident keys. I had done that a few months ago, it was straightforward but definitely outside the scope of a mass distributed CMS.

If you are happy - i'm happy.