Yubikey, FIDO2 and Backups

Categories: Security

As I wrote in my recent look at the Yubikey, it seemed to me that the rather primitive approach to backups taken by the Yubikey so far was just not going to be sufficient for the FIDO2/WebAuthn world, where the number of distinct credentials is going to be far larger.

Now that the Yubikey5 is out, with support for FIDO2/WebAuthn, I checked their documentation again - but couldn’t find any updated recommendations. As there is no apparent customer forum, I filed a support ticket asking about this. Unfortunately, the response was disappointing.

Here’s my request:

I would like more information on the options for “backing up” credentials for FIDO2 and U2F from a Yubikey5. All information/recommendations that I can find online suggest “a second key”; this approach works moderately well when the key holds few credentials, but is simply unuseable when using FIDO2 for per-website authentication, where dozens of credentials may be created. Registering twice for each site, and permanently having the “backup” device available in order to do so is not a reasonable solution. Do you have a better solution documented anywhere?

One option I would suggest is to support exporting credentials from the Yubikey - encrypted by an OpenPGP public key registered on the Yubikey device. This would allow safe backups to be made without exposing internal credentials. Does such a feature exist, or is such a feature planned?

And sadly, here is the response:

Thanks for reaching out.

You can’t export FIDO credentials because of security reasons. Such does not exist, or is planned. That’s what makes FIDO so secure, nobody can export FIDO credentials even if they take your Yubikey from you or you loose it. The only thing you can do on the Yubikey 5 is to reset the FIDO credentials. What you can do is to add a backup key to each account in case you loose the first Yubikey.

(name removed) Support Engineer | Yubico

As I (hopefully) clearly explained in the request, I just don’t see “use a second key” as a practical solution.

It works if you just sign up to accounts on 2 different services, and then never open any other accounts - ie if all you ever need is Facebook and Google, it might be sufficient. You sign up, then dig out your backup device from its secure storage (eg at a friends house, or from the safe at your bank) and register it with these other accounts too, then put the backup device safely away again.

But one of the great features of FIDO2 is that there is no need for using “log in with Facebook/Google/etc”; you can easily create a completely new and independent credential for each site you sign up to. And if you are using this to create new credentials on a regular basis, then you’ll need to keep a log of which new accounts you have created since the last “backup preparation session” then every few weeks retrieve your backup device from its safe location and revisit all those sites to add the backup device to them. Sounds like a real pain in the *** to me. Having your backup device available at all times is just stupid for obvious reasons; ideally the primary and backup devices should never ever be in the same location.

And if you do lose the primary, and have to resort to using the backup - how do you create a new backup? You would need to somehow determine which sites you have registered with, and revisit each of them one by one to register a new key.

I thought my proposal was a good one - load a public key into the Yubikey, then have a way for the Yubikey to export its internal FIDO2 credentials encrypted by that key. You can make such a backup at any time (eg after creating a new login), and put the resulting file on the internet if you wish - it is encrypted and is perfectly unreadable without the private part of that key. That private key should of course be stored somewhere safe - like on the backup Yubikey. Or just on a USB stick stored somewhere secure. Of course it should not be possible to overwrite that public key with which credentials are exported (or at least, credentials should only be exported via the public key active when they were created).

I guess time will tell whether Yubico’s FIDO2/WebAuthn feature will be a success without reasonable backup. However for me, I’ll wait for the next Google Titan or Nitrokey and see if they have a better solution.

Or maybe there’s a good solution I haven’t thought of? If so, let me know!