How to identify the FIDO2 devices consistently #622
Hi,

At Termius, we implemented FIDO2 support using libfido2 for SSH connections and faced a UX problem. On the screenshot, I have YubiKey 5Ci, YubiKey 5 NFC, SoloKey, and OnlyKey connected. I cannot tell which FIDO2 device is YubiKey 5Ci or YubiKey 5 NFC both are

We've looked at YubiKey Manager and found that each YubiKey has a serial number. So we could use it but want to use a vendor-agnostic API, e.g., implemented by libfido2. My questions so far are:

Cheers,
Replies: 1 comment 7 replies
https://w3c.github.io/webauthn/#sctn-privacy-attacks
IMHO, I don't think using serial numbers is a good approach if you are targeting FIDO2 devices. I would suggest using the AAGUID from the getInfo response to tell different models apart, either by using FIDO's MDS3 service or by maintaining a key-value map of them, like:
https://support.yubico.com/hc/en-us/articles/360016648959-YubiKey-Hardware-FIDO2-AAGUIDs
https://github.com/opotonniee/fido-mds-explorer (just a quick-link website, not the official FIDO MDS3 website)
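The AAGUID-to-model lookup suggested in the reply above, as an added example that is not code from the thread, Termius, or libfido2. It assumes the MDS3 BLOB signature has already been verified and that each device's 16-byte AAGUID was already read from getInfo (for instance via libfido2's `fido_cbor_info_aaguid_ptr`); the function names, AAGUIDs, model descriptions, and device paths are all constructed for illustration.

```python
import base64
import json
import uuid
from collections import Counter

def _b64url(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def aaguid_map_from_mds3(blob_jwt):
    """Build {AAGUID: description} from an MDS3 BLOB (JWT: header.payload.signature).
    Only the payload is read here; signature verification is assumed done elsewhere."""
    payload = json.loads(_b64url(blob_jwt.split(".")[1]))
    models = {}
    for entry in payload.get("entries", []):
        if "aaguid" not in entry:  # U2F/UAF entries are keyed differently, skip them
            continue
        desc = entry.get("metadataStatement", {}).get("description", "unknown")
        models[uuid.UUID(entry["aaguid"])] = desc
    return models

def label_devices(devices, models):
    """devices: list of (transport path, raw 16-byte AAGUID from getInfo).
    An AAGUID names a model, not a unit, so two keys of the same model get the
    same name; in that case the path is appended so the labels stay distinct."""
    names = []
    for _, raw in devices:
        aaguid = uuid.UUID(bytes=raw)
        names.append(models.get(aaguid, f"Unknown authenticator ({aaguid})"))
    seen = Counter(names)
    return [f"{n} [{p}]" if seen[n] > 1 else n for (p, _), n in zip(devices, names)]

# Constructed sample data: placeholder AAGUIDs, not real vendor values.
A = "00000000-0000-4000-8000-000000000001"
B = "00000000-0000-4000-8000-000000000002"
UNKNOWN = "00000000-0000-4000-8000-0000000000ff"

def sample_blob():
    entries = [
        {"aaguid": A, "metadataStatement": {"description": "Example Key Model A"}},
        {"aaguid": B, "metadataStatement": {"description": "Example Key Model B"}},
        {"attestationCertificateKeyIdentifiers": ["00"], "metadataStatement": {"description": "U2F only"}},
    ]
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    body = json.dumps({"no": 1, "entries": entries}).encode()
    return ".".join([enc(b'{"alg":"ES256","typ":"JWT"}'), enc(body), "constructed-signature"])

def demo():
    paths = ["/dev/hidraw1", "/dev/hidraw2", "/dev/hidraw3", "/dev/hidraw4"]
    raws = [uuid.UUID(x).bytes for x in (A, B, A, UNKNOWN)]
    return label_devices(list(zip(paths, raws)), aaguid_map_from_mds3(sample_blob()))
```
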