[zaroth]

And how do you enroll the second device?

It would have to be something like;

1) Login on primary device

2) Generate a one-time code or link

3) Enter one-time code or click link on 2nd device

4) Click an “Enroll” button on the 2nd device which would generate a second enrollment saved in the account.

You would have to do this for each and every service so that seems like a total non-starter.

Alternatively, a way to share the private keys securely between the devices. But I’m not sure if there are site-specific salts as part of the WebAuthN signing process which would require additional state be sync’d between the devices in order to authenticate to a new service on both devices?

[nickray]

There's an ascending signature counter that's intended to prevent cloned devices (replay attacks are prevented seperately with server generated challenge). One way around it is clone (backup key) having very high initial signature counter set, so first use invalidates original (on loss). But yeah it's a UX problem that hopefully will find a better/non-hacky solution than "register multiple keys for each site".

[xur17]

> But yeah it's a UX problem that hopefully will find a better/non-hacky solution than "register multiple keys for each site".

This seems like a huge blocker for adoption. I currently run into this issue with FIDO for 2fa - I store my backup key offsite, which means enrolling the second device requires me to make a special trip to retrieve the device. My current approach is to retrieve the backup token every few months and add it to all of the new services I have enrolled in, but I don't have a good system for remembering all of these services, so I inevitably forget one (despite only using the key on a few services)...

[tialaramex]

Write the services down. You don't need to keep the fact that you have FIDO tokens secret unless you're keeping them somewhere otherwise unsafe like under a rock in your garden. So a list titled "Services I've enabled for FIDO" with check columns for the tokens gets it done.

[xur17]

That's my current approach, but I'm not as disciplined about writing them down as I should be.

[tialaramex]

Ah, I see you're thinking about platform devices where the web browser is running on the device being enrolled.

Yes, you'd have to use some other way to authenticate as yourself on a second or subsequent platform device. If you have a separate FIDO token (like a Yubikey or any of their cheaper Security Key products or dozens of others) that would be the obvious first choice to enroll.