[tialaramex]

FIDO2 enables resident keys. With resident keys the web site can have a flow where you just go "It's me" (maybe you enter a PIN, or touch a fingerprint sensor, Apple just announced they're doing this with FaceID) and you're signed in. Without a resident key, there's a back and forth where you give a username, then maybe a password, and then your authenticator comes in to provide a second factor.

This is because the FIDO2 device actually has (finite) slots to remember e.g. credentials for funky-jokes.example so when you're at funky-jokes.example a WebAuthn API call can ask for those credentials and sign you in. No username, no password, you've presented all the credentials needed in one step. Whereas when keys are not resident the authenticator is relying on the web site to know (from your username) its ID, without being told the ID it can't do the authentication dance, so you will need to enter a username/ email address.

Resident keys are clearly a great idea in a phone (iPhone, Pixel, whatever) because it's not like gigabytes of flash storage will be exhausted storing credentials for the dozens or even thousands of sites you have credentials for.

It's less obviously a great idea for a Yubikey or cheap USB Security Key that maybe only has space for a dozen credentials. Maybe it makes sense to use it for that one web site you sign into every day, or to replace the main SSH key you use but if a Yubikey has 25 slots it doesn't make much sense for one to be "bush-jokes.example" which you last visited ten years ago...

[donmcronald]

That sounds worse to me. I don't like the idea of having my identity tied to a device. What if I lose it? My favorite setup right now is to keep my username / password in a password manager that I sync to multiple places to ensure it doesn't get lost. Then I use a YubiKey with FIDO / U2F on sites I consider important. I have a main and a spare YubiKey and both get added to my profile (except AWS who only support one key).

[tialaramex]

All the FIDO2 capable devices I'm aware of are intended to be used with some external factor. For a Yubico Security Key 2 that's a PIN (unlike your passwords the PIN isn't sent anywhere, it's verified by the device) and some other devices use a fingerprint. Platform authenticators are going to do all sorts of stuff, like Apple's FaceID.

So if you lose it the credentials are now essentially worthless (anybody who found it or stole it presumably doesn't have your PIN / fingerprints / face) and you should revoke them from sites where they were trusted.

Nothing prevents you from enrolling multiple FIDO2 resident key devices for a site, the site would store all the relevant credentials and you could use any of them to log in. I expect Apple's implementation notes for that demo last week tell implementers to allow multiple enrolment because some of Apple's best customers own an iPhone and an iPad and a MacBook Pro and expect to use all three.

But sure, you can use the second-factor-only FIDO behaviour on a FIDO2 key just fine, it's just that FIDO2 resident keys can offer a nicer user journey while still being secure.

[neuralzen]

The thing to be wary of here is knowing which platform should be used, on a given site. These devices are to establish strict lines of trust, but not all those who use them are technically proficient, so a MitM that downgrades the authenticator from "platform" to "cross-platform" (or roaming) can alter the registration process such that what should have had a biometric tie now just has a PIN (or no PIN depending). This attack depends on how the vendor is managing AAGUIDs and Attestment Certificates, but a lot simply don't.

[tialaramex]

This seems like a pretty complicated attack with relatively low value, but maybe I don't understand something important. So let me run it back by my understanding.

You're proposing a TLS MitM (maybe plausible in a corporate environment that has this configured anyway) which downgrades the authenticator enrolment to have less protections, and then passing the resulting credentials to the real backend which will assume it has two factors without checking?

And later you steal the device so you can now use it without an additional factor because it wasn't enrolled using multi-factor anyway.

This would work as an element of the over-complicated schemes in an Oceans movie, but it doesn't feel very plausible in the real world. The skill sets to "Steal someone's iPhone" and "Obtain fraudulent Web PKI certs" don't overlap very much and this attack doesn't scale so it would need to be targeted.

[donmcronald]

I didn't explain it really well. I wasn't too worried about it being stolen. I was worried about having a single device, so losing it means losing all the identity info. I guess it's no different than now where I enroll 2 keys everywhere.