by beefee 1501 days ago
The services I interact with that support WebAuthn usually only allow you to register one key. Backup and recovery is a confusing puzzle for most of these services.

Tell the services you interact with that they're basically going against the spec.

"Relying Parties SHOULD allow and encourage users to register multiple credentials to the same account. Relying Parties SHOULD make use of the excludeCredentials and user.id options to ensure that these different credentials are bound to different authenticators."

Is it a SHOULD vs SHALL issue? Link to full spec?
It's SHOULD as per RFC2119, so basically you need to have a good reason with an understanding of the implications to ignore it.

One of the implications here being that you have zero available authenticators if your main authenticator breaks.

https://www.w3.org/TR/webauthn-2/

I haven't run into any like that, but I'm with you -- if I could only store one webauthn key, I wouldn't use it at all. Too risky.
I believe AWS root accounts don't support more than one key to be added.
They don't. And it's also not supported in the mobile app, which is a huge pain.
I don't think any AWS account allows more than one!
This has been talked about in HN comments almost daily for like a week — does anyone from AWS/Amazon read this forum, or are they too busy performing blood sacrifices trying to recruit graduates?
more like 2 years

they do know about it (I had a friend who was a PM there), but it's low priority...

Right. But you could create new users, not root but with admin rights, and enroll new keys.