by beagle3 1487 days ago
Does this also work for the WebAuthn / U2F / TOTP use cases, or just the PGP/PIV/SSH ones?

No. There is no way to push a value for the symmetric key that probably makes the FIDO (thus U2F / WebAuthn) feature work. You can tell the Yubikey to pick a random new one, effectively wiping your key (and rendering any credentials previously minted with it now invalid) but you can't write one over USB and this was I believe intentional.
Thanks. I will wait until it’s actually possible to create backup WebAuthn keys (rather than enlisting two keys with every service).
There is actually at least one FIDO2 device that supports backing up (mostly), based on this spec from Dicekeys https://github.com/dicekeys/seeding-webauthn

Solokeys (https://solokeys.com/ - v1, don't think the newer v2 does) have a special firmware version that implements this and allows you to use a custom seed - and as such restore a key from it. It only works on non-resident credentials (most commonly used, as the number of RKs is usually very limited) though. The firmware is here (https://github.com/conorpp/solo-dicekeys/releases/tag/5.0.0). But it's also shipped in the keys Dicekeys sells, and I think only their app implements the client side of seeding anyway: https://www.crowdsupply.com/dicekeys/dicekeys
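A toy model of why loading the same seed restores non-resident credentials but not resident ones, added here as an illustration and not taken from the thread, the DiceKeys spec or the Solo firmware. The credential-id layout, the `example.com` relying party, the HMAC "signature" standing in for ECDSA, and the constructed challenge are all assumptions made for the example.

```python
import hmac, hashlib, os

RP = "example.com"                     # constructed relying-party id
DERIVED, RESIDENT = b"\x01", b"\x02"   # constructed credential-id type bytes

class SeededAuthenticator:
    """Toy authenticator: non-resident keys derive from the seed, resident keys live only in storage."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.resident = {}  # (rp_id, cred_id) -> random private key, device-local

    def _prf(self, label: bytes, rp_id: str, nonce: bytes) -> bytes:
        return hmac.new(self.seed, label + rp_id.encode() + nonce, hashlib.sha256).digest()

    def make_credential(self, rp_id: str, resident: bool = False) -> bytes:
        nonce = os.urandom(32)
        if resident:
            cred_id = RESIDENT + nonce
            self.resident[(rp_id, cred_id)] = os.urandom(32)  # not derivable from the seed
            return cred_id
        # Credential id = nonce plus a MAC tag so the device can recognise its own
        # credentials; the private key is recomputed from (seed, rp_id, nonce) on demand.
        return DERIVED + nonce + self._prf(b"tag|", rp_id, nonce)[:16]

    def get_assertion(self, rp_id: str, cred_id: bytes, challenge: bytes):
        if cred_id[:1] == RESIDENT:
            key = self.resident.get((rp_id, cred_id))  # None on any other device
        else:
            nonce, tag = cred_id[1:33], cred_id[33:]
            if not hmac.compare_digest(tag, self._prf(b"tag|", rp_id, nonce)[:16]):
                return None  # tag mismatch: credential was minted under a different seed
            key = self._prf(b"key|", rp_id, nonce)
        if key is None:
            return None
        # HMAC stands in for the ECDSA signature a real authenticator would produce.
        return hmac.new(key, challenge, hashlib.sha256).digest()

def demo() -> dict:
    seed = os.urandom(32)
    original, restored = SeededAuthenticator(seed), SeededAuthenticator(seed)  # same seed loaded twice
    stranger = SeededAuthenticator(os.urandom(32))                              # unrelated device
    chal = b"constructed-challenge"
    nr, rk = original.make_credential(RP), original.make_credential(RP, resident=True)
    return {
        "nonresident_restored": original.get_assertion(RP, nr, chal) == restored.get_assertion(RP, nr, chal),
        "nonresident_stranger_rejected": stranger.get_assertion(RP, nr, chal) is None,
        "resident_original": original.get_assertion(RP, rk, chal) is not None,
        "resident_lost_on_restore": restored.get_assertion(RP, rk, chal) is None,
    }
```

Running `demo()` returns all four checks as `True`: the seeded backup answers for every non-resident credential the original minted, rejects nothing it should accept, and has no way to recover the resident key.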