Please help me understand something related to WebAuthn authentication using two hardware OnlyKeys:
- I have configured Twitter to use my primary OnlyKey as the hardware key for 2FA. I can use my primary OnlyKey without problems to log into Twitter (by entering username and password, then touching the unlocked OnlyKey).
- According to this Twitter blog entry, Twitter uses FIDO2 / WebAuthn for authentication with a hardware key.
- To my understanding (see here for a related query), FIDO2 / WebAuthn authentication is specific to the exact hardware key used. In other words, two hardware keys, even when one of them is a backup of the other, must be registered separately and are not usable interchangeably for authentication. There is also an interesting article by Yubico related to that.
- However, I noticed that I can also use my secondary / backup OnlyKey for successful authentication to Twitter. I have only registered a single OnlyKey with Twitter, the primary one.
How can this be explained? I would like to understand what exactly makes the two OnlyKeys interchangeable for FIDO2 / WebAuthn. (For instance, is there a secret key used for WebAuthn which is identical for both of my two OnlyKeys, primary and backup?)
(I am not sure if this is relevant here at all, but I have set the HMAC slot 1 private key (not using the pre-set random one). It is identical in both OnlyKeys, as one is a backup of the other.)
Update: Same behavior on GitHub: I can use both OnlyKeys for authentication, although I have only registered one of them. AFAIK GitHub also uses FIDO2 / WebAuthn.
Update 2: The HMAC secret key does not seem relevant. I reset it and can still log into Twitter and GitHub.
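The following is an added illustration, not code from the question, from OnlyKey, or from Twitter/GitHub, of the mechanism the question speculates about in its last parenthetical: a FIDO2 authenticator that keeps a single master secret and derives each relying party's signing key from it on demand instead of storing per-site keys. Under that design a device restored from the same backup seed is cryptographically indistinguishable from the original, so a credential registered on one verifies with the other, and the HMAC slot secret plays no part. Everything below is an assumption chosen for the demonstration: the derivation (HMAC-SHA256 over the RP ID and a nonce that is carried inside the credential ID), the signature algorithm (Ed25519, WebAuthn alg -8), the seeds and the clientDataJSON are all constructed; the post does not establish that OnlyKey's firmware uses exactly this scheme, only that its behaviour is consistent with one like it.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator is a toy FIDO2 authenticator that holds only a master seed.
// Per-credential keys are derived from (seed, rpID, nonce) and never stored.
type Authenticator struct {
	masterSeed []byte
	signCount  uint32
}

// Credential is what the relying party stores at registration time.
type Credential struct {
	ID        []byte
	PublicKey ed25519.PublicKey
}

// derive is the assumed KDF: HMAC-SHA256(seed, label || parts...).
func derive(seed []byte, label string, parts ...[]byte) []byte {
	mac := hmac.New(sha256.New, seed)
	mac.Write([]byte(label))
	for _, p := range parts {
		mac.Write(p)
	}
	return mac.Sum(nil)
}

// keyFor recomputes the Ed25519 key pair for one credential from the seed.
func (a *Authenticator) keyFor(rpID string, nonce []byte) (ed25519.PrivateKey, ed25519.PublicKey) {
	seed := derive(a.masterSeed, "key", []byte(rpID), nonce) // 32 bytes = ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(seed)
	return priv, priv.Public().(ed25519.PublicKey)
}

// MakeCredential mints a credential ID = 16-byte nonce || 16-byte MAC tag over
// (rpID, nonce). The tag lets the device recognise its own IDs without storage.
func (a *Authenticator) MakeCredential(rpID string) Credential {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	tag := derive(a.masterSeed, "id", []byte(rpID), nonce)[:16]
	_, pub := a.keyFor(rpID, nonce)
	return Credential{ID: append(nonce, tag...), PublicKey: pub}
}

// GetAssertion rejects IDs not minted from this seed (or minted for another RP),
// otherwise signs authenticatorData || SHA-256(clientDataJSON) as WebAuthn specifies.
func (a *Authenticator) GetAssertion(rpID string, credID, clientDataJSON []byte) (authData, sig []byte, err error) {
	if len(credID) != 32 {
		return nil, nil, errors.New("bad credential id length")
	}
	nonce, tag := credID[:16], credID[16:]
	if !hmac.Equal(tag, derive(a.masterSeed, "id", []byte(rpID), nonce)[:16]) {
		return nil, nil, errors.New("credential not recognised by this authenticator")
	}
	a.signCount++
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(authData, rpHash[:]...)
	authData = append(authData, 0x05) // flags: UP (0x01) | UV (0x04)
	authData = append(authData, byte(a.signCount>>24), byte(a.signCount>>16), byte(a.signCount>>8), byte(a.signCount))
	cdHash := sha256.Sum256(clientDataJSON)
	priv, _ := a.keyFor(rpID, nonce)
	sig = ed25519.Sign(priv, append(append([]byte{}, authData...), cdHash[:]...))
	return authData, sig, nil
}

// Verify is the relying-party side: check rpIdHash and the UP flag, then the signature.
func Verify(rpID string, cred Credential, authData, clientDataJSON, sig []byte) bool {
	rpHash := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || !bytes.Equal(authData[:32], rpHash[:]) || authData[32]&0x01 == 0 {
		return false
	}
	cdHash := sha256.Sum256(clientDataJSON)
	return ed25519.Verify(cred.PublicKey, append(append([]byte{}, authData...), cdHash[:]...), sig)
}

// Demo registers on a primary device, then asserts with a backup sharing its seed
// and with an unrelated device. Seeds and client data are constructed values.
func Demo() (backupOK bool, strangerErr error) {
	seed := []byte("0123456789abcdef0123456789abcdef")
	primary := &Authenticator{masterSeed: seed}
	backup := &Authenticator{masterSeed: seed}
	stranger := &Authenticator{masterSeed: []byte("fedcba9876543210fedcba9876543210")}
	const rp = "twitter.com"
	cred := primary.MakeCredential(rp)
	clientData := []byte(`{"type":"webauthn.get","challenge":"constructed-challenge","origin":"https://twitter.com"}`)
	authData, sig, err := backup.GetAssertion(rp, cred.ID, clientData)
	if err != nil {
		return false, err
	}
	backupOK = Verify(rp, cred, authData, clientData, sig)
	_, _, strangerErr = stranger.GetAssertion(rp, cred.ID, clientData)
	return backupOK, strangerErr
}

func main() {
	ok, err := Demo()
	fmt.Printf("same-seed backup verifies: %v; unrelated device rejected: %v\n", ok, err != nil)
}
```

The point the demo makes is that nothing about the registered credential identifies a physical device: the relying party stores only a credential ID and a public key, and any authenticator able to reproduce the private key for that ID will pass. Whether the private key lives in dedicated per-credential storage or is regenerated from a master secret is an authenticator design choice invisible to Twitter or GitHub; the Yubico article's warning that backups must be registered separately holds for devices whose secrets are generated on-chip and cannot be exported, not for a device that was restored from the same seed.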