Key derivation function

Hello,
Can someone direct me to the documentation of how OnlyKey authenticates (U2F) with a website?
Is it a "Keyhandle" approach (as in Yubikey) where a device-specific secret is used to deterministically generate an unlimited amount of private keys (ECC, RSA)?

If so, is the “master key/device specific secret” generated using the CSRNG built in the OK?
When is this secret generated (at device creation?) and what are its properties?

Is there a way to create your own master key/secret as you can with stored SSH/GPG keys or resident FIDO2 keys?

Thanks (and apologies if this question has previously been asked)

FIDO2 (used to be called U2F) is a standard that supports MFA and passwordless authentication. OnlyKey works like other FIDO security keys; here is more info:

Is there a way to create your own master key/secret as you can with stored SSH/GPG keys or resident FIDO2 keys?

Yes, this is called resident keys. It's a feature of FIDO2 and used for passwordless authentication, not used for encryption/signing like GPG keys are.

I guess what I was trying to ask is what are the details of how the Onlykey is seeded with the master secret that is used to derive the unlimited amount of non-resident and 25 resident/discoverable credentials.

Also regarding resident keys, if I fill up all 25 ECC slots with keys that I generate myself, then will the OnlyKey get rejected when trying to register it with a website that uses the WebAuthn FIDO2 protocol as traditional U2F 2FA?

After registering the OnlyKey to a website is there a way to export that resident key (including the private key) that’s been created by the OnlyKey?

Key derivation and the 25 ECC slots are not used for FIDO2. There are 12 FIDO2 resident key slots; this is separate from the 25 ECC slots that are used for SSH/GPG.