I already read in another post on this forum that if you back up an OnlyKey and restore it onto another one, that also copies the FIDO private key (credentials).
So the question is, can I create perfect copies of 2 OnlyKeys, meaning that websites using FIDO would allow me to log in with either of those OnlyKeys, as they would see the same FIDO credentials?
I would also like to know if this is an ok/secure way of doing things?
If this is allowed, OnlyKey would be the only one that has that feature. I am asking because I want to keep one of the keys, or only the backup file, in a vault, and access it only if the primary one fails. This way I wouldn’t have to register each individual OnlyKey/Nitrokey/YubiKey on websites that use FIDO authentication.
Yes. I have multiple cloned OnlyKeys and everything works as expected. I log in with FIDO2 on many sites across keys. They are like-for-like copies.
On your point about security, you may want to elaborate on the concerns. I guess strictly speaking, increasing the number of copies increases the chances of someone getting your key, but they would need the PIN, and the device has brute-force prevention mechanisms. It still seems much more secure than many alternatives, like storing a GPG or SSH key on online devices.
Thanks for the response.
I wonder if having multiple unique FIDO2 keys with different passwords is as bad as having cloned FIDO2 keys with the same password. By password, I mean the device PIN. If an attacker got access to one key with its password, he would have the same access in both scenarios, and you would still be able to switch websites to new FIDO2 credentials, if the attacker doesn’t happen to do that faster (which he could in both cases).
Questions like this are always difficult to answer and often end up with… It depends. Because it does depend on lots of variables and circumstances.
But in this case, don’t use passwordless authentication. That seems like the solution. Then you can keep your two or more factors segregated. And why have FIDO2 keys as a backup to FIDO2 keys on a service? Again, it is always better to have diverse factors, so maybe OTP is a better recovery login option, or even a paper-based recovery code, which lots of services offer.