16 votes

The trouble with decommissioning a used FIDO security key

3 comments

  1. [3]
    spit-evil-olive-tips
    Link
    I hope I’ve learned my lesson now; maybe you have too. I’m keeping track of where I’ve registered my new security key. At least, this time, I’ve created and put some entries in a list inside my password manager!

    I've learned this the hard way as well - I have a handful of different security keys, with various levels of features (FIDO1 vs FIDO2, for example). I don't even use them on that many websites (Google, Bitwarden, Fastmail and Github being the big ones, I think), but nonetheless I've started keeping a "secure note" in Bitwarden listing each site, which keys it has registered, and the date that I registered it.

    Many services have neither let me add multiple keys, nor allowed me to remove my key once added. Essentially, the hardware I now want to decommission is the only way to log in to these services.

    I'd consider this a serious bug in the site's FIDO / WebAuthn implementation - every site should allow multiple keys. Bitwarden has a limit of 5 which seems pointless and arbitrary but is enough for my purposes.

    if a site allows only one key I'm not going to use FIDO at all and stick with TOTP codes on my phone (or, consider a different service altogether, because enforcing that requirement indicates the devs of that service don't understand FIDO well enough for me to trust them)

    5 votes
    1. [2]
      Tadpole
      Link Parent
      if a site allows only one key I'm not going to use FIDO

      Do the sites generally tell you that before you register the key? Only allowing one seems like an oversight, so I expect they would lack a banner informing you of that limitation.

      1 vote
      1. spit-evil-olive-tips
        Link Parent
        yeah, they probably won't make it explicit - but I'm going to try to register multiple keys from the beginning. if registering my 2nd key doesn't work, I'll know right away their implementation is broken.

        in general, I recommend everyone who has these security keys gets at least two of them, so there's always one as a backup in case of loss or hardware failure.

        and if possible, get two from different manufacturers (fairly easy for keys that are FIDO2-only, more difficult if you want advanced features like PIV or GPG that only the fancier keys like YubiKey support) to avoid the possibility of a firmware bug causing a correlated failure in both keys at the same time.

        2 votes
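The relying-party side of the points raised in this thread (let a user register several keys, record when each was added, and refuse to strand the account by removing the last one), as an added example that is not code from the thread or from any service named in it. The class and method names are assumptions, and the default limit of 5 mirrors the Bitwarden figure quoted above; the credential bytes are constructed sample values, not real WebAuthn data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Credential:
    """One registered FIDO/WebAuthn credential (hypothetical minimal model)."""
    credential_id: bytes   # credential ID returned by the authenticator at registration
    public_key: bytes      # COSE public key blob; opaque here
    label: str             # user-chosen name, e.g. "backup key in drawer"
    registered: date       # when the key was added, so stale keys can be identified


class UserCredentials:
    """Per-user credential inventory with the two rules the thread asks for:
    multiple keys are allowed, and a key can be removed once a replacement exists."""

    def __init__(self, max_keys: int = 5) -> None:
        self.max_keys = max_keys
        self._creds: Dict[bytes, Credential] = {}

    def register(self, cred: Credential) -> None:
        if cred.credential_id in self._creds:
            raise ValueError("credential already registered")
        if len(self._creds) >= self.max_keys:
            raise ValueError(f"limit of {self.max_keys} keys reached")
        self._creds[cred.credential_id] = cred

    def remove(self, credential_id: bytes, other_factor_available: bool = False) -> None:
        """Decommission a key. Refuse if it is the only way left to log in."""
        if credential_id not in self._creds:
            raise KeyError("unknown credential")
        if len(self._creds) == 1 and not other_factor_available:
            raise ValueError("cannot remove the last credential; register a replacement first")
        del self._creds[credential_id]

    def allow_list(self) -> List[bytes]:
        """Credential IDs to offer in a WebAuthn assertion request (allowCredentials)."""
        return list(self._creds)

    def backup_warning(self) -> Optional[str]:
        """What to show on the account page when the user has no backup key."""
        if len(self._creds) < 2:
            return "only one security key registered; add a backup before you lose it"
        return None

    def older_than(self, cutoff: date) -> List[Credential]:
        """Keys registered before `cutoff`, e.g. candidates for review or rotation."""
        return [c for c in self._creds.values() if c.registered < cutoff]
```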