ashtuchkin / u2f

U2F Authentication for Node.js

Avoid saving key twice #3

Closed jimmywarting closed 8 years ago

jimmywarting commented 8 years ago

How can I check if a YubiKey has already been added to a user and avoid duplicates?

ashtuchkin commented 8 years ago

You should already have saved keyHandle and publicKey in your db for each added user. The presence of these fields is a flag that the user has already added a YubiKey.

jimmywarting commented 8 years ago

Yeah, but I'm making it possible to add more than one YubiKey for all users, in case you would lose one or you want someone else to have access as well.

Every time I register the same YubiKey I get a different publicKey and keyHandle back. What I would like to know from the YubiKey is its identity (the first 12 characters of the OTP key).

zcei commented 8 years ago

There is no trivial way to do this, as the specs allow you to have multiple keys per domain (better: AppID). For example I have a personal & a work gmail account, both can still be secured with the Yubikey.

You need to implement business logic for that. When your user is logged in and tries to add a u2f to his account, while he actually has one in place, it should stop there and tell that to the user. So there is no registration attempt and thus no second publicKey / keyHandle (or replace it with the new key).

jimmywarting commented 8 years ago

> You need to implement business logic for that. When your user is logged in and tries to add a u2f to his account, while he actually has one in place, it should stop there and tell that to the user.

That is what I would like to achieve. But I don't want to limit a user to only having one YubiKey and stop them from adding a new one. The presence of at least one publicKey / keyHandle doesn't work for me.

I don't know how Google does it. But they have made it possible to add multiple YubiKeys (in case you would lose one) and they can still detect if that YubiKey was already added, and thus stop you from adding it again. I'm wondering how they made it.

zcei commented 8 years ago

From a quick glance on the specs, there seems to be a signRequests field for a registration attempt, where you can send known tokens with a challenge for it.

If I understood correctly, this should sign the request if you already have the key registered. Then you can discard the registrationResponse. When using a different key it can't sign it, thus you should store the registrationResponse.

jimmywarting commented 8 years ago

> signRequests field for a registration attempt, where you can send known tokens with a challenge for it.

Thank you zcei, that solved it. I wish I would get back a better error than `{type: "OTHER_ERROR", code: 1}`, but it works.