This requires the attacker to steal your key. When that happens, by the time they can get the secret key I've already revoked it.
The biggest problem with FIDO keys isn't the fact that people can gain access to your accounts if it's physically stolen.
I have redundant keys for backup access. But I have no idea which accounts I used the lost key for, in order to log into them one by one to revoke the key.
How does everyone here keep track? A post-it note in the cookie jar?
>This requires the attacker to steal your key. When that happens, by the time they can get the secret key I've already revoked it.
You're held in custody, detained, arrested, etc while your keys are dumped and accounts are accessed. You don't have the opportunity to revoke it without risking prison time.
This situation can happen if you simply choose to fly or visit another country.
That’s a different situation outside of most people’s reasonable threat model. The police don’t need to clone your Yubikey if they can use it as much as they want, and if they decide to go NYPD on you nothing else you do is going to end in a different outcome unless your MFA check is an in-person confirmation in a location outside of their control.
Though in this scenario, your adversary doesn't need to resort to a technical attack to clone your key. They can compel you to comply, and keep you locked up until you do.
They can, but assuming the law is actually being followed, you can only be held for so long without charges, and can be compelled to provide so much testimony.
Being able to quickly clone keys gives any LEO an opportunity to access your digital life as part of a simple stop versus a full criminal case.
In the UK, s 49 of the Regulatory and Investigatory Powers Act 2000 provides for 2-5 years' imprisonment if you were to fail to do so, depending on the nature of the offence under investigation.
In Australia, s 3LA of the Crimes Act 1914 (Cth) imposes a similar obligation with a penalty of 5 or 10 years' imprisonment.
If you find yourself in this position in Russia or China, they would just make you disappear for as long as they saw fit.
That's not the only possible attack here: FIDO direct attestation requires a key to be shared among either none or at least 100 000 devices (for privacy reasons):
> If the authenticator puts the exact identical attestation key into a group of Authenticators (e.g., group of devices, phones, security keys...) so that the attestation key doesn't become a Correlation Handle, then each group of Authenticators MUST be at least 100,000 in number. If less than 100,000 Authenticators are made, then they MUST all have the same attestation key.
Yubico, to my knowledge, has chosen the latter route; this means that compromising a single Yubikey's attestation key compromises at least 100k others immediately
The article notes "The attack requires physical access to the secure element (few local electromagnetic side-channel acquisitions, i.e. few minutes, are enough) in order to extract the ECDSA secret key." (emphasis added)
The biggest problem with FIDO keys isn't the fact that people can gain access to your accounts if it's physically stolen.
I have redundant keys for backup access. But I have no idea which accounts I used the lost key for, in order to log into them one by one to revoke the key.
How does everyone here keep track? A post-it note in the cookie jar?