
Once it's cloned can't the attacker create a new one for you that looks like the previous one you had?



In the FIDO2 case, only the derived keys are extracted. The master key that derives non-resident keys isn't extracted. So I think it's not possible to really copy the key.

In the cases of FIDO2 resident keys (passkey) / PIV / GPG, maybe it's possible to extract and copy the exact keys. But I guess it can be detected through attestations.

And I just looked at the ykman command. It doesn't seem to allow you to import a passkey to a YubiKey.
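The derived-key idea from the reply above, as an added sketch that is not part of the thread and not any vendor's actual implementation. The `ToyAuthenticator` class, the HMAC-SHA256 construction and the credential ID layout (nonce plus tag) are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os


class ToyAuthenticator:
    """Hypothetical non-resident credential scheme: nothing per-site is stored on the device."""

    def __init__(self, master_key: bytes):
        self._master = master_key  # stays inside the device, never exported

    def _mac(self, label: bytes, rp_id: str, nonce: bytes) -> bytes:
        # Fixed-length label and nonce keep the concatenation unambiguous.
        return hmac.new(self._master, label + rp_id.encode() + nonce, hashlib.sha256).digest()

    def register(self, rp_id: str) -> bytes:
        # The credential ID handed to the relying party is nonce || tag.
        nonce = os.urandom(32)
        return nonce + self._mac(b"tag", rp_id, nonce)[:16]

    def credential_key(self, rp_id: str, credential_id: bytes):
        # Re-derive the per-credential secret only if the tag proves this device
        # issued the credential ID for this relying party.
        nonce, tag = credential_id[:32], credential_id[32:]
        if not hmac.compare_digest(tag, self._mac(b"tag", rp_id, nonce)[:16]):
            return None
        return self._mac(b"key", rp_id, nonce)


def demo() -> dict:
    device = ToyAuthenticator(os.urandom(32))
    other = ToyAuthenticator(os.urandom(32))  # a different device with its own master key
    cred_a = device.register("example.com")   # constructed relying party IDs
    cred_b = device.register("example.org")
    key_a = device.credential_key("example.com", cred_a)
    return {
        "same_device_rederives": key_a == device.credential_key("example.com", cred_a),
        "keys_differ_per_credential": key_a != device.credential_key("example.org", cred_b),
        "wrong_rp_rejected": device.credential_key("example.org", cred_a) is None,
        "other_device_rejects": other.credential_key("example.com", cred_a) is None,
    }


if __name__ == "__main__":
    print(demo())
```

In this sketch each per-credential secret is an HMAC output, so learning one of them gives neither the master key nor the secret for any other credential.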



