How does "Security Key by Yubico" identify each key?

1.1k views Asked by At

According to the sentense below in this page, "Security Key by Yubico" does NOT have a serial number.

Serial numbers are unique across all models of YubiKeys, with the exception of Security Keys, which do not have serial numbers.

However, in Yubico Demonstration Site, the same "Yubico" can register security key in only 1 key.
So, I consider that "Yubico" has some mechanism to identify each "Yubiko" without using serial number.
Then, how does the authenticator in webserver identify each key without a serial number?

1

There are 1 answers

1
Luke Walker On BEST ANSWER

The answer is found within the U2F protocol (public-key credentials & attestation metadata):

Public-Key Credentials

  1. During the registration ceremony, the security key generates a public-key cryptography key-pair. The private key never leaves the security key and the public key is returned to the website at the end of the ceremony. The website stores this credential for later authentication.
  2. During the authentication ceremony the website sends the list of the user's registered public-key credentials that are allowed. The security key will generate a U2F assertion which is returned the website. The website will then validate the assertion has been signed by the private key and check that all the data is what was expected.

Check out an overview of the U2F protocol to learn more.

Attestation & Metadata

Each Yubico device has an attestation certificate that has been signed by Yubico's root CA. A website can validate that a YubiKey is genuine by checking it against the root CA. That attestation certificate has metadata that can identify the model of the authenticator. This attestation certificate follows the U2F privacy requirements and does not have any metadata that can be used to individually identify a particular security key.

Learn more about Yubico U2F attestation and metadata.