How do I remove individual FIDO2 keys from apex flex?

I installed the “FIDO Security” app and it seems to work just fine, however I can’t find any way to remove keys. When I tap “U2F” in apex manager it just tells me it doesn’t need any configuration, but presumably it’s going to run out of space at some point and I’ve got a few keys I created just for testing that I’d like to delete.

I tried the Yubico Authenticator app just for kicks and was surprised to see OTP codes show up, but nothing about U2F/FIDO

2 Likes

Guessing you could always do the “nuke it from orbit” approach, and destroy/reinstall the FIDO2 applet.

1 Like

Yes, but assuming there are some keys I do want and some keys I don’t.

1 Like

Does it create individual keys like that? I thought most security keys were sort of one-per-device and you just enroll that to the services

In other words, can you just un-enroll it from the service?

There’s a pretty decent chance I’m completely wrong there though

1 Like

I don’t fully understand it either, but I’m pretty sure U2F is the old standard and works as you describe (and apex flex supports it), while FIDO2 (aka passkeys?) is the newer standard and does require storing information per-service.

See for example yubikey’s docs on how to do this for their devices: Passkeys: FIDO2 — Yubico Authenticator User Guide documentation

2 Likes

I would also like to know this. I know I have a few wasting space.

2 Likes

Fido is basically U2F which is universal two-factor.

Fido2 is designed for passwordless operation. This means it’s the primary factor, not a secondary factor. The difference comes down to, for lack of a more nuanced explanation, supporting user authentication of some sort on the security token. Typically this means setting and using a PIN code for the token. In this way, nobody can simply find your security key and log into your stuff without knowing at least some factor. You could call it a simplified password if you want but basically it’s the primary difference between U2F and Fido2.

The industry is, of course, muddling things as they often do.

Passkeys are based on Fido2, however they are based on a very specific type of Fido2 - resident keys. There are two ways you can authenticate with a fido2 security token. The first is similar to u2f where the relying party (website, service, etc.) basically challenges your token and stores the public key of your token in its database. The next time you show up, it issues challenges based on that public key and if your key response correctly then hooray. It’s a little more involved than that to tie in url data and spoof protection and phishing attack protection, but that’s basically how it works.

Resident keys work a little differently. As you might surmise, the relying party creates a unique key that resides on your security token which is used to authenticate in a similar fashion.

Passkeys are basically a marketing term that is struggling to come to grips with also trying to become a technical specification. Basically, we have been going through a series of big bumps the last 24 months or … some websites say hey you can register a fido2 security key and when you do that it’s putting a resident key on your security token, while Apple and Google started pushing the idea of passkeys which are really no different but they created this term basically to push the idea that your device is the key… and by device they mean your phones and computers. They wanted a way to differentiate what they are leveraging the fido2 standard for vs traditional security keys.

My personal thought is that this is a terrible idea. If you are securing your access to cloud services and effectively securing your personal identity across the entire cloud using a device that is easily hacked, stolen, lost, forgotten, whatever… that’s like putting all your eggs in one basket. Of course the idea is that you would be able to do passkey revocation if you lose one of your devices but managing all of that is a it show nightmare once you get beyond just a few services.

Keeping your passkeys or resident keys or whatever you want to call them with you at all times in your body seems like a much easier management issue. Particularly if you have two Apex so you have a backup just in case. Management however is still the name of the game.

Basically, you could use any standard fido2 resident key management software package to manage the resident keys on your Apex… the problem is it’s just not a software suite out there. I think Yubico something, but I’m pretty sure it only works with their security tokens.

We do have plans for integrating better management for other applications on Apex into the Apex manager smartphone app. This includes Fido key management, but there is no ETA for these features.

Anybody with development skills who might want to contribute, let me know :slight_smile:

5 Likes

I was able to find a demo which would require a resident key https://yubionfidodemo.azurewebsites.net/Home/Usernameless and android didn’t even give the option for nfc which is a little dissapointing

so I think I can conclude there aren’t any resident keys on my apex, since everything I’ve added has been through android.

2 Likes

Hmm no that’s a Google bug… this has been hashed and debugged numerous times over the last few years. Likely your Google Fido stack is shitty

1 Like

Or also I think the site itself can actually specify which types of security tokens it wants to accept… it might be omitting NFC specifically

1 Like

Yeah on my phone it just doesn’t even work…

When I tap more options it just errors

1 Like