Allow storing multiple passkeys on one vault item

As long as it is the official definition by the FIDO alliance etc. (non-discoverable = not a passkey), I tend to stick to it - until it may change…

Firstyear’s blog-a-log does concede that the definition has migrated to “a passkey is a resident [a.k.a. discoverable] key”:

Firstyear’s argument is not that the definition is wrong, but that it “could be expanded to be all possible authenticators”. One problem with this posture is that NIST defines authenticators to include passwords. More significant, though is that the argument seems largely mooted by Google Titan now supporting 250 resident passkeys, largely exceeding his capacity concerns.

No, I meant the public one, but I expressed myself very poorly.

I meant, that with a discoverable credential, the key pair associated with that credential is (generated and) stored in a slot in the authenticator (both public and private keys).

But with a non-discoverable one, the generated key pair is derived from the fido master key and not stored in the authenticator but in the relying party server (only the public part, as what’s called a credential id).

The authenticator does not keep track at all of any non-discoverable key pairs derived from it’s master key, that’s what I meant by saying that the public key is stored by the RP server.

In any case, the private key should always be kept inside the autenticator (be it the fido master key, or any created discoverable key pair).

2 Likes

Yes, wrong wasn’t the perfect term.
Token2 is also solving that with a high capacity of 250. I’m sad that Yubico is so late on this, because I wanted a Yubico but the capacity was too limited

But more or less 500 accounts, so it will still need expansion that wouldn’t be needed with non-resident ones.

But to be honest, I prefer the resident ones as they allow us to login without even providing a username :slightly_smiling_face:

Agreed, and I also prefer syncable (as Bitwarden implements) due to better scalability (add to one; appears on all), recovery (can backup/restore in mere minutes), and much-larger capacity limits.

1 Like