✅ Authenticate user via U2F exclusively (decrypt secrets via FIDO/u2f)

Would it be possible to implement per-key FIDO2 authentication? It is possible to use FIDO2 hardware keys to use public-key cryptography, so would it not be possible to encrypt secrets with both a master password and enrolled FIDO2 authenticators?

As for why - I’m looking to get out of pass where each access to any of my passwords required an interaction with the GPG keys on my yubikey, and it would feel like a downgrade if I had to lose the per-secret painless authentication when moving to Bitwarden. I understand that I can always use my master password, but I was envisioning that via FIDO2, I wouldn’t need to enter unless I had lost my FIDO2 keys.

I’d say that such an encryption scheme would only support FIDO2 hardware keys that require extra authentication, i.e. keys that don’t require user interaction and have boundless authentication retries would not be supported. It would be impossible to revoke a FIDO2 key in the sense that access to secrets can’t be retroactively revoked, but a revoked key would at least not be able to decrypt new secrets - I believe this is less of a concern since it’s far more difficult to guess a PIN for a FIDO2 device than it is to crack a password, or at least, that is my assumption.

There are numerous benefits to using FIDO2 hardware keys to decrypt secrets:

  • The master password doesn’t need to be entered all the time, which means there’s less of a chance the master password will leak
  • All passwords can be authenticated at time of use without too much inconvenience
  • Secrets can be accessed more safely on less trusted systems

As an aside, I’m all the more disappointed to see FIDO2 keys be unsupported on Linux 🙁

@eee Welcome to the forum!

It sounds like you are describing an existing feature — Login with FIDO2 Passkeys. This is currently available for login to the Web Vault, using PRF-capable browsers; expanded support for passkey login is planned.

Also, your title mentions FIDO U2F (a deprecated protocol), while your post only talks about FIDO2 (which is the successor to FIDO U2F).

If you were requesting a new feature or improvement that is different from the available passkey authentication functionality, please clarify (and modify your topic title accordingly).

Sorry for the mix-up. You are correct, this is what I was looking for, and indeed, I was trying to refer to FIDO2 authenticators exclusively.

Thanks for clarifying. Closing this thread as completed.