Currently up to 5 FIDO U2F keys may be added. It would be awesome to allow some more. I don’t want to go into details but I myself have 8 keys and when rotating them (replacing with new) it may temporarily be up to 10 keys. It would be great if you could add support for some more keys.
Bump for reply?
Edited the topic to reflect the ‘count’ instead of seeming like we needed to support more ‘types’ of keys.
Is it possible to increase Yubikey U2F and/or OTP slots beyond 5?
Anecdotally, I think other Yubikey-protected services (Google, Facebook, GitHub) do not have a slot limit. (They also seem to bundle U2F and OTP together, but that’s a discussion for another day).
I’ve seen “Increase YubiKey slots from 3 to 5 · Issue #135 · bitwarden/server · GitHub”, but it leads to a dead forum link. What was the rationale for limiting to 5 slots?
Would it be possible to allow a user to register more than 5 FIDO2 keys for the account?
FIDO2 authenticators can be cross-platform (e.g. Yubikey) and platform (e.g. TPM, etc.). With multiple devices and a few security keys, you can easily max out the available slots.
As a user with 2 YubiKeys, 5 standalone WebAuthn-supporting keys, and 3 WebAuthn-supporting devices, I require more than 5 WebAuthn key slots.
10 slots sounds fair.
Still very much needed. I agree with the others, 10 sounds like a good number. If a limit at all, I don’t see the need for one. Storage doesn’t seem to be a problem if users can add unlimited vault items.
I personally have a couple of WebAuthn keys at my residence. Then, I have more scattered across different family members’ residences.
A limit increase becomes even more necessary for those without NFC on their phones. My immediate family all have Motorola phones released after 2020 that don’t support NFC. So, my family has to have a couple USB C WebAuthn keys, and a couple USB A WebAuthn keys. You can see how the requirement for more than five keys is quickly surpassed in scenarios like these.
Adding my support for this. The 5 key limitation is limiting and seems like it wouldn’t take all that much to expand it.
Allowing the user to register 10 FIDO2 credentials (passkeys or device-bound credentials) seems to be the standard.