TL;DR
Using a single U2F/FIDO key with multiple accounts is convenient but increases risk. If the key is lost, stolen, or damaged, you lose access to *all* those accounts. It’s better to use separate keys for important accounts, especially if they don’t share the same recovery options.
Understanding the Risks
U2F (Universal 2nd Factor) and FIDO (Fast Identity Online) are strong authentication methods that offer good security. They replace passwords with a physical key. However, relying on just one key for everything creates a single point of failure.
Step-by-Step Guide to Assessing & Mitigating Risk
- Identify Your Accounts: List all accounts where you’re using the U2F/FIDO key. Categorise them by importance (e.g., critical: banking, email; important: social media; low risk: forums).
- Understand Key Recovery Options: For each account, check what recovery methods are available if you lose your key. Common options include:
  - Backup Codes: These are one-time-use codes generated when you set up the key. Store these securely!
  - SMS Verification: Less secure than backup codes, but better than nothing.
  - Recovery Email: Also less secure, and vulnerable to email compromise.
  - Account Recovery Questions: Often weak and easily guessed.
- Assess the Risk Level: Consider these factors for each account:
  - Impact of Compromise: How bad would it be if someone gained access? (High, Medium, Low)
  - Recovery Option Strength: How reliable and secure are your recovery methods? (Strong, Moderate, Weak)
- Implement Mitigation Strategies: Based on the risk assessment:
  - High Risk Accounts: Use a separate U2F/FIDO key for each critical account. This is the most secure option. Consider purchasing keys from different manufacturers so that a hardware vulnerability in one model does not affect all of your keys.
  - Important Accounts: Use a dedicated key if possible, or at least ensure you have strong recovery options (backup codes stored offline).
  - Low Risk Accounts: Using a single key is generally acceptable, but still keep backup codes safe.
- Registering Multiple Keys (Where Supported): Many services allow registering more than one U2F/FIDO key as a backup. The process varies by service, but usually involves going to the security settings and adding another key. For example, in Google: go to your Google Account Security page -> 2-Step Verification -> Add Security Key.
- Key Management: Securely store your keys. Don’t leave them unattended or connected to a computer for extended periods. Consider using a dedicated key holder or lanyard.
- Regular Review: Periodically review your account security settings and recovery options (at least every 6 months).
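The inventory, rating and mitigation steps above amount to a small decision table, and it is easier to apply consistently when written down. The Go program below is an added example, not part of the original guide: it takes a constructed inventory (the account names, the key identifiers "key-A"/"key-B" and the ratings are all invented for illustration), rates each account by combining impact of compromise with how likely a lockout is (one registered key plus less-than-strong recovery), and emits the guide's recommendations. It also reports which accounts share a key, which is what makes the single point of failure visible.

```go
package main

import (
	"fmt"
	"sort"
)

// Level is the three-step scale the guide uses for impact, recovery
// strength and the resulting risk.
type Level int

const (
	Low Level = iota
	Medium
	High
)

func (l Level) String() string { return [...]string{"Low", "Medium", "High"}[l] }

// Account is one row of the inventory. KeyIDs are the security keys registered
// on it (hypothetical names); RecoveryStrength maps Weak/Moderate/Strong onto
// Low/Medium/High.
type Account struct {
	Name               string
	Impact             Level
	RecoveryStrength   Level
	KeyIDs             []string
	BackupCodesOffline bool
}

// Finding is the risk rating plus the concrete actions for one account.
type Finding struct {
	Account string
	Risk    Level
	Advice  []string
}

// KeyUsage maps each key to the accounts it protects.
func KeyUsage(accounts []Account) map[string][]string {
	use := map[string][]string{}
	for _, a := range accounts {
		for _, k := range a.KeyIDs {
			use[k] = append(use[k], a.Name)
		}
	}
	return use
}

// riskOf combines impact with lockout likelihood: a single registered key and
// less-than-strong recovery means losing the key locks you out.
func riskOf(a Account) Level {
	lockoutLikely := len(a.KeyIDs) < 2 && a.RecoveryStrength < High
	switch {
	case a.Impact == High && lockoutLikely:
		return High
	case a.Impact == High, a.Impact == Medium && lockoutLikely:
		return Medium
	default:
		return Low
	}
}

// Assess applies the guide's mitigation rules to every account, highest risk first.
func Assess(accounts []Account) []Finding {
	use := KeyUsage(accounts)
	var out []Finding
	for _, a := range accounts {
		f := Finding{Account: a.Name, Risk: riskOf(a)}
		for _, k := range a.KeyIDs {
			if a.Impact == High && len(use[k]) > 1 {
				f.Advice = append(f.Advice, fmt.Sprintf("move to a separate key: %s is shared with %d other account(s)", k, len(use[k])-1))
			}
		}
		if len(a.KeyIDs) < 2 && a.Impact >= Medium {
			f.Advice = append(f.Advice, "register a second key as a backup where the service supports it")
		}
		if !a.BackupCodesOffline {
			f.Advice = append(f.Advice, "generate backup codes and store them offline")
		}
		if a.RecoveryStrength == Low && a.Impact >= Medium {
			f.Advice = append(f.Advice, "replace weak recovery methods (SMS, recovery questions)")
		}
		out = append(out, f)
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Risk != out[j].Risk {
			return out[i].Risk > out[j].Risk
		}
		return out[i].Account < out[j].Account
	})
	return out
}

// SampleInventory is a constructed example: one key ("key-A") used everywhere.
func SampleInventory() []Account {
	return []Account{
		{Name: "bank", Impact: High, RecoveryStrength: Low, KeyIDs: []string{"key-A"}},
		{Name: "email", Impact: High, RecoveryStrength: High, KeyIDs: []string{"key-A", "key-B"}, BackupCodesOffline: true},
		{Name: "social", Impact: Medium, RecoveryStrength: Low, KeyIDs: []string{"key-A"}},
		{Name: "forum", Impact: Low, RecoveryStrength: Medium, KeyIDs: []string{"key-A"}, BackupCodesOffline: true},
	}
}

func main() {
	for _, f := range Assess(SampleInventory()) {
		fmt.Printf("%-7s risk=%s\n", f.Account, f.Risk)
		for _, s := range f.Advice {
			fmt.Println("   -", s)
		}
	}
}
```

Run it and the bank account comes out as High risk with four actions, while the forum, where a single shared key is acceptable per the guide, gets none. Adjust the thresholds in riskOf to your own tolerance; the structure is the point.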
Technical Considerations
U2F/FIDO keys store cryptographic credentials, not passwords. Each key generates a unique signature for each website it’s used with, so a credential registered with one site cannot be used at another. Losing the key doesn’t reveal your password, but it does prevent you from logging in.
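To make that concrete, the following Go model is an added example, not code from the page or from any FIDO vendor. It shows the shape of what a key does: a single master secret that never leaves the device, a fresh key pair derived for every site it registers with, a key handle that only the issuing device accepts and only for that site, and a signature over the site's app ID, a counter and the site's challenge. The site keeps only a public key and the opaque handle. Assumptions: Ed25519 stands in for the ECDSA P-256 that U2F specifies (FIDO2 also permits Ed25519, and Go's standard library has it), the key-handle construction is one simplified scheme rather than any vendor's, and the app IDs are made-up origins.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const nonceLen = 16

// Authenticator models the key. masterSecret never leaves it.
type Authenticator struct {
	masterSecret [32]byte
	counter      uint32
}

func NewAuthenticator() *Authenticator {
	a := &Authenticator{}
	if _, err := rand.Read(a.masterSecret[:]); err != nil {
		panic(err)
	}
	return a
}

// Credential is all a site keeps: a public key and an opaque key handle.
// Neither is a password and neither is usable at a different site.
type Credential struct {
	KeyHandle []byte
	PublicKey ed25519.PublicKey
}

// derive binds a value to this device, the site's app ID and a nonce, so every
// registration gets an unrelated key pair without per-site storage on the key.
func (a *Authenticator) derive(label, appID string, nonce []byte) []byte {
	m := hmac.New(sha256.New, a.masterSecret[:])
	m.Write([]byte(label + "|" + appID + "|"))
	m.Write(nonce)
	return m.Sum(nil)
}

// Register creates a credential bound to appID. The handle is the nonce plus a
// tag that lets the device recognise handles it issued for this app ID.
func (a *Authenticator) Register(appID string) Credential {
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	priv := ed25519.NewKeyFromSeed(a.derive("seed", appID, nonce))
	handle := append(append([]byte{}, nonce...), a.derive("handle", appID, nonce)...)
	return Credential{KeyHandle: handle, PublicKey: priv.Public().(ed25519.PublicKey)}
}

// Assertion is the key's answer to one login challenge.
type Assertion struct {
	Counter   uint32
	Signature []byte
}

// signedMessage ties a signature to one site, one login and one challenge.
func signedMessage(appID string, counter uint32, challenge []byte) []byte {
	app := sha256.Sum256([]byte(appID))
	chal := sha256.Sum256(challenge)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	return bytes.Join([][]byte{app[:], c[:], chal[:]}, nil)
}

// Authenticate rejects handles it did not issue for this appID, then signs the
// challenge with the per-site key and advances the counter.
func (a *Authenticator) Authenticate(appID string, handle, challenge []byte) (Assertion, error) {
	if len(handle) != nonceLen+sha256.Size {
		return Assertion{}, errors.New("malformed key handle")
	}
	nonce, tag := handle[:nonceLen], handle[nonceLen:]
	if !hmac.Equal(tag, a.derive("handle", appID, nonce)) {
		return Assertion{}, errors.New("key handle was not issued by this key for this app ID")
	}
	a.counter++
	priv := ed25519.NewKeyFromSeed(a.derive("seed", appID, nonce))
	sig := ed25519.Sign(priv, signedMessage(appID, a.counter, challenge))
	return Assertion{Counter: a.counter, Signature: sig}, nil
}

// Verify is the site's side: a valid signature under the stored public key over
// its own app ID and challenge, and a counter that moved forward (a cloned key
// eventually presents a stale counter).
func Verify(cred Credential, appID string, challenge []byte, lastCounter uint32, as Assertion) bool {
	if as.Counter <= lastCounter {
		return false
	}
	return ed25519.Verify(cred.PublicKey, signedMessage(appID, as.Counter, challenge), as.Signature)
}

func main() {
	key := NewAuthenticator()
	bank := key.Register("https://bank.example")
	mail := key.Register("https://mail.example")
	chal := []byte("constructed-challenge") // a real site sends random bytes
	as, _ := key.Authenticate("https://bank.example", bank.KeyHandle, chal)
	fmt.Println("bank login verifies:", Verify(bank, "https://bank.example", chal, 0, as))
	fmt.Println("same assertion accepted at mail:", Verify(mail, "https://mail.example", chal, 0, as))
	_, err := key.Authenticate("https://mail.example", bank.KeyHandle, chal)
	fmt.Println("bank handle presented to mail:", err)
	_, err = NewAuthenticator().Authenticate("https://bank.example", bank.KeyHandle, chal)
	fmt.Println("bank handle on a different key:", err)
}
```

The two error cases at the end are the practical consequence of the paragraph above: the credential stored by a site is useless without the physical key that issued it, and a second key, even from the same owner, cannot stand in for it unless it was registered with that site as well.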
What if I lose my key?
- Immediately revoke access: If possible, remove the lost key from each account and sign out all active sessions on those accounts.
- Use Recovery Options: Follow the account recovery process for each affected service. This is where having strong backup codes or a reliable recovery email becomes crucial.
- Contact Support: If you have trouble recovering your accounts, contact the support team of each service.