How to configure several U2F devices

[sammyjenkins]

Hello,

Is it possible (if yes, how to do so) to configure several u2f devices for 1 user in proxmox?

Thank you
Best regards

 

[dcsapak]

no currently not, only one device/tfa method per user
what would be the use case for registering multiple devices? (maybe we can implement it if it is useful)
you can always open an enhancement request here: https://bugzilla.proxmox.com

 

[sammyjenkins]

no currently not, only one device/tfa method per user
what would be the use case for registering multiple devices? (maybe we can implement it if it is useful)
you can always open an enhancement request here: https://bugzilla.proxmox.com

In case one device is lost I wouldn't lose access to the web-interface. I just can revoke access with the first device and use the second (backup) one.

 

[janssensm]

In case one device is lost I wouldn't lose access to the web-interface. I just can revoke access with the first device and use the second (backup) one.

The only use case from security view I can see for multiple tokens is when u2f tokens are mandatory, but at this moment I don't see an option to set that. So it's a users choice or an account specific preconfig by an admin.
If I understand right, the root account on a node can always delete a u2f token for another user account.
If you would like to have as much self support for VM users without intervention of an administrator of the root account (or another account with sufficient permissions) then multiple tokens would be handy, because a user without those permissions would have to ask for help when the u2f hardware key got lost or damaged.

When looking at other platforms allowing multiple u2f tokens, such as gitlab or gitea, users are presented recovery or scratch codes, whitch Proxmox doesn't have. So fallback on Proxmox seems to be to use the root account to correct the u2f token, and fallback is important.

 

[Chiaki]

The use-cases for multiple keys were always part of the official U2F specification and any serious implementation of U2F always allows multiple keys per account.

https://fidoalliance.org/specs/fido...2-ps-20170411.html#u2f-device-usage-scenarios

I was really astonished to see that Proxmox implemented U2F in this restrictive way.

 

[janssensm]

I was really astonished to see that Proxmox implemented U2F in this restrictive way.

You can also see this feature as a first step and perhaps more features can be implemented
If you feel it's important you can file a feature request at [1].

There also is an existing feature request for u2f/webauthn at [2] where you could add your wish.

[1] https://bugzilla.proxmox.com/
[2] https://bugzilla.proxmox.com/show_bug.cgi?id=2356

 

[Jackster]

Sorry to necro but I just ran across this issue with my deployment.
Not only do I have two U2F keys, but also a 2FA. Would be nice to have 2FA and U2F.

If I lose my phone, at least I have my master and general use U2F available to get me in.