The FIDO protocol is unique in that it allows users to register as many credentials to the same account as permitted by a given relying party (RP) site. The only requirement is that, for a specific RP, the credentials must be generated on unique FIDO authenticators—which is not difficult, given that most users have a mobile device and a laptop or desktop computer.
Assuming users acquire a Security Key as a backup (or are given one) to get back into their account if they lose their mobile and/or cannot get to it or their computers, a portable Security Key can also be registered to such accounts.
In some companies, it is entirely feasible that employees may be issued a Security Key as the only portable means to authenticate to specific applications (the company desktop or laptop may also serve as an authenticator if the company’s security policy permits it).
Regardless, users will want the option to be able to add or delete credentials to their accounts at RP sites, as well as modify the “nicknames” (displayName) they give their credentials. Hence, it is recommended that sites build a FIDO Key Management section within their application. In such a situation, it is necessary to have SKFS return a list of all FIDO credentials registered by a user at a specific site.
While the FIDO protocols define operations to register and authenticate users, they don’t necessarily define what kinds of operations an RP company must implement to manage registered FIDO keys.
FIDO keys must be managed much like any other key management infrastructure involving operations, such as:
While some of these operations can be performed on the server side, others can be performed on the client (authenticator) side, too. SKFS supports all of the server-side operations—some that are managed by the RP’s FIDO administrators, and others that can be self-managed by users. Authenticator manufacturers are likely to provide tools to manage credentials on their devices.
To allow applications to enable end users to manage their registered FIDO credentials at RP sites, SKFS provides the getkeysinfo operation to retrieve registered credentials from SKFS so the application can provide appropriate user experience (UX) to support user-managed operations.