Slaro

Reputation: 21

FIDO U2F on a site with changing hostnames/IP addresses

I have a situation where I want to implement FIDO U2F (using a YubiKey) on the administrative interface of a load balancer, so that after login, in order to administer the system, U2F must be used as an extra layer of authentication.

Over the life span of the system, it's common for the IP address and the hostname used to access it to change (e.g. at one point it's https://192.168.0.20/, then it's https://lb-admin.company.com/, then it's something else, etc.).

The problem is that a key is registered against an appId (the URL of the site), and then the appId is encoded in the keyHandle. Is there a way to allow multiple appIds, or even to remove the appId restriction when you register a key?

In other words: register one YubiKey and then use it from any entry point of the web site, even if the website is accessed using an IP address or a domain that is different from the one with which the key was initially registered?

Upvotes: 2

Views: 771

Answers (1)

Frederic MARTIN

Reputation: 114

Yes, you can make a registered U2F key work with different hostnames by using several subdomains... so it can be lb-admin.company.com and lb-login.company.com and whatever.company.com and so on. (Don't use an IP.)

In order to do so, your AppId reference should point to an online JSON file that will be processed as a TrustedFacetList.

Real-world example... Here is the official GitHub AppID implementing this: https://github.com/u2f/trusted_facets

All details and rules are described here: FIDO AppID and Facet Specification (FacetID) https://fidoalliance.org/specs/fido-u2f-v1.0-ps-20141009/fido-appid-and-facets-ps-20141009.html

Upvotes: 2
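As an added example (not part of either post), here is a Python sketch of a trusted-facets document for the asker's scenario, together with the two checks that make it work safely: the filtering a FIDO client applies to the list (version 1.0 entries, HTTPS origins, same eTLD+1 as the AppID, approximated here with the last two DNS labels) and the server-side check that the origin inside a U2F response's clientData is one of those facets. The AppID URL, the hostnames and the clientData are constructed values.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed example. APP_ID is the HTTPS URL that serves this JSON document
# (Content-Type application/fido.trusted-apps+json); "ids" lists every
# hostname the admin UI is reachable through. IP-address origins are omitted.
APP_ID = "https://company.com/u2f/trusted_facets.json"
TRUSTED_FACETS = {"trustedFacets": [{
    "version": {"major": 1, "minor": 0},
    "ids": ["https://lb-admin.company.com", "https://lb-login.company.com",
            "https://company.com"]}]}

def registrable_domain(host):
    # Simplification: the last two DNS labels stand in for eTLD+1. A real
    # deployment must consult the Public Suffix List (co.uk, github.io, ...).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else None

def normalise_origin(url):
    # A web facet ID is an origin: https + host (+ non-default port), no path.
    # IP literals are rejected: they have no eTLD+1 to tie them to the AppID.
    p = urlsplit(url)
    if p.scheme != "https" or not p.hostname:
        return None
    try:
        ipaddress.ip_address(p.hostname)
    except ValueError:
        port = f":{p.port}" if p.port and p.port != 443 else ""
        return f"https://{p.hostname.lower()}{port}"
    return None

def valid_facets(doc, app_id):
    """Facets a client may honour: v1.0 entries, https origins, AppID's registrable domain."""
    app_domain = registrable_domain(urlsplit(app_id).hostname)
    allowed = set()
    for entry in doc.get("trustedFacets", []):
        if entry.get("version") != {"major": 1, "minor": 0}:
            continue
        for origin in map(normalise_origin, entry.get("ids", [])):
            if origin and registrable_domain(urlsplit(origin).hostname) == app_domain:
                allowed.add(origin)
    return allowed

def client_data_origin_ok(client_data_json, app_id=APP_ID, doc=TRUSTED_FACETS):
    # Server side: client_data_json is the decoded clientData from a U2F
    # response; its "origin" must be one of the AppID's valid facets.
    origin = normalise_origin(json.loads(client_data_json).get("origin", ""))
    return origin in valid_facets(doc, app_id)
```

Because the key handle stays bound to the single AppID URL, adding or renaming a hostname later only requires editing the served JSON, not re-registering keys.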
