Good question!
A core property of FIDO2 is authenticating the *origin* (are you connected to the right site, or a copycat). The daily benefit of this protection is intended to be worth the trade-off of requiring diligence in retaining possession of the key.
Also, the idea is that loss of the key would be noticed quickly enough that the key could be revoked.
Finally, putting a PIN on a "leave-in" / installed key (which is a PIN for the *key*, not for individual sites) is a reasonable way to mitigate the risk of the window of time between the loss/theft of the key and when it can be revoked.
#YubiKey
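
As an added illustration (not part of the original post), this sketch shows the relying-party checks behind the two points above: the browser-reported origin and RP ID hash must match the real site, and the user-verified flag shows the key's PIN was used. The origin, RP ID and sample inputs are constructed assumptions.

```python
import hashlib
import json

# Assumed relying-party values (hypothetical, for illustration only).
EXPECTED_ORIGIN = "https://login.example.com"
RP_ID = "example.com"
FLAG_UP = 0x01  # user present (touch)
FLAG_UV = 0x04  # user verified, e.g. the key's PIN was entered


def check_assertion(client_data_json, authenticator_data, require_uv=True):
    """Return reasons to reject; an empty list means these checks pass.

    Challenge and signature verification are also required; omitted here.
    """
    problems = []
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        problems.append("wrong ceremony type")
    # The browser, not the page, fills in the origin, so a copycat
    # site cannot present itself as the real one.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin mismatch")
    if len(authenticator_data) < 37:
        return problems + ["authenticator data too short"]
    # Bytes 0..31 are the SHA-256 of the RP ID the key signed for.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash mismatch")
    flags = authenticator_data[32]
    if not flags & FLAG_UP:
        problems.append("user not present")
    if require_uv and not flags & FLAG_UV:
        problems.append("user not verified (no PIN)")
    return problems


def make_sample(origin, rp_id, flags):
    """Build constructed sample inputs (not captured from a real key)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": "Y29uc3RydWN0ZWQ", "origin": origin}).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
                 + (7).to_bytes(4, "big"))  # constructed signature counter
    return client_data, auth_data


if __name__ == "__main__":
    print(check_assertion(*make_sample(EXPECTED_ORIGIN, RP_ID, FLAG_UP | FLAG_UV)))
    print(check_assertion(*make_sample("https://login.examp1e.com", "examp1e.com", FLAG_UP | FLAG_UV)))
    print(check_assertion(*make_sample(EXPECTED_ORIGIN, RP_ID, FLAG_UP)))
```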