
Today's fun fact: On cheaper devices (anything cheaper than, say, Yubico's Security Key 2 product, and often even for common uses with products in that range too) there actually isn't ever "more than one key on the physical key". They have a single key baked inside them (typically an AES symmetric key). You can use them to authenticate as you on an unlimited number of sites because they're not actually remembering the private keys used to authenticate, so they don't need to store them anywhere!

Let's watch how that trick is done, starting with a much more expensive device that has plenty of storage, an iPhone.

When you enrol the iPhone as an authenticator, the standard requires it to provide a very large ID number for that enrolment, and it warns implementers that these aren't serial numbers: if they're picking an ID, use random numbers. The iPhone signs a message containing a proof of freshness (random numbers the Relying Party picked), a proof of who the message is for (a hash of the Relying Party's DNS name), and an elliptic curve public key it just picked at random, all signed with the corresponding private key. This is sent to the Relying Party (i.e. a web site) along with the ID number, and enrolment has succeeded. The iPhone just stores all that in Flash because, hey, it has gigabytes of flash storage, so who cares. When you need to authenticate to some web site, the site gives back the ID number, the iPhone finds the right entry in Flash, retrieves the private key and produces a new signed message to authenticate.

However, the ID is so big for a good reason -- a whole elliptic curve private key can fit, with space for an AEAD tag to spare. So instead of gigabytes of flash storage, a $15 FIDO authenticator just uses AES to encrypt the random private key for this site (using the symmetric key baked inside it), and provides that encrypted message as the ID number for the enrolment. Then it can forget the private key! When a site wants you to authenticate later, the site gives back the ID number (always a big random-looking number anyway, remember), and your authenticator decrypts the ID number to get back the private key for that site, signs the authentication message and immediately forgets the private key again.

It's genius. If you came up with this idea independently of reading about FIDO/WebAuthn, congratulations: you might have a future in cryptographic engineering.
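The key-wrapping trick the comment above describes, as an added example that is not code from the comment, from the FIDO/WebAuthn specifications, or from any real authenticator. It is a model of a stateless authenticator built on Go's standard library: the only persistent secret is one AES-256 key, each enrolment generates a fresh P-256 key whose private scalar is sealed with AES-GCM and handed to the Relying Party as the credential ID, and each assertion unwraps that blob, signs, and discards the key. The choice of AES-256-GCM, of the RP ID hash as the associated data (so a phishing domain presenting a stolen credential ID cannot unwrap it), and the simplified signed digest of rpIdHash || challenge are assumptions made for illustration, not the spec's exact wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// Authenticator models a cheap FIDO key (assumed design, not a real product):
// its only persistent secret is one AES-256 key; no per-site keys are stored.
type Authenticator struct {
	masterKey []byte // 32 bytes, baked in at manufacture
}

func NewAuthenticator() (*Authenticator, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &Authenticator{masterKey: k}, nil
}

// rpIDHash is the "proof of who the message is for": SHA-256 of the RP's DNS name.
func rpIDHash(rpID string) []byte {
	h := sha256.Sum256([]byte(rpID))
	return h[:]
}

func (a *Authenticator) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(a.masterKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// MakeCredential generates a fresh P-256 key, wraps its private scalar under the
// master key with the RP ID hash as associated data, and returns the wrapped blob
// as the credential ID together with the public key the RP stores.
func (a *Authenticator) MakeCredential(rpID string) (credentialID []byte, pub *ecdsa.PublicKey, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := a.aead()
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	scalar := make([]byte, 32)
	priv.D.FillBytes(scalar) // fixed-width big-endian private scalar
	// credentialID = nonce || AES-GCM(scalar, aad = SHA-256(rpID)); 12 + 32 + 16 bytes
	credentialID = gcm.Seal(nonce, nonce, scalar, rpIDHash(rpID))
	return credentialID, &priv.PublicKey, nil // priv is dropped here: nothing is kept per site
}

// GetAssertion unwraps the private key from the credential ID the RP sent back,
// signs the RP's challenge, and forgets the key again. A credential ID from another
// authenticator, a tampered one, or one replayed by a different RP (phishing) fails
// the AEAD check and yields no signature.
func (a *Authenticator) GetAssertion(rpID string, credentialID, challenge []byte) ([]byte, error) {
	gcm, err := a.aead()
	if err != nil {
		return nil, err
	}
	if len(credentialID) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("credential ID too short")
	}
	nonce, ct := credentialID[:gcm.NonceSize()], credentialID[gcm.NonceSize():]
	scalar, err := gcm.Open(nil, nonce, ct, rpIDHash(rpID))
	if err != nil {
		return nil, errors.New("unknown credential for this RP")
	}
	priv := new(ecdsa.PrivateKey)
	priv.Curve = elliptic.P256()
	priv.D = new(big.Int).SetBytes(scalar)
	priv.PublicKey.X, priv.PublicKey.Y = priv.Curve.ScalarBaseMult(scalar)
	return ecdsa.SignASN1(rand.Reader, priv, assertionDigest(rpID, challenge))
}

// assertionDigest binds the signature to the RP and to the RP's fresh challenge
// (a simplified stand-in for WebAuthn's authenticatorData || clientDataHash).
func assertionDigest(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write(rpIDHash(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Verify is the Relying Party side: it stored only credentialID and pub at enrolment.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, assertionDigest(rpID, challenge), sig)
}

func main() {
	auth, _ := NewAuthenticator()
	credID, pub, _ := auth.MakeCredential("example.com")
	challenge := []byte("constructed 32-byte RP challenge.") // constructed sample input
	sig, err := auth.GetAssertion("example.com", credID, challenge)
	fmt.Println("assertion verifies:", err == nil && Verify(pub, "example.com", challenge, sig))
	_, err = auth.GetAssertion("evil.example", credID, challenge)
	fmt.Println("phishing RP rejected:", err != nil)
}
```

The RP ID hash as associated data is what makes the credential ID useless to a lookalike domain, and the AEAD tag is what lets the authenticator distinguish its own credential IDs from random junk or another device's; this is why the comment notes there is room for a tag inside the ID.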
