Add ability to identify an already enrolled U2F device.

[gbdlin]

Summary

Add ability to identify an already enrolled U2F device.

Motivation

After the #24001 issue occurred, some users can find themselves in the state of having their U2F devices unidentifiable by their names. Such situation cannot be currently solved without removing all U2F devices at once and enrolling them again or removing all U2F devices but one and checking which device can be successfully used in the log in process. This also involves some risk, if user wants to remove the device he doesn't have access to anymore and by mistake he will leave only this inaccessible device enrolled and he will be logged out either because he wants to test which device is still enrolled or because his session has expired.

Additional Context

It should be accomplished either by providing a timestamp of when the device was last used or by adding a button above or below the list of enrolled U2F devices for the account. After pressing the button, user should be asked to use their device as in the process of logging in. After a valid device for user's account was used, it should be highlighted on the devices list or its name should be presented to the user.

[BYK]

Pinging @getsentry/enterprise for triage

[leedongwei]

@gbdlin Thanks for the report! I agree with the premise that a user should be able to easily identify their last-used U2F device. I'll work with product to figure something out here.

[leedongwei]

Fixed by #29276

Some clarity on this fix. We are able to stop the duplicated enrollment of the same U2F device. However, we would not be able to identify the key (i.e. if you have two devices enrolled, we would not be able to tell you which one it is) due to the way U2F API works.

The PR should be included in the next release (v21.11.0).

[gbdlin]

Some clarity on this fix. We are able to stop the duplicated enrollment of the same U2F device. However, we would not be able to identify the key (i.e. if you have two devices enrolled, we would not be able to tell you which one it is) due to the way U2F API works.

@leedongwei Please clarify. As the sign verification has to be performed for the correct U2F device, information about which device was used for the authentication must be passed to the server, together with the signed challenge. It may not be possible purely in JS on the frontend side, but it has to be possible in general. Other websites, like google, can report when a specific U2F device was recently used and such feature should allow to identify devices in case mentioned in my first message.

#29276 doesn't fix this issue. After this change, user still may end up in a situation when he no longer has control over one of U2F devices, but he can't identify which one was lost and either can't remove such device without guessing or when his guess was incorrect, he may lock himself from the account.