Unable to add multiple keys or TOTP #44

Open
Firesphere opened this issue Sep 15, 2019 · 3 comments

@Firesphere

Firesphere commented Sep 15, 2019

As a user

I would like to set up multiple different keys and/or TOTP apps

Because

I might have a work phone and home phone I want to set up together, or a personal key and a work key that I want to set up together

So that

I can log in from work and home, without having to worry about my work or home MFA method, e.g. if I forget my personal phone but do have my work phone, I do not lose the capability to log in

@ScopeyNZ
Contributor

Yep, I agree this is a good feature. You can technically share the QR code with multiple devices when you register, but it's awkward because you need all the devices at the time of registration, and adding a new one means you have to re-register the old ones.

I've put this as a change/minor, but if somebody implements it, beware that the implementation will probably have to change how the secret is stored in the RegisteredMethod - but this should be done in a non-breaking way. This might be as simple as something like:

// Treat a legacy single stored secret as a one-element list
$data = $registeredMethod->data;
if (!is_array($data)) {
    $data = [$data];
}
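
As an added illustration (not part of the thread and not the project's code), the PHP below carries the normalisation suggested in the comment above through to verification: a submitted TOTP code is checked against every stored secret, whether the record holds the legacy single value or a list. The function names are hypothetical, and it assumes secrets are available as raw bytes and that only the current 30-second step is accepted.

```php
<?php
// Added example: all function names are hypothetical, not the project's API.

/** Accept the legacy single-secret value or the newer list form. */
function normaliseSecrets($storedData): array
{
    if ($storedData === null || $storedData === '') {
        return [];
    }
    return is_array($storedData) ? array_values($storedData) : [$storedData];
}

/** RFC 6238 TOTP (HMAC-SHA1, 6 digits) for a raw binary secret. */
function totp(string $secret, int $time, int $step = 30): string
{
    $counter = pack('J', intdiv($time, $step));        // 64-bit big-endian counter
    $hash = hash_hmac('sha1', $counter, $secret, true);
    $offset = ord($hash[19]) & 0x0f;                    // dynamic truncation (RFC 4226)
    $bin = unpack('N', substr($hash, $offset, 4))[1] & 0x7fffffff;
    return str_pad((string) ($bin % 1000000), 6, '0', STR_PAD_LEFT);
}

/** Return the index of the registered device that matches, or null. */
function verifyAgainstAll($storedData, string $code, int $time): ?int
{
    $match = null;
    foreach (normaliseSecrets($storedData) as $i => $secret) {
        // Compare in constant time and check every secret (no early exit),
        // so response timing does not reveal which device matched.
        if (hash_equals(totp($secret, $time), $code) && $match === null) {
            $match = $i;
        }
    }
    return $match;
}

// Constructed sample data: the RFC 6238 test secret plus a made-up second device.
$legacy = '12345678901234567890';
$multi  = ['work-phone-secret-0001', '12345678901234567890'];
$code   = totp('12345678901234567890', 59);

var_dump(verifyAgainstAll($legacy, $code, 59));   // legacy scalar record
var_dump(verifyAgainstAll($multi, $code, 59));    // list record, second device
var_dump(verifyAgainstAll($multi, '000000', 59)); // code that matches no device
```

Returning the matching index lets the caller log which device was used and revoke a single lost device without re-registering the others.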

@Firesphere
Author

I would put this as an impact/major. Because, for example, the FIDO Alliance agrees that "people can have multiple keys"

Restricting it to a single key (whichever it is, TOTP, Yubikey, etc.) is literally breaking the rule of being agnostic to the keys themselves.

@ScopeyNZ
Contributor

ScopeyNZ commented Sep 17, 2019

I agree about impact/major for having multiple u2f keys - but not for TOTP keys. I think there's a separate issue for u2f keys on the webauthn repo.
