
I don't think cloneable is a good idea. If some 3rd party clones your token and uses it to commit a crime there is no way to prove that happened.

There are other solutions. Being able to make one key a proxy for another is one. That allows you to keep your master identity in a bank vault, and then use it to "sign" the one you keep on you during the day. Should you lose your daily driver, just sign another one. This still suffers from the "one true name" problem though - if someone steals that bank vault ID, you're gone.

Another approach is servers allowing a client to register multiple IDs, and later delete them. Since there are multiple IDs, there isn't one true name any more. If one is lost you cancel it, and replace it with another. The approach is already built into the FIDO2 protocol, so they've already thought about your concerns and solved them, and IMHO solved them in a better way than you propose.

A more robust approach still would be a combination of the ideas above: FIDO2 multiple IDs solution, plus proxies. One key could then provide multiple IDs to every server you log into, signed by different masters that are stored in different places. Keys can't be copied, but a lost key can be replaced by signing it with the master. A compromised master can have all its IDs dropped by logging in with an ID proxying another master. You could think of it as RAID for 2FAs.
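
The scheme described in the comment above (several registered masters, daily keys that act as signed proxies, per-key and per-master revocation), as an added example that is not part of the thread and is not the FIDO2/WebAuthn API. `RelyingParty`, `certify` and `demo` are hypothetical names, and Ed25519 via Node's built-in `crypto` module is an assumption.

```javascript
// Added illustration. RelyingParty, certify and demo are hypothetical names,
// not FIDO2/WebAuthn APIs. Ed25519 keys are an assumption.
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

const newKey = () => generateKeyPairSync('ed25519');
const pem = (pub) => pub.export({ type: 'spki', format: 'pem' });

// A master key (kept offline) vouches for a daily key by signing its public key.
function certify(master, dailyPub) {
  const dailyPem = pem(dailyPub);
  return { masterPem: pem(master.publicKey), dailyPem,
           sig: sign(null, Buffer.from(dailyPem), master.privateKey) };
}

class RelyingParty {
  constructor() { this.masters = new Set(); this.cancelled = new Set(); }
  registerMaster(masterPem) { this.masters.add(masterPem); }
  revokeMaster(masterPem) { this.masters.delete(masterPem); } // drops all its IDs
  cancelDaily(dailyPem) { this.cancelled.add(dailyPem); }     // one lost key
  // Accept only: registered master, uncancelled daily key, valid proxy
  // signature, and a fresh challenge signed by the daily key.
  login(cert, challenge, response) {
    if (!this.masters.has(cert.masterPem)) return false;
    if (this.cancelled.has(cert.dailyPem)) return false;
    if (!verify(null, Buffer.from(cert.dailyPem), cert.masterPem, cert.sig)) return false;
    return verify(null, challenge, cert.dailyPem, response);
  }
}

function demo() {
  const rp = new RelyingParty();
  const masterA = newKey(), masterB = newKey(); // stored in different places
  for (const m of [masterA, masterB]) rp.registerMaster(pem(m.publicKey));
  const attempt = (cert, key) => {
    const challenge = randomBytes(32); // server-chosen nonce
    return rp.login(cert, challenge, sign(null, challenge, key.privateKey));
  };
  const daily = newKey(), spare = newKey(), thief = newKey();
  const certA = certify(masterA, daily.publicKey);
  const certB = certify(masterB, daily.publicKey);
  const out = { normal: attempt(certA, daily) };
  out.forged = attempt({ ...certB, dailyPem: pem(thief.publicKey) }, thief); // tampered cert
  rp.revokeMaster(pem(masterA.publicKey)); // master A compromised
  out.viaRevokedMaster = attempt(certA, daily);
  out.viaOtherMaster = attempt(certB, daily);
  rp.cancelDaily(pem(daily.publicKey)); // daily key lost
  out.lostKey = attempt(certB, daily);
  out.replacement = attempt(certify(masterB, spare.publicKey), spare);
  return out;
}
```
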



> Being able to make one key a proxy for another is one. That allows you to keep your master identity in a bank vault, and then use it to "sign" the one you keep on you during the day.

Yes, clonable tokens. Exactly.

When people ask for clonable tokens, this is an acceptable solution.

(But skip the bank vault. This is for avg Joe, not Jeff Bezos. The closest safe will do.)



