How do you request all registered keys and only sign one of them? Well, you need two node packages. u2f for server-side and u2f-api for server-side.

When a user wants to register one of their keys onto your website; your backend must make a request to the browser.

Server-slide script

const u2f = require('u2f'); const APP_ID = "https://..."; // your website URL, must be https /** * Server requesting. You can use Express.js to send the request */ const request = () => u2f.request(APP_ID); /** * @param {{ * version: String, * appId: String, * challenge: String * }} request The request object from the previous function * @param response Response from U2F key */ const verifyRegistration = (request, response) => { const result = u2f.checkRegistration(request, response); if (result.successful) { /** * store the result.publicKey and result.keyHandle * to your user database associated with this user * because we are going to need it later when the user is * logging into your website with the same security key. * I recommend you encrypt the public key and key handle */ } else { // failed }; }; /** * When the user wants to login with the security key * @param {String} userID The user's ID */ const sign = (userID) => { /** * get the user object from your database using the userID * and map all of the user keys into an array */ return userSecurityKeys.map((key) => u2f.request(APP_ID, key.keyHandle)); } const verifyAuthentication = (userID, request, response) => { /** * Quite similar to checkRegistration */ userSecurityKeys.some((key, i, { length }) => { const res = u2f.checkSignature(request, response, key.publicKey); if (res.successful) { // return true to stop the .some from looping to other keys return true } else { if (length - 1 === i) reject({ error: true, status: 400, message: res.errorMessage || 'Not a registered security key' }); }; }) };

Client-side script