Do hardware security keys pose any threat to anonymity?

I’ve been thinking of finally getting myself a couple hardware security keys (particularly from the YubiKey 5 series) so that I can have more convenient and secure MFA options. I skimmed through the Multi-Factor Authentication article from the knowledge base, but I was left wondering if hardware security keys pose any threats to anonymity.

Off the top of my head, here are a few things I’d question as someone who isn’t familiar with exactly how hardware security keys (or many of the protocols they utilize) work.

  1. Do hardware keys contain identifiers which are immutable or unique to each device, such as hardware identifiers? If so, when are they revealed?

  2. Can any of their supported protocols (such as FIDO2/WebAuthn) link different identities together? If not, would that also apply when using different accounts for the same service?

  3. Would users be able to securely wipe any credentials or cryptographic keys stored on the hardware key? If so, can the hardware key safely be used for new credentials/keys without any association with (or memory of) the previous credentials/keys being found on the hardware key?

  4. (Any other possible threats to anonymity?)


FIDO2 was designed with a privacy-first mindset, the entire specification is designed around preventing these threats.

Your computer can identify them based on serial number or other identifiers typically, but those identifiers are never[1] shared with the websites when you use your key.

They can’t be used to link identities together.

Discoverable credentials (Passkeys, which store your username) can be wiped with management software. Typically the tools to do so are baked into your browser. Non-discoverable credentials (typically used for 2FA) aren’t really “stored” on the key in the first place so there’s nothing to wipe, but they also can’t be associated with each other.

[1] Some poorly designed no-brand security keys have been known to share hardware identifiers in the past erroneously. You should use a security key developed by a competent company like YubiKey.
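To make the two claims above concrete (non-discoverable credentials are not stored on the key, and credentials for different sites cannot be linked), here is an added teaching model of the "key wrapping" construction that FIDO2 authenticators commonly use. It is example code written for this thread, not code from the post above, from Yubico, or from any real firmware; the HMAC labels, the 48-byte credential ID layout, and the RP IDs example.com / example.net are constructed for the demo. The key's only persistent secret is one master secret; each credential ID is a fresh random nonce plus a tag binding it to this key and this RP, and the per-site private key is re-derived on demand, so registering with a hundred sites leaves nothing on the key to enumerate, and resetting the master secret makes every old credential ID unrecognisable.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/big"
)

// Credential is all a relying party (website) receives at registration:
// an opaque credential ID and a public key. No serial number is included.
type Credential struct {
	ID        []byte
	PublicKey *ecdsa.PublicKey
}

// Authenticator is a simplified model of a FIDO2 key handling
// non-discoverable credentials. Its only state is masterSecret; it keeps
// no per-site records. (Teaching model, not any vendor's firmware.)
type Authenticator struct {
	masterSecret []byte
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewAuthenticator() *Authenticator { return &Authenticator{masterSecret: randomBytes(32)} }

// Reset replaces the master secret: every credential ID ever issued stops
// being recognised, and no list of them ever existed on the key.
func (a *Authenticator) Reset() { a.masterSecret = randomBytes(32) }

// prf derives bytes from the master secret, the RP ID and a nonce.
func (a *Authenticator) prf(label, rpID string, nonce []byte) []byte {
	mac := hmac.New(sha256.New, a.masterSecret)
	mac.Write([]byte(label + "|" + rpID + "|"))
	mac.Write(nonce)
	return mac.Sum(nil)
}

// deriveKey recomputes the per-credential P-256 private key on demand.
func (a *Authenticator) deriveKey(rpID string, nonce []byte) *ecdsa.PrivateKey {
	curve := elliptic.P256()
	d := new(big.Int).SetBytes(a.prf("key", rpID, nonce))
	d.Mod(d, new(big.Int).Sub(curve.Params().N, big.NewInt(1)))
	d.Add(d, big.NewInt(1)) // scalar in [1, N-1]
	x, y := curve.ScalarBaseMult(d.FillBytes(make([]byte, 32)))
	return &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: curve, X: x, Y: y}, D: d}
}

// MakeCredential registers with an RP. Credential ID = nonce || tag, where the
// tag is an HMAC over (key secret, RP ID, nonce), so IDs for different RPs
// share nothing an observer could correlate.
func (a *Authenticator) MakeCredential(rpID string) Credential {
	nonce := randomBytes(32)
	id := make([]byte, 0, 48)
	id = append(id, nonce...)
	id = append(id, a.prf("tag", rpID, nonce)[:16]...)
	priv := a.deriveKey(rpID, nonce)
	return Credential{ID: id, PublicKey: &priv.PublicKey}
}

// GetAssertion signs a challenge only if the credential ID was issued by this
// key for this RP; another RP's ID, or an ID from before a reset, is rejected.
func (a *Authenticator) GetAssertion(rpID string, credID, challenge []byte) ([]byte, bool) {
	if len(credID) != 48 {
		return nil, false
	}
	nonce, tag := credID[:32], credID[32:]
	if !hmac.Equal(tag, a.prf("tag", rpID, nonce)[:16]) {
		return nil, false
	}
	h := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, a.deriveKey(rpID, nonce), h[:])
	if err != nil {
		return nil, false
	}
	return sig, true
}

// VerifyAssertion is the RP side: check the signature with the stored public key.
func VerifyAssertion(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	key := NewAuthenticator()
	a := key.MakeCredential("example.com")
	b := key.MakeCredential("example.net")
	fmt.Println("example.com ID:", hex.EncodeToString(a.ID))
	fmt.Println("example.net ID:", hex.EncodeToString(b.ID))
	challenge := []byte("constructed challenge") // constructed sample input
	sig, ok := key.GetAssertion("example.com", a.ID, challenge)
	fmt.Println("assertion issued:", ok, "verifies:", VerifyAssertion(a.PublicKey, challenge, sig))
	_, ok = key.GetAssertion("example.net", a.ID, challenge)
	fmt.Println("example.net can use example.com's credential:", ok)
	key.Reset()
	_, ok = key.GetAssertion("example.com", a.ID, challenge)
	fmt.Println("old credential usable after reset:", ok)
}
```

Running it prints two credential IDs with no common bytes, a valid assertion for example.com, a refusal when example.net presents example.com's ID, and a refusal for the old ID after Reset. The thing to notice is what is absent: there is no table of registrations anywhere in the model to wipe or to leak, and nothing in the ID or public key derives from a device serial.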


I wonder what the odds are that privacy-invasive operating systems (like Windows or some versions of Android) collect and share that information.

Would you be able to elaborate on what you’re referring to here? At first I thought you might’ve been referring to TOTP/HOTP but I believe that the YubiKey 5 series stores those forms of 2FA as well.

Oh, I am only referring to FIDO authentication standards. Security keys which do additional things beyond that (like the YubiKey 5) will store other information, but all of that functionality is non-standard so you’d have to refer to the manufacturer’s documentation.

In the case of the YubiKey 5 you should be able to securely reset all the features it provides via their various management tools, yes.


TheHatedOne gives a good explanation of how these keys work.