YubiKeys Traceability

Hi everybody,

Does Yubico (the seller) know/keep the serial numbers of the YubiKey security keys they sell?

Are they able to link the YubiKeys to the user via serial number?

Are these serial numbers traceable?

Any insights appreciated.
Thank you

Check what payment methods your local authorized reseller accepts.

The one near me accepts 5 different cryptocurrencies, or you can turn up in person and pay in cash

Obviously consider the privacy issues for shipping or CCTV in person as well

1 Like

Unique identifiers cannot be detected by websites you use the YubiKey with, the FIDO2/U2F protocol is designed with this privacy in mind.

3 Likes

Just get an open source hardware wallet that also supports U2F and FIDO2.
This also comes with the benefit that you can properly back it up.

2 Likes

These YubiKeys should be sold at brick-and-mortar Stores.

Identity correlation is possible if you use the same YubiKey for U2F authentication with different accounts.

The YubiKey has a single counter for all U2F sites (explicitly allowed by the standard), so the initial counter for a new registration might be 0, or it might be greater than zero.

Example of single-service identity correlation:

  • Authenticate with some BigTechCorp as Alice, counter is 42.
  • Authenticate with some BigTechCorp as Bob, counter is 43.
  • Authenticate with some BigTechCorp as Alice, counter is 44.
  • The BigTechCorp might assume that Alice and Bob are the same person.

Example of cross-service identity correlation:

  • Authenticate with some BigTechCorp as Alice, counter is 52.
  • Authenticate with some AnotherBigTechCorp as Bob, counter is 53.
  • Authenticate with some BigTechCorp as Alice, counter is 54.
  • If both big tech corps collaborate and share data with each other, they might assume that Alice and Bob are the same person.

1 Like
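The two correlation scenarios in the post above, replayed in a small model (an added example, not code from the thread or from Yubico). It contrasts an authenticator with one global signature counter shared by every registration against one that keeps an independent counter per credential, and runs both through a simple data-holder heuristic. The relying-party names come from the post; the starting counter value, the credential ids and the heuristic itself are constructed assumptions.

```python
"""Toy model of U2F/FIDO2 signature-counter correlation (added example).

Shows why a single global counter lets accounts be linked, within one relying
party or across collaborating ones, and why per-credential counters do not
leak the same signal. Names, counter start value and the heuristic are
constructed for illustration.
"""

from collections import defaultdict
from itertools import combinations


class Authenticator:
    """Minimal model of an authenticator's signature counter.

    per_credential=False: one counter shared across all registrations
    (the behaviour the post describes; permitted by the standard).
    per_credential=True:  an independent counter for each registered credential.
    """

    def __init__(self, per_credential, start=41):
        self.per_credential = per_credential
        self._global = start               # constructed: first assertion yields 42
        self._per_cred = defaultdict(int)  # per-credential counters start at 0

    def sign(self, credential_id):
        """Return the counter value that would be embedded in the signed assertion."""
        if self.per_credential:
            self._per_cred[credential_id] += 1
            return self._per_cred[credential_id]
        self._global += 1
        return self._global


def authenticate(auth, observations, rp, account):
    """One login: relying party `rp` records the counter it saw for `account`."""
    # Constructed credential id; real ones are opaque, per-registration handles.
    credential_id = f"{rp}:{account}"
    observations.setdefault((rp, account), []).append(auth.sign(credential_id))


def likely_same_key(seq_a, seq_b):
    """Heuristic a data holder might apply: two accounts look like one
    authenticator when their observed counters merge into a sequence with no
    repeated value and the logins actually interleave (Alice, Bob, Alice).
    It is only a signal: two unrelated keys can happen to interleave too,
    which is why the post says the corps 'might assume'."""
    merged = sorted((c, label) for label, seq in (("a", seq_a), ("b", seq_b)) for c in seq)
    counters = [c for c, _ in merged]
    if len(set(counters)) != len(counters):
        return False  # a value seen twice cannot come from one increasing counter
    labels = [label for _, label in merged]
    switches = sum(1 for x, y in zip(labels, labels[1:]) if x != y)
    return switches >= 2


def correlate(observations, visible_rps=None):
    """Return account pairs flagged as probably sharing a key. `visible_rps`
    restricts the view to the data one party (or a group of collaborating
    parties) actually holds."""
    items = [(acct, seq) for acct, seq in observations.items()
             if visible_rps is None or acct[0] in visible_rps]
    return {frozenset([a, b]) for (a, sa), (b, sb) in combinations(items, 2)
            if likely_same_key(sa, sb)}


def run_scenario(per_credential, cross_service):
    """Replay the post's login order; Bob uses another RP when cross_service."""
    auth = Authenticator(per_credential=per_credential)
    observations = {}
    bobs_rp = "AnotherBigTechCorp" if cross_service else "BigTechCorp"
    authenticate(auth, observations, "BigTechCorp", "Alice")
    authenticate(auth, observations, bobs_rp, "Bob")
    authenticate(auth, observations, "BigTechCorp", "Alice")
    return observations, correlate(observations)


if __name__ == "__main__":
    for per_cred in (False, True):
        for cross in (False, True):
            obs, flagged = run_scenario(per_cred, cross)
            print(f"per_credential={per_cred} cross_service={cross}: {obs} -> {flagged}")
    # In the cross-service case a single RP on its own only sees Alice.
    obs, _ = run_scenario(False, True)
    print("BigTechCorp alone:", correlate(obs, visible_rps={"BigTechCorp"}))
```

With the global counter, both scenarios flag Alice and Bob as one key (42, 43, 44 as in the post), but in the cross-service case only when the two parties pool their observations; BigTechCorp alone holds just Alice's 42 and 44 and flags nothing. With per-credential counters every credential starts from its own zero, so Alice's and Bob's sequences both contain 1 and the heuristic rejects them, which is the mitigation the thread's other replies allude to when they point at authenticators designed with this privacy property in mind.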