I have one of the Yubikey 5C devices which I use as a physical 2FA on certain services that support it.

I'm curious whether the token the Yubikey generates can be used to track me across services or across different accounts on the same service.
For example, imagine I have two accounts with some provider which I want to ensure aren't at all linked/associated with each other.

Both of these accounts use unique emails via SimpleLogin aliases, unique info, passwords, etc.

I use Firefox containers to make sure login sessions for both of these accounts in the browser are always completely isolated.

Now, imagine I turn on 2FA and use the SAME physical Yubikey to set it up -> I'm not fully clear how the Fido Yubikey protocol works, but it looks like some character token is sent to the provider for authentication -> are these unique per set-up or the same for one Yubikey? Can the service provider associate accounts that way?

To add more technical specifics to my question after some light research: the FIDO protocol looks like, during the REGISTRATION ceremony, after getting the public and private keys sent to the user, the user sends back the key handle (created using both keys) as well as a certificate.

I know this certificate includes manufacturer, date of manufacture, what protocols the Yubikey supports, etc.

What I'm not sure about is whether this certificate also includes a unique physical key ID of sorts? In that case, the service could use that as a unique identifier and be able to link both accounts that use the same key.

I know that no secrets are shared, and that the key handle is generated from the public and private key per registration, so is unique even for multiple registrations under a single service.
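The question above turns on which values a relying party actually receives in a registration ceremony and which of them stay constant across registrations. The following is an added example, not code from the post and not Yubico's implementation: a toy model of a U2F/FIDO-style authenticator in which the key handle is a per-registration nonce plus a MAC under a device-held master secret, each registration gets its own key pair, and the attestation certificate contents are assumed to be shared by a whole batch of devices (the privacy design the FIDO specifications call for). Real EC key pairs and signatures are replaced by HMAC/SHA-256 stand-ins so the model runs on the standard library alone; the `ToyAuthenticator`, `Registration` and `shared_fields` names and the constructed certificate fields are all assumptions of this example.

```python
"""Toy model of a FIDO/U2F-style registration and authentication ceremony.

Added example, not code from the original post and not Yubico's firmware.
It shows which values a relying party (RP) stores per registration and which
of them are identical across two accounts backed by the same device.
Key pairs and signatures are HMAC/SHA-256 stand-ins (modelling assumption).
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Registration:
    """What the RP keeps after one registration ceremony."""
    key_handle: bytes   # opaque blob only the issuing authenticator can use
    public_key: bytes   # fresh per registration (stand-in for an EC key)
    attestation: dict   # attestation certificate contents as seen by the RP


class ToyAuthenticator:
    NONCE_LEN = 32

    def __init__(self, attestation: dict, master_secret: Optional[bytes] = None):
        # One master secret per physical device; it never leaves the device.
        self.master_secret = master_secret or secrets.token_bytes(32)
        # Assumption: the certificate is a batch certificate shared by many
        # devices, so it carries no per-device serial or identifier.
        self.attestation = dict(attestation)

    def _kdf(self, label: bytes, app_id: str, nonce: bytes) -> bytes:
        return hmac.new(self.master_secret,
                        label + app_id.encode() + nonce,
                        hashlib.sha256).digest()

    def register(self, app_id: str, nonce: Optional[bytes] = None) -> Registration:
        """Registration ceremony: mint a fresh credential bound to app_id."""
        nonce = nonce or secrets.token_bytes(self.NONCE_LEN)
        private_key = self._kdf(b"key", app_id, nonce)
        # key handle = nonce || MAC(app_id, nonce): lets the device recognise
        # its own handle later and refuse one re-targeted at another origin.
        key_handle = nonce + self._kdf(b"mac", app_id, nonce)
        public_key = hashlib.sha256(b"pub" + private_key).digest()  # stand-in
        return Registration(key_handle, public_key, dict(self.attestation))

    def authenticate(self, app_id: str, key_handle: bytes,
                     challenge: bytes) -> Optional[bytes]:
        """Authentication ceremony: sign the challenge if the handle is ours."""
        nonce, mac = key_handle[:self.NONCE_LEN], key_handle[self.NONCE_LEN:]
        if not hmac.compare_digest(mac, self._kdf(b"mac", app_id, nonce)):
            return None  # foreign device or wrong origin: no signature
        private_key = self._kdf(b"key", app_id, nonce)
        return hmac.new(private_key, challenge, hashlib.sha256).digest()  # stand-in


def shared_fields(a: Registration, b: Registration) -> List[str]:
    """Fields identical across two registrations: the RP's only linking candidates."""
    shared = []
    if a.key_handle == b.key_handle:
        shared.append("key_handle")
    if a.public_key == b.public_key:
        shared.append("public_key")
    if a.attestation == b.attestation:
        shared.append("attestation")
    return shared


def demo() -> dict:
    """Two accounts on one device vs. two devices from the same batch."""
    batch_cert = {  # constructed sample certificate contents
        "manufacturer": "ExampleCo",
        "protocols": ["U2F", "FIDO2"],
        "batch": "constructed-batch-id",
    }
    device = ToyAuthenticator(batch_cert)
    account_1 = device.register("https://service.example")
    account_2 = device.register("https://service.example")
    other_device = ToyAuthenticator(batch_cert)
    account_3 = other_device.register("https://service.example")
    return {
        "same_device": shared_fields(account_1, account_2),
        "different_device_same_batch": shared_fields(account_1, account_3),
    }


if __name__ == "__main__":
    print(demo())  # both cases share only the attestation certificate
```

In this model the key handle and public key are fresh per registration, so two accounts set up with the same device look exactly like two accounts set up with two different devices from the same batch: the only field the RP sees repeated is the attestation certificate, which narrows the device down to its batch and product line, not to one physical key. The practical check for the question above is therefore to inspect the attestation certificate a given key returns (its subject, serial and extensions) rather than the key handle.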