9

If I use the same U2F key for two accounts on some service, could the service detect that and match the accounts?

Equivalently, if I used the same U2F key for two different services, could the services collude to match accounts between them?

Colonel Panic

1 Answer

6

Assuming your device supports the generation and use of multiple keys, identifying information is not shared across services by the use of U2F.

You will likely find the following comment from Yubico to be interesting:

Each user can also choose to have multiple identities, including anonymous (no personal information associated with the identity). A U2F device generates a new pair of keys for every service, the public key is only stored on the specific service it connects to. With this approach no secrets are shared among service providers, and even low-cost U2F devices can support any number of services.

Google's FAQ regarding U2F devices provides a similar answer:

Is my privacy protected when I use my Security Key with multiple websites?

Since a Security Key can work with multiple websites, the FIDO U2F protocol was designed from the ground-up to ensure user privacy. A Security Key device cannot be queried for a unique identifier that could be used to track a user across multiple sites. Instead, a Security Key registers a unique credential with each website that it’s used with. These credentials are designed such that the websites cannot "compare notes" and identify the same user across websites by their Security Key.

Austin Hartzheim
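To make the "new pair of keys for every service" claim concrete, here is an added example (not code from the answer, Yubico or Google) of the key-handle scheme U2F devices with limited storage commonly use: a single master secret never leaves the device, and the per-service private key is re-derived from that secret, the service's app ID and a fresh nonce, so each service receives only an unrelated P-256 public key plus an opaque handle. The master secret, app IDs and nonces below are constructed for the demonstration; the curve arithmetic is a minimal teaching implementation, not constant-time.

```python
import hashlib, hmac, os

# NIST P-256 domain parameters (the curve behind U2F's ES256 keys).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def point_add(p1, p2):
    """Affine point addition on P-256 (None is the point at infinity)."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def point_mul(k, pt):
    """Double-and-add scalar multiplication (teaching code, not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt, k = point_add(pt, pt), k >> 1
    return acc

def prf(master, label, app_id, nonce):
    return hmac.new(master, label + app_id.encode() + nonce, hashlib.sha256).digest()

def register(master, app_id, nonce=None):
    """Returns what the service stores: (key_handle, public_key). The handle is nonce||MAC; it carries no device-wide identifier."""
    nonce = nonce or os.urandom(32)
    d = int.from_bytes(prf(master, b"priv", app_id, nonce), "big") % (N - 1) + 1
    handle = nonce + prf(master, b"auth", app_id, nonce)[:16]
    return handle, point_mul(d, G)

def authenticate(master, app_id, handle):
    """Re-derives the per-service private scalar, or None if the handle was not issued by this device for this app ID."""
    nonce, tag = handle[:32], handle[32:]
    if not hmac.compare_digest(tag, prf(master, b"auth", app_id, nonce)[:16]):
        return None
    return int.from_bytes(prf(master, b"priv", app_id, nonce), "big") % (N - 1) + 1
```

Two services (or two accounts on one service) each end up holding a different public key and handle; only the device holding the master secret can connect them, and a handle replayed under another app ID fails the MAC check. In a real device the scalar returned by `authenticate` would sign the service's challenge rather than being returned.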