
My question is about identity-theft vulnerabilities of data on hardware security keys [also called: "hardware security token", "hardware token", "hardware authentication device"] with a built-in biometric sensor.

Is the biometric data on hardware security keys with biometrics typically not passed to the laptop on which it is used? In other words, is it impossible for a hacker to steal your biometric data by means of remotely hacking into the laptop and taking full control of it? Even when the hardware security key is in the laptop? (To be clear: the hacker does not physically possess the hardware security key; he tries to access its data remotely through the user's laptop.)

Examples of such keys include:

I imagine that some kind of zero-knowledge (challenge-response) protocol can be used to achieve this. This way the biometric data does not have to leave the hardware key, while it can be used to authenticate. Do all prevalent hardware security keys with biometrics do this, or are there known exceptions?

Thank you so much!

Jameeyo
    As far as I know, biometric protected tokens don't have an interface or method to export the biometric data. That would turn them into fingerprint scanners too. – ThoriumBR Aug 16 '21 at 16:40

0 Answers