Can a provider allowing 2FA with a Yubikey identify me if I use the same key for different accounts?

All we need is an easy explanation of the problem, so here it is.

I was wondering if someone providing a service can identify me (other than by IP, browser fingerprinting etc.) purely based on the code generated by the Yubikey when I touch it, if I use the same Yubikey on two different accounts.

I.e. will the provider know implicitly that the same Yubikey was used?

How to solve :

I know you bored from this bug, So we are here to help you! Take a deep breath and look at the explanation of your problem. We have many solutions to this problem, But we recommend you to use the first method because it is tested & true method that will 100% work for you.

Method 1

With Yubikey’s alphanumeric one-time passwords, yes:

Each Yubikey had a unique public identifier. The authentication server must know this ID in order to select the correct AES key for the OTP. The proprietary Yubico OTP protocol should no longer be used.

With FIDO U2F, no:

The Yubikey creates a unique keypair for each combination of device+user+service. This is described in the Registration section. The FIDO protocol is newer and focuses on both secure authentication and user privacy.

Note: Use and implement method 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply