Ask HN: What are the privacy implications of FIDO adoption?
Lately there has been a lot of buzz regarding the adoption of FIDO authentication and the removal of passwords from our lives. I am curious what privacy implications there may be for a FIDO centric future?
9 comments
[ 5.5 ms ] story [ 23.5 ms ] thread- vendors unnecessarily requiring you to provide proof of id
- inability to easily replicate tokens
- site enforced vendor requirements
I'm certain that once governments (and people like Elon) realise that they can do age and ID verification for accessing sites, they will start demanding it.
These devices (with their DRM-like remote attestation and revocation capabilities) are just going to further prepare people to accept the idea that their "security" relies on running unauditable software/hardware to do anything online.
Eventually, ISPs will be mandated to check that you're not running a system with an unlocked bootloader, and then governments only need to instruct the major OS vendors to detect VPNs and Tor and E2EE messengers as being "malware".
FIDO essentially replaces a password (shared secret between client and server) with public key cryptography. The key pair used depends on the site, so 2 distinct sites will see 2 different public keys even if you use the same hardware device. So the 2 sites won’t know, from the public key, that they’re talking to the same user.
Clearly if you use the same username/email, 2 sites can link you. That’s the same with passwords and FIDO.
With FIDO you share email + a signature that doesn’t reveal anything at all.
Privacy aside, the FIDO signature also protects you against phishing as the (hostname of the) url that’s displayed in the browser is part of what it’s signed, so an attacker can’t reuse the signature to log you on a different domain — unlike the password (and other 2FA like otp codes) that can be phished.
I think that won't be easy anymore. Most people have just one phone. If the same phone is used for all accounts, it's easy to associate them to the same person. Technically, it may be possible to anonymize if the authenticator goes to great lengths to implement it. But we're talking about companies like Google here and I don't see them doing that.
(Happy to be corrected if I have misunderstood FIDO.)