I’m not sure I understand the question. Are you asking if 2 sites can link the same user/hardware device? The answer is mostly no.

FIDO essentially replaces a password (shared secret between client and server) with public key cryptography. The key pair used depends on the site, so 2 distinct sites will see 2 different public keys even if you use the same hardware device. So the 2 sites won’t know, from the public key, that they’re talking to the same user.

Clearly if you use the same username/email, 2 sites can link you. That’s the same with passwords and FIDO.

Thanks for the background! That's helpful, I guess my question is more centered around the potential pitfalls of linking a physical device to a login, because that device contains a plethora of personal data it would seem we are required to expose much more information to sign up for a service, much like logging in with facebook shares additional data with the service in a non transparent manner?

On your FIDO key there's no data stored, not even the keys to connect to fb. When fb makes a request the (private) key is derived from the master secret (the only thing stored) and the signature is made.

Ah interesting! Thats cool :) Aside from the FIDO transaction itself (which from your description sounds not to shabby) would you say then that passwords and FIDO are equivalent in terms of exposure of personal information? I guess I figured the location aspect seemed like a differentiating factor.

FIDO is strictly better: with “password” you share your email + password with the server. If you use the same password on another site, the server knows your password. You may trust the server, but in case of a leak you’re doomed.

With FIDO you share email + a signature that doesn’t reveal anything at all.

Privacy aside, the FIDO signature also protects you against phishing as the (hostname of the) url that’s displayed in the browser is part of what it’s signed, so an attacker can’t reuse the signature to log you on a different domain — unlike the password (and other 2FA like otp codes) that can be phished.

- vendor lock in

- vendors unnecessarily requiring you to provide proof of id

- inability to easily replicate tokens

- site enforced vendor requirements

That's a great summary, thank you.

I'm certain that once governments (and people like Elon) realise that they can do age and ID verification for accessing sites, they will start demanding it.

These devices (with their DRM-like remote attestation and revocation capabilities) are just going to further prepare people to accept the idea that their "security" relies on running unauditable software/hardware to do anything online.

Eventually, ISPs will be mandated to check that you're not running a system with an unlocked bootloader, and then governments only need to instruct the major OS vendors to detect VPNs and Tor and E2EE messengers as being "malware".

Yes this seems particularly scary to me, vendor lock in seems to be more and more ubiquitous. I understand passwords have their pitfalls like phishing and reuse but FIDO's bluetooth / close device detection seems very invasive and potentially flawed.

For some situations, it helps to have multiple accounts on the same website while making their IP address and user-agent metadata different using Tor or similar.

I think that won't be easy anymore. Most people have just one phone. If the same phone is used for all accounts, it's easy to associate them to the same person. Technically, it may be possible to anonymize if the authenticator goes to great lengths to implement it. But we're talking about companies like Google here and I don't see them doing that.

(Happy to be corrected if I have misunderstood FIDO.)