Hacker News new | past | comments | ask | show | jobs | submit login

When enrolling physical security keys to my accounts, only Google's process requested extra, identifiable fields in my key, generating a warning in Firefox, which can anonymize these fields.

Google wants to track even my physical security key across sites to track me.

How can I trust their AI systems with my data?




The attestation on (FIDO certified) security keys is a batch attestation, and meant to correspond to a a batch size of at least 100,000.

So they were effectively asking for the make and model.

There are non-certified authenticators which may have unfortunate behaviors here, such as having attestations containing a hardware serial number. Some browsers maintain a list and will simply block attestations from these authenticators. Some will prompt no matter what.

There is also a bit of an 'Open Web' philosophy at play here - websites often do not have a reason to make security decisions around the make and models of keys. Having an additional prompt in a user conversion path discourages asking for information they don't need, particularly information which could be used to give some users a worse experience and some vendors a strong 'first-mover' market advantage.

In fact, the motivator for asking for this attestation is often for self-service account management. If I have two entries for registered credentials, it is nice if I have some way to differentiate them, such as knowing one of them is a Yubico 5Ci while the other is an iPhone.

Many parties (including Google) seem to have moved to using an AAGUID lookup table to populate this screen in order to avoid the attestation prompt. It also winds up being more reliable, as software authenticators typically do not provide attestations today.


Both devices are Yubikey 5 series, and none of the other services asked for anything similar, or triggered any warnings.

Moreover, none of the service providers auto-named my keys with make/model, etc.

> If I have two entries for registered credentials, it is nice if I have some way to differentiate them, such as knowing one of them is a Yubico 5Ci while the other is an iPhone.

First, Google doesn't differentiate the security keys' name even if you allow for that data to be read, plus you can always rename your keys to anything you want, at any of the service providers I enrolled my keys, so it doesn't make sense.

Moreover, Firefox didn't warn me for any other services which I enrolled my keys, and none of them are small providers by any means.

So, it doesn't add up much.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: