Yubikey 2FA: Can Providers Track You?


TL;DR

Yes. A provider that uses a Yubikey for two-factor authentication (2FA) can potentially identify you across services if you reuse the same key for multiple accounts. No single provider sees *all* your accounts, but each one can link activity to that specific Yubikey serial number, and that shared identifier is what makes linking possible.

Understanding How Yubikey 2FA Works

When you set up 2FA with a Yubikey, the provider doesn’t store your secret key directly. Instead, they record a unique identifier – the Yubikey’s serial number. When you log in:

1. You insert your Yubikey into your device (or tap it, if NFC is enabled).
2. The Yubikey generates a one-time password (OTP) based on its secret key and a counter.
3. Your device sends the OTP *and* the Yubikey’s serial number to the provider.
4. The provider verifies the OTP against what it expects for that specific serial number.

The serial number is crucial; it’s how the provider knows which key you are using.
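As an added illustration (not code from the post), here is how that identifier is carried: in the Yubico OTP format, the first 12 characters of every OTP are a static public ID that plays the role of the serial number described above, and it is identical in every login at every service. The script groups constructed sample logins by that ID, and also shows a keyed-hash pseudonym a provider could store instead of the raw ID; the service names, OTP strings and secrets are constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

# Yubico OTP = 12 modhex chars of static public ID + 32 modhex chars of token.
MODHEX = "cbdefghijklnrtuv"

# Constructed sample login records (service, otp); the OTPs are made-up strings
# in the right shape, not real key output. Two services see the same public ID.
SAMPLE_EVENTS = [
    ("mail.example", "ccccccbcgujh" + "rnlcrjhuvedictkcuuvfdhhhhbuuvhrr"),
    ("bank.example", "ccccccbcgujh" + "bcdefghijklnrtuvbcdefghijklnrtuv"),
    ("forum.example", "vvgkncutvlrj" + "uvtrnlkjihgfedcbuvtrnlkjihgfedcb"),
]


def split_otp(otp: str) -> tuple[str, str]:
    """Return (public_id, token). Checks shape only; it does not verify the
    token, which a validation server does using the key's AES secret."""
    otp = otp.strip().lower()
    if len(otp) != 44 or any(ch not in MODHEX for ch in otp):
        raise ValueError("not a well-formed Yubico OTP")
    return otp[:12], otp[12:]


def link_by_public_id(events):
    """Group records by public ID: the linkage a party holding data from
    several services (or breach dumps of them) could perform."""
    linked = defaultdict(set)
    for service, otp in events:
        public_id, _token = split_otp(otp)
        linked[public_id].add(service)
    return {pid: sorted(services) for pid, services in linked.items()}


def pseudonymize(public_id: str, provider_secret: bytes) -> str:
    """Keyed hash of the public ID under a per-provider secret. The provider
    can still look up its own user at login, but the stored values of two
    providers no longer join on the raw identifier if a database leaks."""
    return hmac.new(provider_secret, public_id.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    for pid, services in link_by_public_id(SAMPLE_EVENTS).items():
        print(pid, "seen at", services)
    # Same key, two providers, two unrelated stored values.
    print(pseudonymize("ccccccbcgujh", b"mail-secret")[:16])
    print(pseudonymize("ccccccbcgujh", b"bank-secret")[:16])
```

Storing a pseudonym only helps if login logs do not also keep the raw OTP, and validating an OTP still means sending it whole (public ID included) to a validation server, so with YubiCloud validation Yubico itself sees the ID across every service that uses it.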

Why Reusing a Yubikey Can Be Problematic

Account Linking: If multiple providers use Yubikey 2FA, they can potentially link your accounts together based on that serial number. This isn’t necessarily malicious, but it compromises privacy.
Breach Impact: A data breach at one provider could expose the association between your Yubikey’s serial number and your account there. This information could then be used to target you elsewhere.
Correlation Attacks: While rare, sophisticated attackers might try to correlate activity across providers to identify you.

Steps to Mitigate the Risk

Use Separate Yubikeys: The most effective solution is to use a dedicated Yubikey for high-security accounts and another for less critical ones.
Consider Different Slots (Yubikey 5 Series): Some Yubikey models (like the Yubikey 5 series) have multiple slots. You can configure different OTPs on each slot, effectively creating multiple keys within a single device. This is better than reusing the same key across providers but still relies on one physical device.
Check Provider Policies: Review the privacy policies of services you use to understand how they handle Yubikey serial numbers. Look for statements about data sharing or account linking.
Monitor Account Activity: Regularly check your accounts for unusual activity that might indicate someone is trying to access them.

How to Find Your Yubikey Serial Number

You can find your Yubikey’s serial number using the Yubico Authenticator app or through a web browser:

Yubico Authenticator App: Open the Yubico Authenticator app and select your Yubikey. The serial number will be displayed in the device details.
Web Browser Test: Visit https://manager.yubico.com/ and insert your Yubikey. It should display information about it, including the serial number.

You can also use a command-line tool if you have the Yubikey Personalization Tool installed (the ykpers package, which provides the ykinfo command):

ykinfo -a

This will output detailed information about your Yubikey, including its serial number (ykinfo -s prints the serial number alone).

Conclusion

While Yubikeys significantly improve security, reusing them across multiple accounts introduces privacy risks. Using separate keys or slots is the best way to protect yourself from account linking and potential correlation attacks. Always be mindful of provider policies and monitor your account activity for any suspicious behavior.

The post Yubikey 2FA: Can Providers Track You? appeared first on Blog | G5 Cyber Security.
