What are the privacy implications of FIDO adoption?

Question

Lately there has been a lot of buzz regarding the adoption of FIDO authentication and the removal of passwords from our lives. I am curious what privacy implications there may be for a FIDO centric future?

ecesena · Accepted Answer

I&rsquo;m not sure I understand the question. Are you asking if 2 sites can link the same user/hardware device? The answer is mostly no.FIDO essentially replaces a password (shared secret between client and server) with public key cryptography. The key pair used depends on the site, so 2 distinct sites will see 2 different public keys even if you use the same hardware device. So the 2 sites won&rsquo;t know, from the public key, that they&rsquo;re talking to the same user.Clearly if you use the same username/email, 2 sites can link you. That&rsquo;s the same with passwords and FIDO.

hsbauauvhabzb · Answer

- vendor lock in- vendors unnecessarily requiring you to provide proof of id- inability to easily replicate tokens- site enforced vendor requirements

lovelearning · Answer

For some situations, it helps to have multiple accounts on the same website while making their IP address and user-agent metadata different using Tor or similar.
I think that won't be easy anymore. Most people have just one phone. If the same phone is used for all accounts, it's easy to associate them to the same person. Technically, it may be possible to anonymize if the authenticator goes to great lengths to implement it. But we're talking about companies like Google here and I don't see them doing that.
(Happy to be corrected if I have misunderstood FIDO.)