I'm not really good at technical things, but I am curious. I'm trying, to think this through, how Ledger as Fido U2F work with coupled 3rd party website and how the secret private key stored on Ledger device is still kept secured during the whole process.

As far as I know, Fido U2F uses the same secret private key as the Ledger on Ledger 24 Words seed, which were generated at the beginning. When that 24 word seed is restored to another Ledger device, Fido U2F can work fine on this new device. That means, that there is a deterministic, consistent and universal set of encryption rules there, that say, that Fido U2F uses the secret private key, stored on ledger devices, to authenticate login to linked third-party websites.

I am a newbie and this is my train of thought: Because the secret private key is used to authenticate and send data back to the third party website, does that mean, that the third-party website has information about the encrypted version of my secret private key? Does that mean, that my secret private key really leaves my Ledger device through the process of Fido U2F? Is there a risk, that the encryption can somehow be bypassed? Is there a risk, that the third-party website uses the authentication data sent by Fido U2F, to revert to the original secret private key, stored in my ledger device?

I would like to hear further explanations on this matter.

Notify of
Inline Feedbacks
View all comments