DavidW wrote:
If you use a Yubicloud credential - either the one loaded into a new Yubikey at the factory or one you generate yourself using the personalisation tool - it is theoretically possible for Yubico to gather a list of which servers are submitting requests relating to that credential to the Yubicloud.
If Yubico keep records of the serial numbers of Yubikeys they supply, this might give them a hint as to who is using a factory provisioned Yubicloud credential, which contains the key's serial number. Other than that, Yubico does not have any way of tying that credential to an individual or a role unless the credential has been used on a Yubico service.
I've used my Yubikey Neo here on the forums, on the Yubico store, on the Yubico demonstration service and at LastPass. Yubico could tie that credential to me from my registration with these forums or their store, so they could work out I'm also a LastPass user.
I've got other Yubikeys that have not been used on a Yubico service, so all Yubico could do is work out which services that credential has been used with.
Yubico have no way of knowing whether or when a credential has been passed to someone else. For example, I could unregister a Yubikey from my LastPass account and give that Yubikey to a friend who used it for her LastPass account. Yubico would have no way of knowing I'd given that Yubikey away.
If you do not use Yubicloud, Yubico have no way of tracing the use of a Yubikey. I have an OATH-HOTP credential in slot 2 of my Neo that is nothing whatsoever to do with Yubico. Yubico has no way of knowing whether I hold that credential on a Yubikey or on a mobile phone app like Google Authenticator.
In simple terms, it isn't the use of the Yubikey hardware that might allow any sort of tracing, but the use of the credential(s) you use with the hardware.
Sorry to get back at you so late.
This answer doesn't really inspire me with great confidence in Yubico/yubikeys. As I understand, using a Yubikey (with the standard OTP) is basically a diary of which sites a specific user frequents.