
> What happens when you lose or break your security key, is your PC locked forever, or will it stay that way until they send you a replacement?

You register two security keys (which both have a separate private key) and keep one of them somewhere safe. Then if your main one breaks you switch to key 2 to log in and register key 3 as your new backup key. This is done for e.g. Google's Advanced Protection Program [1].

> I had a chat with a spokesman from a bank; they had similar technology for a credit card. Basically, what he said is that the key factor is time

Yeah, that sounds about right for a bank which will have a much different threat model than a login for a website or my computer.

> But if they can send you a replacement, that means that "the company" (read government services) have a sort of master key for your PC (they have a fingerprint database)

They very likely can't. These devices essentially generate a private key that is never able to leave the security key without major hardware attacks. The fingerprint is also just stored on the device to be able to unlock this secret key. It is never transmitted to the computer or anywhere else and it also isn't used to create the private key.

Essentially this key implements WebAuthn [2] (and similar technologies) and only allows access to the secret key after the fingerprint has been verified.

There could of course be backdoors in the key generation algorithm (think Dual_EC_DRBG). Once your threat model includes actors capable of backdooring modern encryption hardware and algorithms, they probably have much easier ways of getting to your data though.

[1] https://landing.google.com/advancedprotection/

[2] https://webauthn.io
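
The two-key registration and recovery flow described in the comment above, as an added example that is not part of the original post: a simplified Node.js model of challenge-response login, not the real WebAuthn message format. `SecurityKey`, `Account` and `lostKeyScenario` are hypothetical names, and removing the lost key from the account is an assumed extra step.

```javascript
const crypto = require('node:crypto');

// Hypothetical stand-in for a hardware key: the private key is created inside
// the object and only the public half is ever exported.
class SecurityKey {
  #privateKey;
  constructor() {
    const { privateKey, publicKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.#privateKey = privateKey;
    this.publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
    this.id = crypto.createHash('sha256').update(this.publicKeyPem)
      .digest('hex').slice(0, 16);
  }
  // The fingerprint match happens on the device; only a signature comes out.
  sign(challenge, fingerprintOk) {
    if (!fingerprintOk) return null;
    return crypto.sign('sha256', challenge, this.#privateKey);
  }
}

// Hypothetical service side: it stores public keys only, so it holds nothing
// that could act as a master key or rebuild a lost device.
class Account {
  constructor() { this.registered = new Map(); }
  register(key) { this.registered.set(key.id, key.publicKeyPem); }
  revoke(keyId) { this.registered.delete(keyId); }
  login(key, fingerprintOk = true) {
    const pem = this.registered.get(key.id);
    if (!pem) return false;
    const challenge = crypto.randomBytes(32); // fresh per attempt (no replay)
    const sig = key.sign(challenge, fingerprintOk);
    return sig !== null && crypto.verify('sha256', challenge, pem, sig);
  }
}

function lostKeyScenario() {
  const account = new Account();
  const main = new SecurityKey(), backup = new SecurityKey();
  account.register(main); account.register(backup);
  const before = account.login(main);
  account.revoke(main.id);                 // assumed step: main key lost or broken
  const viaBackup = account.login(backup); // key 2 still logs in
  const replacement = new SecurityKey();
  account.register(replacement);           // key 3 becomes the new backup
  return { before, viaBackup, lostKeyRejected: !account.login(main),
    wrongFinger: account.login(backup, false),
    replacementWorks: account.login(replacement),
    onlyPublic: [...account.registered.values()].every(p => p.includes('PUBLIC KEY')) };
}
```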


