(no title)

FIDO2/WebAuthn don't have anything to do with user management from an application architecture perspective. They leave all the work of combining the attestation credentials and your application's concept of a "user" to the application.

This means you can (and should as a designer) have multiple sets of credentials for one "user", multiple distinct credentials that you (the user) can register to multiple separate "user"s in the application, etc.

I believe all FIDO2 authenticators (like hardware keys) should generate a new hardware / key ID for each request for pairing a new credential. I know that my key does that, when I was working on implementing WebAuthn for $DAYJOB.

https://developers.yubico.com/WebAuthn/ is a good jumping off point.

FIDO2 resident keys (the thing people are now calling passkeys) allow for multiple credentials for a single site. If you have a device that supports resident keys you can try this for yourself on https://webauthn.io.

There is also no way for a site to know if two sets of credentials belong to the same physical hardware device or not. Sites can request the attestation certificate, but that is not unique per device (the spec says the attestation cert should be shared by at least 100,000 devices). If you want to see the attestation cert for a fido(2) device, I made a little tool that will show it to you: https://what-the-fido.sanford.io/

FIDO/WebauthN are generally "the good guys" when it comes to privacy bc "bring your own secure hardware key" is always an option. I'm kinda torn over the "use your cellphone as a key" approaches as not privacy friendly but we can't actually prevent them (you can always simulate a key).