Hacker News

gruez, last Sunday at 5:12 PM

> btw: "usually". Can you cite an implementation?

u2f has it: https://security.stackexchange.com/questions/224692/how-does...

> I don't see how you can prevent multiple people sharing access to one HSM.

Obviously that's out of scope unless the HSM has a retina scanner or whatever, but even then there's nothing preventing someone from consensually using their cousin's government-issued id (i.e. HSM) to access an 18+ site.

> Also, if the key is the same in hundreds of HSMs, this isn't fulfilled to begin with? Is this assuming the HSM holds multiple keys?

The idea is that the HSM will sign arbitrary proofs to give to relying parties. The relying parties can validate the key used to sign the proof is valid through some sort of certificate chain that is ultimately rooted at some government CA. However because the key is shared among hundreds/thousands/tens of thousands of HSMs/ids, it's impossible to tie that to a specific person/id/HSM.

> Is this assuming the HSM holds multiple keys?

Yeah, you'd need a separate device-specific key to sign/generate an identifier that's unique per-service. To summarize:

Each HSM contains two keys:

1. K1: device-specific key, specific to the given HSM

2. K2: shared across some large number of HSMs

Both keys are resistant to extraction from the HSM, and the HSM will only use them for signing.

To authenticate to a website (relying party):

1. The HSM generates an id, using something like hmac(site domain name, K1).

2. The HSM generates a signing blob containing the above id and whatever additional attributes the user wants to disclose (e.g. their name or whether they're 18+), plus a timestamp/anti-replay token (or similar), signs it with K2, and returns it to the site. The HSM also returns a certificate certifying that K2 is issued by some national government.

The site can verify the response comes from a genuine HSM because the certificate chains to some national government's CA. The site can also be sure that users can't create multiple accounts, because each HSM will generate the same id given the same site. However two sites can't correlate identities because the id changes depending on the site, and the signing key/certificate is shared among a large number of users. Governments can still theoretically deanonymize users if they retain K1 and work with site operators.
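The two-key scheme described in the comment above, as an added Go example (not code from the post or from any real HSM or government scheme). Ed25519 stands in for the shared K2 signing key, a bare group public key stands in for the certificate chain rooted at a government CA, and a site-supplied challenge stands in for the anti-replay token; the device key K1 and the assertion format are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Assertion is the blob the HSM signs for the site (a constructed format, not from the post).
type Assertion struct {
	SiteID     string            // hmac(domain, K1): stable for one device+site, unlinkable across sites
	Attributes map[string]string // only what the user chose to disclose, e.g. "over18": "true"
	Challenge  string            // site-supplied nonce serving as the anti-replay token
}
// HSM models one token: K1 is unique to this device, K2 is the group key shared by many devices.
type HSM struct {
	K1 []byte
	K2 ed25519.PrivateKey
}
// SiteID derives the per-site pseudonym from K1 and the relying party's domain.
func (h *HSM) SiteID(domain string) string {
	m := hmac.New(sha256.New, h.K1)
	m.Write([]byte(domain))
	return hex.EncodeToString(m.Sum(nil))
}
// Authenticate builds the assertion and signs it with the shared key K2, so the signature
// itself identifies only "some genuine HSM", not this device.
func (h *HSM) Authenticate(domain, challenge string, attrs map[string]string) (blob, sig []byte, err error) {
	if blob, err = json.Marshal(Assertion{SiteID: h.SiteID(domain), Attributes: attrs, Challenge: challenge}); err != nil {
		return nil, nil, err
	}
	return blob, ed25519.Sign(h.K2, blob), nil
}
// Verify is the relying party's check; groupPub stands in for the K2 certificate chained to the government CA.
func Verify(groupPub ed25519.PublicKey, blob, sig []byte, challenge string) (*Assertion, error) {
	if !ed25519.Verify(groupPub, blob, sig) {
		return nil, errors.New("signature does not verify under the group key: not a genuine HSM")
	}
	var a Assertion
	if err := json.Unmarshal(blob, &a); err != nil {
		return nil, err
	}
	if a.Challenge != challenge {
		return nil, errors.New("challenge mismatch: replayed assertion")
	}
	return &a, nil
}
```

Two devices holding the same K2 produce assertions that verify identically, while their SiteIDs differ per device and per domain, which is the property the comment relies on.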