by kfreds 1373 days ago
1. The hardware contains a UDS (unique per device secret) which can only be read once per boot cycle.

2. Firmware in ROM does unconditional measurement of the first mutable boot stage, which is loaded from the host, over USB.

The KDF used for measurement is Blake2s(UDS, Blake2s(application), USS).

Note that when I say hardware I mean FPGA hardware design.
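As an added illustration of the two properties in this post, here is a small Python model of the ROM derivation. It is not Tillitis code, and the exact way the three values are fed to Blake2s (here: plain concatenation of 32-byte inputs) is an assumption.

```python
import hashlib

# Added illustrative model, not Tillitis code. Input layout to Blake2s
# (UDS || Blake2s(app) || USS, each 32 bytes) is an assumption.


class OneShotUDS:
    """Models the UDS register: readable once per boot cycle, then locked."""

    def __init__(self, uds: bytes):
        self._uds = uds
        self._consumed = False

    def read(self) -> bytes:
        if self._consumed:
            raise PermissionError("UDS already read this boot cycle")
        self._consumed = True
        return self._uds


def blake2s32(data: bytes) -> bytes:
    return hashlib.blake2s(data, digest_size=32).digest()


def derive_cdi(uds: bytes, app: bytes, uss: bytes) -> bytes:
    """CDI = Blake2s(UDS || Blake2s(application) || USS)."""
    return blake2s32(uds + blake2s32(app) + uss)


def rom_boot(uds_reg: OneShotUDS, app: bytes, uss: bytes) -> bytes:
    """ROM stage: read the UDS once, measure the loaded app, derive its CDI.

    After this returns, the app runs with the CDI but can no longer read
    the UDS, so a different app cannot recompute another app's CDI.
    """
    uds = uds_reg.read()
    return derive_cdi(uds, app, uss)


# Constructed sample inputs (not real device values).
SAMPLE_UDS = bytes(range(32))
SAMPLE_USS = bytes(32)  # "no user secret" case
APP_A = b"constructed firmware image for app A"
APP_B = b"constructed firmware image for app B"


def uds_locked_after_boot(uds_reg: OneShotUDS) -> bool:
    """True if a second read of the UDS register is refused."""
    try:
        uds_reg.read()
    except PermissionError:
        return True
    return False
```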


Again, what stops malicious app B from just taking A's id and presenting it to the device? The token doesn't know who sent the USB packet.
I'm not sure I understand your question.

If you're asking about applications running on the device (Tillitis Key) the answer is measured boot. You can read more on tillitis.se.

I think the app is installed on the stick itself, kind of like how you install coin apps on a Ledger.