[HN Gopher] How to Yubikey
___________________________________________________________________
How to Yubikey
Author : kmille
Score : 378 points
Date : 2023-03-10 08:04 UTC (14 hours ago)
(HTM) web link (debugging.works)
(TXT) w3m dump (debugging.works)
| toastal wrote:
| Reminder: Yubico doesn't have a monopoly on security keys. Make
| sure your software/tutorials support the open-source alternatives
| like OnlyKey and NitroKey.
| fsflover wrote:
| Or Librem Key.
| nyolfen wrote:
| do any other keys have feature sets on par with yubikeys? last
| I checked they were ahead by a mile, the others I looked at
| were just fido2 keys
| [deleted]
| password4321 wrote:
| Not really keys, but hardware wallets like Trezor or Ledger
| can do a lot of this for ~twice the price.
| jrm4 wrote:
| If they don't, that's more of a reason to use the OTHERS? You
| really don't want a monoculture here.
| nyolfen wrote:
| I would be happy to use the OTHERS if they were comparable
| products
| evil-olive wrote:
| so far, Yubikeys are the only ones I've found that support
| both FIDO2 / WebAuthn as well as GPG smart card functionality
| for use with pass(1).
|
| they also support ed25519 FIDO SSH keys, whereas all the
| cheapo FIDO keys I've tested only support ecdsa-nistp256, but
| that's a relatively minor difference.
|
| Nitrokey 3 claims that GPG smart card support is planned in
| an upcoming firmware update. once that's released I may bite
| the bullet on shipping costs and order one. 55EUR shipping to
| the US for a 49EUR key is cost-prohibitive for the most part.
| meepmorp wrote:
| Also, yubikey works as a PIV smartcard
| palata wrote:
| > Nitrokey 3 claims that GPG smart card support is planned
| in an upcoming firmware update. once that's released I may
| bite the bullet on shipping costs and order one. 55EUR
| shipping to the US for a 49EUR key is cost-prohibitive for
| the most part.
|
| They have been claiming many things. I pre-ordered a
| Nitrokey 1.5 years ago, still haven't received it, and
| apparently during this time they have not implemented much.
|
| https://www.nitrokey.com/blog/2023/nitrokey-3-status-
| update-...
| hnarn wrote:
| Mullvad VPN has announced that their sister company
| "Tillitis"[1] is working on a really interesting key and it
| looks like it's releasing pretty soon (2023-03-23).
|
| From the website:
|
| >The TKey(tm) is a new kind of USB security key inspired by
| measured boot and DICE.
|
| >TKey(tm)s design encourages developers to experiment with new
| security key applications and models in a way that makes
| adoption easier and less risky for end-users.
|
| >TKey(tm) is and always will be open source hardware and
| software. Schematics, PCB design and FPGA design source as well
| as all software source code can be found on GitHub.
|
| [1]: https://www.tillitis.se/ -- also "tillit" is Swedish for
| "trust" and "mullvad" is Swedish for "mole" (the animal).
| manmal wrote:
| Safari seems to have its own implementation of a virtual
| security key also. Before I plugged in my Yubico recently,
| Safari asked me for my fingerprint as a fallback.
| ojkelly wrote:
| That's part of WebAuthN[0]. Some services like AWS will not
| allow virtual U2F keys to be registered, but most places do.
|
| [0] https://developer.mozilla.org/en-
| US/docs/Web/API/Web_Authent...
| lxgr wrote:
| Not exactly - WebAuthN is the browser/JavaScript API, which
| can be provided by both platform authenticators (such as
| Safari on iOS and macOS, Chrome on Android and macOS etc.)
| and hardware/"roaming" CTAP2-compliant authenticators.
|
| WebAuthN specifies the browser API, CTAP2 specifies the
| interface between an authenticator device/software
| implementation and a browser or other client, and FIDO
| specifies the behavior of the authenticator itself
| (including certification of attestation-capable
| authenticators).
| zikduruqe wrote:
| It works for Safari.
|
| For AWS, I use Firefox and a FIDO key, and have a backup
| MFA as Safari using U2F.
| manmal wrote:
| If Secure Enclave is as secure as Apple claims it to be,
| Safari's option might actually be the safest one. Of
| course you can't use that on anything other than a Mac or
| iPhone, so in some situations you need another key.
| vladvasiliu wrote:
| It's a bit more specific than that, no?
|
| You can't use Safari's option on anything other than
| _that particular_ Mac or iPhone. It's my understanding
| that you can't extract the secret key from the secure
| enclave.
| manmal wrote:
| I don't know how this certain feature is implemented. But
| Pass Keys are synced via iCloud and the private key never
| leaves any Secure Enclave in unencrypted form. Maybe
| these virtual security keys are different in that they
| are never synced via iCloud, but principally they could
| be.
| hsbauauvhabzb wrote:
| I'm unclear as to why we can't use some sort of tpm for
| webauthn and distributed encrypted passwords for
| synchronisation.
|
| Hell, even software based implementations which force domain
| checking would solve 99% of the problem...
| ilyt wrote:
| Technically, we can _just_ use client certs, YK supports them
| (via smartcard emulation, you can also use that to auth via
| SSH), just it wasn't really there, ever, on UI front...
| sedatk wrote:
| or SoloKey
| ptman wrote:
| Unfortunately my solokey2 is buggy even with latest firmware.
| Hw is much better than solokey1.
|
| But there are indeed alternatives to yubikey. Anyone have
| experience with https://www.token2.com/shop/product/token2-t2
| f2-fido2-and-u2... ? 128 resident keys is much better than
| 25/50
| sowbug wrote:
| Unfortunately SoloKey doesn't work as an OpenPGP smart card,
| which means it's not a real substitute for a Yubikey. I
| haven't had any luck with resident FIDO2, either.
|
| The Solo team believes that other functionality such as PIV
| overlaps with GnuPG use cases, so that OpenPGP isn't a
| priority, and their work on that functionality appears to
| have stopped in 2021. That's too bad, because OpenPGP's
| network effects far outweigh its pure functionality, which
| means a technical substitute isn't a substitute.
|
| https://github.com/solokeys/openpgp
| aareet wrote:
| I've found Solokey to be unreliable. Recently, for example, I
| learned that the Solokey 2 can't be added to iCloud as a
| security key
| pmw wrote:
| I have multiple Solo Key 2 devices. (I bought a Kickstarter
| 4-pack.) I use one of them regularly, and I successfully
| added it to iCloud as a security key. It has been 100%
| reliable.
|
| In August 2022 they released a major firmware update. Maybe
| that addressed the iCloud incompatibility and reliability
| issues?
| lakomen wrote:
| Your paranoia is getting out of hand, seriously. 2FA here, OTP
| there. Idk about you, maybe you do have such sensitive data that
| you have to double guard everything, I and the usual average guy
| don't.
|
| Why do I care? Because this craze has already reached the real
| world. Amazon requiring 2FA on deliveries. Wtf is wrong with my
| passport or other document? Nothing. Now I have to be physically
| present and recite some fucking code they sent me via fucking
| email or app if installed.
|
| I can't log in anywhere anymore without having to double prove
| that the password and email is indeed mine. STOP THIS MADNESS
| ALREADY!
| ryokeken wrote:
| where does Amazon require 2FA for deliveries or be present for
| it? in nj/ny doesn't seem to happen
| wink wrote:
| My World of Warcraft account had been secured by 2FA 10y
| earlier than my bank account.
|
| The good thing is, the launcher app on _my_ PC got the feature
| (a few years ago) that I only need to use the actual 2FA fob
| once every few months, not every time I login. It protects me
| against the most common case (someone logging in with my
| account/stealing my account) while not getting in the way at
| all. Unless someone breaks into the apartment, but I'll take
| that risk.
|
| Still wondering what's wrong with most orgs not even offering
| the user the choice of "no 2fa/2fa everytime/whitelist this one
| device for $period".
| bombcar wrote:
| The whitelisting is really nice, and it's expanding more and
| more. I like "login once per device".
| ioseph wrote:
| My work recently changed the password length requirement to 16
| characters, 2FA now requires typing in a number and you
| automatically get deauthenticated every 12 hours.
|
| I really feel there's got to be diminishing returns for such
| policies
| manmal wrote:
| I really hope PassKeys will be implemented everywhere soon.
| sam0x17 wrote:
| Other than Google Titan and Yubikey, are those really the only
| two players? I find it concerning that there is this whole
| ecosystem built around security keys, but only two companies
| making them. That said I currently use yubikeys for all my stuff,
| it just occurred to me it's odd there isn't a bunch of companies
| making these :/
| ethanzh wrote:
| SoloKeys[0] are one alternative
|
| [0] https://solokeys.com/
| lxgr wrote:
| There are many others.
|
| The list of FIDO certified products alone is 39 pages long
| here: https://fidoalliance.org/certification/fido-certified-
| produc...
|
| In addition to that, there are open source implementations for
| Java Card [1], open hardware efforts [2] and much more.
|
| [1] https://github.com/darconeous/u2f-javacard
|
| [2] https://github.com/google/OpenSK
| TacticalCoder wrote:
| A friend of mine and all his colleagues are using OnlyKey
| (pricey). I use a Ledger Nano S for U2F/webauthn. These two
| require a PIN to register/auth.
| kjrose wrote:
| Someone needs to do this but for a windows environment. The
| documentation is a disaster in that realm. Took me forever to get
| it working properly with active directory.
| vifon wrote:
| > I don't see any use case or security benefits by using the
| static password feature. Even if you enter a password manually
| and concatenate it with the password of the Yubikey, a keylogger
| still gets both parts (assumption: You don't reuse passwords).
|
| If a keylogger is what you're defending from, yes, it doesn't help.
| And in this scenario you've probably already lost.
|
| On the other hand, it makes a large portion of the password
| immune to video-recording you typing the password in. Yes, it's
| technically trivial to then steal your Yubikey, extract the
| static password and combine it with the recorded one, but these
| are still quite some extra steps.
|
| My point is, if a particular service or application doesn't
| support anything more refined, using a static password as a
| pepper[0] is perfectly fine and still an improvement over not
| doing so.
|
| [0] https://en.wikipedia.org/wiki/Pepper_(cryptography)
| sargun wrote:
| The static password feature would actually be perfect with a
| few small alterations.
|
| I use Apple's Advanced Data Protection product. This product
| gives you a 64-character code you must know. I am probably not
| capable of committing this code to memory.
|
| I wish I could tell my Yubikey this code, and it would save it.
|
| ---
|
| Now, as a US citizen, it is very hard for the government to
| compel me to disclose a password or a pin code. If the static
| password feature required a simple password (say 6 characters),
| with reasonable brute force prevention, it'd make it so that I
| have a way to protect myself. On the other hand, if it is not
| pin protected, there is nothing preventing the government from
| getting a search warrant for the Yubikey itself and using that.
| atoav wrote:
| Also: something you _don't know_ is also something you cannot
| tell the person threatening you with the $5 wrench [1]
|
| 1: https://xkcd.com/538/
| PaulWaldman wrote:
| Aren't you always vulnerable in this scenario?
|
| If you have your device in your possession, you also likely
| have your key in your possession in order to use your device.
| thesuitonym wrote:
| If your threat profile really includes the possibility of
| getting hit by a wrench, you can devise a means of
| destroying the key quickly.
| bombcar wrote:
| Also if the wrench is a consideration, you really need to
| consider at what point you die rather than reveal.
|
| And note that you may die even if you want to reveal;
| especially if you've set up a system that prevents you
| from revealing (two person keys, etc).
| aYsY4dDQ2NrcNzA wrote:
| My YubiKey seems pretty rugged, which is why I feel okay
| carrying it on my (physical) keychain.
| nextlevelwizard wrote:
| I like the idea of securitykeys, but having to drop 100EUR for a
| key (since in my opinion you are playing with fire if you don't
| buy a backup) feels excessive and then having to worry that
| I remember to take my securitykey with me everywhere...
|
| Yeah, yeah, security vs. convenience is always the issue, but so
| far I've just selected convenience.
| stavros wrote:
| Buy any FIDO2-compatible key for 15-20 EUR, they all do the
| same thing (or use TouchID if you're using a Mac, but you'll
| want backup for that).
| hummus_bae wrote:
| [dead]
| joshvm wrote:
| You can also use the cheap ones, they work just as well for
| consumer purposes: https://www.yubico.com/ch/product/security-
| key-nfc-by-yubico...
|
| The only irritating bit is when you don't have USB-A (there is
| no A+C stick). But with NFC at least you can use your phone.
|
| I've yet to find a place (in my life anyway) where FIDO isn't
| accepted. Secures the main things like Google, Namecheap, etc.
| lxgr wrote:
| That's one reason why I prefer USB-A security keys (it's just
| more ubiquitous at this point, and A-to-C adapters are
| readily available, while the reverse is out of USB spec).
|
| The other is that USB-A has all moving parts in the socket
| (vs. in the cable-side plug), which presumably makes a USB-A
| key more reliable.
|
| I've had USB-C keys break on me mechanically, so having an
| A-to-C adapter with moving parts on both sides seems like the
| best of both worlds (durable security key, durable device-
| side port, easily replaceable adapter).
| Hesinde wrote:
| I solve the issue of forgetting my key by having a key
| constantly attached to my keychain with a keychain clip except
| when it's in use with my notebook. This means that I have three
| keys - one on my keychain, one on my main computer, and one for
| backup.
|
| Also I have my passwords synced to my phone, which could serve
| as a mobile backup in a pinch. I currently have it configured
| to require the key, but I should probably change that now that
| I think about the possibility of losing the key.
|
| Using the key is more convenient to me than not using it,
| because it saves me from having to remember and enter a long
| master password.
| sverhagen wrote:
| >a backup
|
| >convenience
|
| I always wonder how often someone gets into a crisis because
| their Yubikey breaks while they're at, say, a conference (i.e.
| far away from the backup, be it another key, or access to
| recover codes). I reckon they can just break when plugged into a
| laptop that takes a dive.
| donkeyd wrote:
| Most people have only their phones, which can also break. But
| some people only start thinking about that stuff when they
| look at alternatives like the Yubikey.
|
| > they can just break when plugged into a laptop that takes a
| dive
|
| So can the laptop at a conference. Or anything else really. I
| just remove my Yubikey after use and carry it in my wallet
| when not in use. Sure, I can lose my wallet, but I have
| multiple back-up options for the Yubikey, I mostly use it for
| convenience.
| goodoldneon wrote:
| YubiKeys are more fragile than phones. One time a drop of
| water got on my plugged-in YubiKey and it stopped working
| for 2 days
| doubled112 wrote:
| I don't understand this perspective.
|
| I dropped my phone one time and could never unlock the
| screen again. It shattered into a dozen pieces.
|
| I've dropped my YubiKey many times with no damage. It has
| no moving parts. No glass. No screen. A tiny OS. Not much
| to go wrong.
| fullstop wrote:
| Absolutely this. My yubikeys have been on keychains for
| years and all still work. These keys are occasionally
| dropped, thrown, have gotten wet, fallen into the sand,
| and the yubikeys are fine.
| donatj wrote:
| If it was an Android, you can actually plug a mouse into
| it. I used this to backup a bunch of stuff after I broke
| my screen and touch no longer worked.
| doubled112 wrote:
| You couldn't see it either, but I suppose I could have
| fumbled around a bit blind. Good call.
|
| My wife and I have had really good luck buying matching
| phones.
|
| That time one had stopped charging and was replaced with
| a super-budget phone, so I just swapped screens, backed
| up/exported what I needed, and moved on.
| nextlevelwizard wrote:
| In normal life losing access to your phone won't lock you
| out of everything. You still have all your other devices
| you can use AND you can always just walk into store and buy
| yourself a replacement and download your phone back from a
| backup.
|
| Same with laptops. If you go to a conference and your
| laptop breaks. You can just go to nearest store and buy a
| new one. It will take couple hours, but you'll be up and
| running again.
|
| With security key if you lose it you lose access
| immediately to your stuff and you probably can not get a
| new one within 24 hours even if money wasn't an issue.
| Also after you get the key there is no way to authenticate
| yourself to the key in a way that you can just make it a
| copy of your previous key.
|
| Wallet is the best example. If you lose your wallet you
| need to kill your credit cards and get a new ID. However
| this does not lock you out of anything. You can go to your
| bank and take out whatever amount of money you need and
| order a new card, this will be inconvenient for about a week.
| With your ID it depends on the schedules. However there is
| clear path to recovery.
| macNchz wrote:
| > With security key if you lose it you lose access
| immediately to your stuff and you probably can not get a
| new one with in 24 hours even if money wasn't an issue.
|
| If you lose it while traveling and have a backup at home
| you can likely have someone overnight the backup to you
| in pretty close to 24h. You also only lose access to
| stuff that requires the key every time you access it, all
| but the most sensitive services will keep you logged in
| without the key for a period of time.
|
| > Wallet is the best example. If you lose your wallet you
| need to kill your credit cards and get a new ID. However
| this does not lock you out of anything. You can go to
| your bank and take out whatever amount of money you need
|
| In the US at least you'll find the bank wants to see your
| ID to let you withdraw cash, and businesses are becoming
| less friendly to paying cash. Though, like a security
| key, many people have a spare id at home in the form of a
| passport.
| eropple wrote:
| I can still get into "life stuff" without my Yubikey.
| There are increases in risk to doing so (TOTP requests
| have decreased resistance to phishing attacks versus
| webauthn, for example), which is why I don't do that
| generally, but the fallbacks are not a serious problem.
|
| I would have to lose/break my phone and my laptop (both
| secured via Apple's stuff, not my Yubikey) and my Yubikey
| to be materially locked out of things. And, at that
| point, my password vault is inaccessible to me and I have
| much bigger problems.
|
| The only thing I _cannot_ do without a Yubikey is SSH
| into systems, and that is, for me, a worthwhile thing to
| break-glass on.
| krupan wrote:
| Yubikey hardware is surprisingly robust. Mine has been on my
| physical keychain for years, getting thrown around and banged
| up and it's fine
| dale_glass wrote:
| I've been using them for a long time and so far it's never
| happened, but yeah, the USB A version looks potentially
| vulnerable.
|
| The USB C version looks more solidly made.
| vifon wrote:
| > Yeah, yeah, security vs. convenience is always the issue, but
| so far I've just selected convenience.
|
| In terms of the SSH and GPG keys which I use multiple times
| every single day for me this _is_ convenience. I have my keys
| always on my person and they are tied to me, and not a
| particular machine. Whether it's my laptop, my desktop or my
| phone, I have a single pair of keys that are virtually
| impossible to steal even on a so-so trusted device like a
| proprietary phone.
|
| When you start considering a security key as a portable
| credential storage to use across all your machines, it becomes
| actually more convenient, not less.
| Arch-TK wrote:
| The cost is not really that enormous when you consider these
| things are pretty bulletproof, I've had one for about 10 years
| on my keychain. That's EUR5 per year. I am currently waiting
| for NitroKey 3 to have non-alpha OpenPGP SC support and will
| likely buy one as soon as it's available (although maybe I
| should buy one now to support development and maybe have a play
| around myself).
|
| You don't need a backup unless you don't trust your hardware at
| home, just store backup keys on some trusted host, or offline
| on some storage media, you then only need to buy a new security
| key whenever you lose yours. Even so, if you DO decide to go
| the backup route, the backup is not likely to get lost and very
| likely to last much longer than 10 years.
|
| With security keys which have NFC capabilities, you can set
| things up so that accessing any website from your phone is only
| a tap away (you need to enter the pin beforehand, or every
| time, obviously choice of convenience here is up to you but if
| your phone itself is secure enough then maybe this isn't such
| an issue to keep the pin cached while the phone is on).
| agotterer wrote:
| I've carried a USB-A Yubikey in my pocket for 7 years and it's
| never broken. I also keep one time login passwords encrypted and
| available in the cloud in the event I lose the key.
| lxgr wrote:
| I've had one USB-C key break on me in the past, and my
| replacement is already showing signs of wear. Fortunately
| it's not my only way to get back into my accounts if it
| breaks.
|
| My (sample size 2) theory is that USB-C isn't the best
| connector for a security key, since it intentionally moves
| the wear-prone part (i.e. the dust-collecting and mechanical
| spring involving side) from the port to the cable.
|
| USB-A is completely solid state, and most security keys use
| the "flat" variant of the plug that further reduces the
| chance of mechanical damage and/or collecting dust.
| vladvasiliu wrote:
| For a security key, sure, it's better for that side of the
| USB port to be more resistant.
|
| But on the PC side, my old HP laptop used to have extremely
| tight USB A ports. I'd have to pull ridiculously hard on
| cables to disconnect them. Now the ports are fairly loose,
| to the point that my external drive sometimes
| disconnects...
|
| The yubikey kinda dances around in that port. Luckily, I
| don't move the laptop too much, so the key tends to stay
| put, but it sometimes does lose contact when I need to
| touch it often.
| fullstop wrote:
| You can buy dust covers for USB-C male connectors.
| lxgr wrote:
| Sure, but that doesn't help against the springs
| mechanically wearing out, or mechanical damage bending
| the hollow part of the USB-C connector.
|
| Looking at all of my USB-C keys, most of them get visibly
| bent inwards after a couple of years of carrying them in
| a pocket on a keychain with other keys.
|
| It's hard to imagine a USB-A key breaking in the same
| way. The only thing that could conceivably break it is
| the PCB itself snapping, or possibly static electricity
| (but I don't know how much better USB-C keys would fare
| in that regard).
|
| So given that I can buy 2-3 A-to-C adapters for the price
| difference between a USB-A and a USB-C key, why take the
| additional risk?
| fullstop wrote:
| Yes, I have both an A and a C in use. If I could keep an
| A-to-C adapter on my keychain that would be a good option
| as well.
|
| Type A is more durable, for sure.
| hot_gril wrote:
| Flat USB-A security keys are nice. But I've yet to subject
| mine to the bus test.
| ptman wrote:
| https://www.token2.com/shop/product/fido-bundle-2-x-fido2-us...
| ? or https://www.token2.com/shop/product/token2-t2f2-typec-
| fido2-... , but there's no 2x bundle.
| ixwt wrote:
| If you set up a domain to use Cloudflare, and then sign up for
| their zero trust system, you can get a code to get up to 4
| Yubikeys for $10 each.
| jrib wrote:
| Is this still the case?
|
| I came across this blog post about a similar offer:
| https://blog.cloudflare.com/making-phishing-defense-
| seamless...
|
| but it now states:
|
| > UPDATE: This offer expired on January 3rd, 2023 at 8am PST.
| thesuitonym wrote:
| Are these the good Yubikeys or the basic FIDO-only models?
| hot_gril wrote:
| Same, I only use the key when something forces me to, cause I
| trust TOTP authentication apps even less. (I don't mean
| trusting that nobody hacks it, I mean trusting that I don't get
| locked out.)
| bobse wrote:
| What if I lose this yubikey? This is stupid. My passwords are
| locked inside of my head.
| Biganon wrote:
| All of them??
| djha-skin wrote:
| It's pretty annoying having to touch my yubi key every single
| time. I find KeePassXC + TOTP much more user and disaster
| resilient. If I lose my yubikey, I'd better have a physical
| backup copy. If I lose my KeePass device, my file is just up on
| Dropbox. I find the value proposition is outweighed by the risk
| of disaster for yubikey personally, and keepass doesn't make me
| touch it every time so it's much more convenient.
| InCityDreams wrote:
| >If I lose my KeePass device, my file is just up on Dropbox.
|
| I've considered keeping my keepass file on the cloud...still
| wary.
| [deleted]
| mfontani wrote:
| > You can add 32 of these secrets to a Yubikey device.
|
| I have 45 of those currently in my Authy account, which syncs on
| two phones for redundancy...
|
| I'd love to use a Yubikey for this, but I'd have to split those
| accounts across multiple yubikeys, which would be quite a
| headache to maintain, especially if one wants redundancy...
| jonas-w wrote:
| For full disk encryption, if you use systemd and not another init
| system, I'd also recommend systemd-cryptsetup, it's already
| installed on your machine if you have a relatively new systemd
| (at least 248). With systemd-cryptsetup you can use fido2, and
| your normal fido2 pin, to unlock your LUKS drive.
|
| This also works with the YubiKeys "Security Key" series, that
| only have fido2 and no otp/chalresp.
| kccqzy wrote:
| I actually considered that setup but decided against it. The
| thing is, if I did this, I would eventually succumb to
| convenience and would _plug the key into the machine at all
| times_. But that defeats the purpose: if a thief steals my
| computer they can just tap the key rather than know my password
| to unlock my disk.
| jonas-w wrote:
| You normally have and you should have a fido2 pin, which is
| just a password. A thief would need your laptop, your
| security key, and the fido2 pin.
|
| Here is an article (from yubico) about fido2 pins:
| https://support.yubico.com/hc/en-
| us/articles/4402836718866-U...
| JadoJodo wrote:
| The 32 TOTP limit was what killed it for me as a replacement for
| Authy/Google Authenticator/etc. I know Yubikey came out before
| TOTP really hit its stride, but 32 was really short-sighted.
| fullstop wrote:
| I thought so as well, but I'm still not nearing that limit and
| I don't think I will as more places offer FIDO2/WebAuthN.
| privacyking wrote:
| Are there any android apps that support FIDO2 based SSH keys?
| sheerun wrote:
| I really would like to use it, but without ability to backup it,
| I don't wanna. I've read some time ago Yubikey of some other
| company showed initial spec, but I never heard any followup, I
| don't remember the link. For now I'm using TOTP but it's a chore.
| Salesforce Authenticator has nice idea with custom push-based
| protocol, but it's not running on dedicated hardware. I think
| ESP32 S3 has hardware potential to act as a security key as it has
| e-fuses and has enough oomph for cryptography, it would be
| interesting option to see (maybe with optional wifi/bluetooth
| faraday cage on it)
| lxgr wrote:
| > ESP32 S3 has hardware potential to act as security
|
| You'll probably want a tamper-proof MCU instead (i.e. the type
| used on payment smart cards and SIMs), if physical access is a
| concern to you at all.
|
| > without ability to backup it
|
| Your backup can be another security key. If you are concerned
| about design flaws (of the reliability/durability kind, not
| security), you can get FIDO-certified keys from many vendors
| other than Yubico these days.
| EvanAnderson wrote:
| I'm with you re: backups. The whole "just have a backup key"
| methodology seems tediously manual and fraught with
| opportunities for error/laziness.
|
| I've been looking into OnlyKey[0] recently. It seems to have
| sensible backup functionality at least.
|
| Something like the Mooltipass[1] (USB HID password vault w/
| TOTP support that has a sensible backup strategy) comes closest
| to what I want, but not quite close enough. (I'm disenchanted
| with it because it seems to lean heavily on an app on the host
| computer for functionality.)
|
| [0] https://onlykey.io/
|
| [1] https://www.themooltipass.com/
| TacticalCoder wrote:
| > I really would like to use it, but without ability to backup
| it
|
| I totally know the feeling. I was there, I don't believe for a
| second that enrolling _another key_ is an acceptable option and
| I solved that problem in a way that works for me.
|
| You _can_ clone your own security key if you're willing to
| deal with the problem that now becomes: _"How do I safely
| store the secret allowing to restore another security key?"_.
|
| I'm using paper seeds, split over _several countries_. A $5
| wrench attack on my mom to have her open her safe won't be
| sufficient. The attacker would need to $5 wrench another half
| too, which my mom doesn't have.
|
| Ledger Nano S (supposedly a cryptocurrency hardware wallet but
| I only care about the U2F support) has a U2F "nano app"
| installable on the key which shall do U2F (and webauthn, which
| is backward compatible from the device's point of view... It's
| not clear to me if it's going to work as a "passkey" too or
| not). They cost $79 or something.
|
| They're using this kind of secure chips from
| STMicroelectronics: https://www.st.com/en/secure-
| mcus/st31h320.html
|
| Ledger kinda knows what they're doing: their CTO was part of
| the original FIDO spec group.
|
| Buy two of them, initialize them with the same seed. Make sure
| to secure your paper seed.
|
| In my case the issue of "cloning and backing up a U2F/webauthn
| key" is solved. But it's a trade off: now I have to deal with
| storing the paper seed allowing to restore the U2F key.
|
| In exchange for that hassle I get U2F everywhere (SSH being a
| big, big, big one) _and_ my security keys are protected by a
| PIN (three wrong PINs and they reset to factory default). And I
| don't live with the constant fear of losing my security key
| and being locked out of all my services / having to reset
| everything.
|
| As an added bonus that Ledger Nano S has a tiny device telling
| you if you're registering _or_ authenticating and it's telling
| you where you're registering/authenticating. It becomes very
| hard to trick you into registering/authenticating to a bad
| party.
|
| Also for me to be really in trouble I'd need to both lose the
| ability to restore/clone another key _and_ I'd need to lose
| access to the _two_ security keys that are configured with the
| same seed.
|
| That is highly unlikely.
| sowbug wrote:
| Have you tested this solution? Unless something has changed
| since the initial spec, each handshake includes a usage
| counter, which the relying party sees and is supposed to
| remember. If the usage counter ever fails to increase, then
| that means something weird happened (like two keys acting as
| one), and the site can reject you.
|
| There are crude ways to deal with this issue, which are fine
| if you intend for the second to be used only in case of
| emergency.
| Mindless2112 wrote:
| Here [1] is Yubico's draft WebAuthn recovery ("backup
| authenticator") extension spec, which is possibly what you're
| thinking of.
|
| [1] https://github.com/Yubico/webauthn-recovery-extension
| dale_glass wrote:
| The backup plan is mostly having a backup key. The whole point
| is that there's a secret inside the key that can't be stolen,
| and that means there's no way of exporting it either. Most
| services I deal with allow registering multiple keys. Some like
| Paypal don't, but allow having both a key and TOTP so you can
| use TOTP as a fallback.
|
| For convenient TOTP, you can try this one:
| https://www.themooltipass.com/
|
| It mostly acts as a keyboard (bluetooth or USB). It supports
| TOTP, and will type it out for you. It has an internal battery
| and for TOTP the clock is set by the management application for
| it.
| xaduha wrote:
| > I really would like to use it, but without the ability to back
| > it up, I don't wanna.
|
| > For now I'm using TOTP but it's a chore.
|
| TOTP is your backup, I'd say most sites don't allow WebAuthn
| without TOTP enabled first.
| twawaaay wrote:
| Missing from all this: a dedicated machine running Linux to set
| everything up. I have an old beat up Thinkpad that I use
| exclusively for critical stuff that would really hurt me if
| somebody hacked.
|
| You can have one for less than the price of Yubikey so there
| really isn't much excuse.
| lxgr wrote:
| What's the benefit of that?
|
| The entire point of using a security key is that its security
| model can survive a point in time compromise of the device you
| are connecting it to, i.e. a compromise only persists as long
| as a (hopefully short-lived) session. But if a single session
| compromise is unacceptable to you, by the same token a security
| key can't protect you against that.
|
| The only instance where a "more secure" computer might be
| necessary that I can think of is using a GPG smartcard (which
| the Yubikey supports) and importing a software key to that, as
| opposed to generating the key on the smartcard itself.
| twawaaay wrote:
| Whatever security system you have there is always a problem
| of original sin. This is when the attacker happens to be present
| and prepared to hijack your initialisation process.
|
| If an attacker has unrestricted access to your laptop or
| phone and you are trying to use this device to set up say
| your AWS root account, no amount of Yubikeys will help you.
| They can essentially craft everything you are seeing on the
| screen and intercept everything you are typing in. What they
| do with it only depends on their imagination but with the
| advent of AI powered tools I expect hacking tools are going
| to get much "smarter" very quickly.
|
| A coworker lost all money he saved for many years for the
| downpayment on his apartment. He used his laptop to manage
| his banking and his phone to receive SMS messages. He logged
| in to his banking from his phone _JUST ONCE_. That was
| enough. Apparently, he had some kind of malware on his phone
| that was waiting in hiding for this exact occasion and the
| moment he logged in it intercepted the credentials and was
| able to transfer money out of his account with the codes he
| got on the same phone. It wasn't even a targeted attack. And
| it was 10 years ago.
|
| And as far as Yubikeys I would suggest they matter less than
| people think. They are a useful concept but only if services
| providing MFA capability implemented it correctly. And as far
| as my experience goes, no large service I use at the moment
| implements this correctly.
|
| The biggest problems are usually defaulting to SMS/email code
| if you indicate you've lost your Yubikey. Even for services
| that don't do this, there is usually some way to recover
| access anyway.
|
| I have lost both my root password and two of my yubikeys to my
| AWS account. Guess what, a couple of phone calls later I got my
| access back. It was stupid of me to lose my credentials
| (but it was an empty account at that time) but it is not
| inspiring confidence in me that anybody with just the access
| to my phone number and possibly a couple of scraps of personal
| information can recover full access.
|
| My strategy right now is to compartmentalise critical
| services that I use -- use a separate device to access them,
| never use my other devices for this, use a separate email and
| separate phone numbers. Never reveal to anybody the email and
| phone number. Never put anything that could create any
| interest for those services, emails, phone numbers, etc.
| Yubikeys are a nice gimmick (that I use daily) but I honestly
| don't see them as doing much for my security.
| lxgr wrote:
| > If an attacker has unrestricted access to your laptop or
| phone and you are trying to use this device to set up say
| your AWS root account, no amount of Yubikeys will help you.
|
| They will absolutely help against a persistent compromise
| of my accounts. For example, I can check all registered
| security keys from a different machine and network.
|
| If only the ones I expect are present, I can click the
| (hopefully present) button "log out all sessions on all
| devices" and be reasonably certain that, at least from that
| point in time, nobody else has account access. And I can
| make sure that all of the ones present are in fact my keys
| by trying to authenticate with all of them.
|
| Registering a new key will hopefully also trigger a big
| scary warning email/SMS/fax to me and/or additional
| security contacts.
|
| > Even for services that don't do this, there is usually
| some way to recover access anyway.
|
| As a user, I sure hope there is - it would be genuinely
| frightening to know that my account is unrecoverable if I
| lose all security keys linked to it! Hopefully, that
| process involves a lot of red tape and not just an SMS-OTP
| or sending a blurry scan of my birth certificate to an
| e-notary several timezones away.
| twawaaay wrote:
| > Registering a new key will hopefully also trigger a big
| scary warning email/SMS/fax to me and/or additional
| security contacts
|
| If your devices are compromised you are not guaranteed to
| receive any emails or SMS. There is malware known to
| remove emails and messages either directly or by running
| as man in the middle or by intercepting and modifying the
| UI.
|
| > As a user, I sure hope there is - it would be genuinely
| frightening to know that my account is unrecoverable if I
| lose all security keys linked to it!
|
| As a professional I am reading it the following way:
|
| "The access to the account can be regained without the
| super duper secure Yubikey fleet you have."
|
| Therefore it is as secure as that super expensive door
| lock when there is an open window right next to it.
|
| > Hopefully, that process involves a lot of red tape and
| not just an SMS-OTP or sending a blurry scan of my birth
| certificate to an e-notary several timezones away
|
| But that just does not happen. This would be super
| expensive and companies would rather limit their
| involvement with individual people to save on support
| cost. All I got from AWS was two phone calls from a tired
| guy with an obvious Indian accent.
| vermon wrote:
| Since it mentions age and rage: there is also dage, a Dart
| implementation https://github.com/Producement/dage . Also there
| is age-yubikey-pgp which uses dage to allow you to use X25519 for
| file encryption/decryption https://github.com/Producement/age-yubikey-pgp
| imiric wrote:
| Great, modern guide. Thanks!
|
| While I have a few Yubikeys in a drawer somewhere, for years I've
| preferred to use an actual smartcard to store my keys. Sure, it
| only offers a subset of the features of a USB key, but I've found
| that I really only need to sign, auth and decrypt data. All the
| other fancy things like OTP, FIDO, etc., either have alternatives
| (e.g. pass-otp), or are just not used often enough. I haven't
| been in a situation yet where I _need_ to use a USB key.
|
| Besides, the experience of using Yubikeys always annoyed me. The
| touch functionality was way too sensitive, causing many unwanted
| triggers. Having it always stick out made me nervous it was going
| to break. And the small USB-C version was often difficult to
| remove, while also taking up a USB slot.
|
| Smartcards are nice since they're compact and stay neatly inside
| a laptop, and they use a separate interface for that purpose,
| instead of the generic USB. I wish more laptops had readers for
| them.
| beagle3 wrote:
| Which card are you using?
| Mindless2112 wrote:
| If you're looking for a FIDO smartcard, I've been using this
| [1].
|
| [1] https://shop.cryptnox.com/products/cryptnox-fido-2-card
| imiric wrote:
| On my laptop, this one[1]. While there's a model that
| supports NFC, I've found these don't work well with Password
| Store + OpenKeychain on Android. So I use a different
| unbranded one there. Don't remember where I bought it, but
| there's nothing special about it.
|
| [1]: https://www.floss-shop.de/en/security-privacy/smartcards/
| doublepg23 wrote:
| I actually just bought two Yubikeys. I figured the iCloud
| announcement was reason enough to pull the trigger on them.
|
| I was actually surprised at how little changes I needed to do, it
| "just worked" with the most sensitive accounts I had (1Password,
| Gmail, iCloud). Very cool devices.
| OJFord wrote:
| I was hoping to find how to change the number of GPG
| passphrase/PIN retries (the default of 3 is panic-inducing after
| just fat fingering it once) - I did it on one of mine some time
| ago, but haven't been able to figure it out again recently for
| another one. Sorry, it's a bit of a tangent, but if anyone
| happens to know?
| upofadown wrote:
| According to this:
|
| * https://github.com/drduh/YubiKey-Guide#configure-smartcard
|
| ... it is: gpg --card-edit
| OJFord wrote:
| Ah, thanks, it is described at the bottom of that section,
| but it's actually:
|
| ykman openpgp access set-retries 5 5 5 -f -a YOUR_ADMIN_PIN
|
| (5 5 5 being the number of retries for encrypt/sign/auth)
|
| Now, do I know my admin PIN...
| denysvitali wrote:
| By default it is 12345678 IIRC
| cookiengineer wrote:
| The attack surface of yubikey vs a laptop you carry around is
| interesting.
|
| Nobody seems to reflect that if you physically steal the laptop,
| guess what, the usb key that's still in there was also stolen.
|
| Anybody using USB locks? If you are focussing on FIDO for
| password management, I am assuming you are protected against HID
| emulating devices, like a rubberducky or teensy flashed with some
| malware installing HID emulator.
|
| And you do use USB locks on your laptop, right? Right? Because if
| not then all that added layer of secure feelings is pointless
| from an operational security perspective, other than preventing
| shoulder surfing. And if you are using a FIDO key, you usually
| have to enter a password to use it anyways, so it does not really
| protect against that either.
|
| You could've just used a password manager with a LUKS encrypted
| system and you have the identical attack surface from an
| operational perspective.
| wink wrote:
| That's only for the nano ones which I personally have never
| used.
|
| My large USB A Yubikey is in my pocket, with my keys. So unless
| someone is mugging me or also stealing my pants, nope.
| p410n3 wrote:
| That implies people leave it plugged in, which is not
| advisable. Also ignores the fact that these keys have certain
| phishing protections. 2fa will fail when you're on a cloned
| phishing page, so you can't enter your totp code in a fake
| site. I use mine ALONGSIDE a traditional encrypted pw manager
| nulbyte wrote:
| Some people do leave them in. The Nanos are designed for
| exactly this behavior.
| 9dev wrote:
| I have one Yubikey tucked away at home, and another at my
| mother's a few hundred kilometres away; these are "last resort"
| keys to my core accounts. For daily usage, I rely on iCloud
| Keychain with FaceID/TouchID and encrypted file systems on my
| devices. I'm pretty confident in this setup: You'd need to
| steal my laptop and my phone, get my fingerprint or face, or my
| password; yet you still can't lock me out entirely, and chances
| are if I'm robbed, I'm going to reset everything right away.
| TacticalCoder wrote:
| > The attack surface of yubikey vs a laptop you carry around is
| interesting.
|
| If you use the term "Yubikey" to describe the simplest model of
| Yubikey and not as a generic term to describe these security
| keys. Both Yubikey and their competitors are offering more
| advanced models: models which aren't simply unlocked by a tap
| on the device.
|
| Then the attack surface compared to a laptop you carry around
| certainly becomes _very_ interesting.
|
| The security key I use most (I've got several models) has
| its own tiny screen and is protected by a PIN and won't work
| anymore after three wrong PINs (and let's not shift the
| goalpost by discussing what happens if you forget your PIN,
| that's another subject).
|
| A friend of mine and his colleagues, sysadmins at a major ISP,
| all use "OnlyKey". They're protected by a PIN too (no screen
| but six digits on the security key). One PIN to register the
| security key, another PIN to auth.
|
| Then there are security keys, including Yubikeys, only unlocked
| by fingerprints: now we're talking about Ethan Hawke stealing
| your laptop, your security key _and_ recreating your
| fingerprints from a glass he stole at the bar (it's not
| impossible, but we're very far from "we stole your laptop while
| the session was unlocked").
|
| > like a rubberducky or teensy flashed with some malware
| installing HID emulator.
|
| Wait, what would a teensy used for nefarious purposes do here?
| You can't sniff what's inside the Yubikey. It's kinda the whole
| point: it's a challenge/response only answered by knowing a
| secret protected by the HSM on the Yubikey. There's nothing to
| sniff. If you didn't intercept and modify the key while the
| person _registered_ on a service, you'll never be able to auth
| without unlocking the actual key which was used to register to
| the service. You may be able to sniff and relay the auth but
| you'd still not be able to extract the secret out of the
| security key.
|
| > Because if not then all that added layer of secure feelings
| is pointless from an operational security perspective
|
| I don't know: all the big security hacks we saw recently would
| all have been stopped cold dead in their tracks had U2F/webauthn
| been used (like the, supposedly, Plex related one where one dev
| had a years old, compromised, version of Plex which was used to
| exploit his home computer, which then allowed them to get inside
| the company's network, since all that was needed to log in to the
| company's network was to sniff a password).
|
| Google reports there have been _zero_ break-ins in years,
| since when they moved all their employees to mandatory U2F
| (then switched to webauthn and I take it now to passkeys?).
|
| I'm overall confused by your comment... What kind of attacks
| are you exactly talking about? Someone stealing your laptop
| then installing a teensy in your laptop and putting the laptop
| back in place, without you noticing? Or just someone stealing
| your laptop while the Yubikey is in it?
|
| Are you actually saying that because some Yubikeys aren't
| protected by a PIN and because some people leave this model of
| Yubikey in their laptop at all times, all security keys don't
| offer any additional protection compared to a laptop being
| stolen?
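Two points in this exchange, the per-credential counter sowbug mentions further up and the challenge/response argument made here (nothing to sniff, a captured exchange is useless elsewhere), are easiest to see in code. The following is an added example written for this thread, not code from Yubico, the linked guide, or any key vendor: a deliberately simplified Go model of a U2F-style login in which a relying party stores only a public key and the last counter it saw. The relying party id `example.test`, the seed string, and deriving the credential key by hashing the seed into a P-256 scalar are all assumptions made for the example; a real key derives credentials differently and the real signed data has more fields.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"math/big"
)

// Authenticator is one security key holding one credential. The private key
// never leaves it; only signatures over challenge+counter do.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32 // bumped on every assertion
}

// Assertion is what the key returns for the relying party to check.
type Assertion struct {
	Counter uint32
	R, S    *big.Int
}

// NewAuthenticator derives the credential key deterministically from a seed,
// so two devices initialised from the same seed share a key but keep separate
// counters. Hashing the seed into a P-256 scalar is an assumption for this
// example, not how a real key derives credentials.
func NewAuthenticator(seed []byte) *Authenticator {
	curve := elliptic.P256()
	h := sha256.Sum256(seed)
	d := new(big.Int).Mod(new(big.Int).SetBytes(h[:]), curve.Params().N)
	priv := &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: curve}, D: d}
	priv.X, priv.Y = curve.ScalarBaseMult(d.FillBytes(make([]byte, 32)))
	return &Authenticator{priv: priv}
}

// PublicKey is all the relying party receives at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// signedData is what both sides sign/verify: H(rpID) || counter || H(challenge).
// Binding the rpID keeps an assertion made for one origin from working on another.
func signedData(rpID string, counter uint32, challenge []byte) []byte {
	rp, ch := sha256.Sum256([]byte(rpID)), sha256.Sum256(challenge)
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], counter)
	return append(append(append([]byte{}, rp[:]...), cnt[:]...), ch[:]...)
}

// Assert answers a challenge: bump the counter, sign, return both.
func (a *Authenticator) Assert(rpID string, challenge []byte) (*Assertion, error) {
	a.counter++
	digest := sha256.Sum256(signedData(rpID, a.counter, challenge))
	r, s, err := ecdsa.Sign(rand.Reader, a.priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{Counter: a.counter, R: r, S: s}, nil
}

// RelyingParty keeps, per credential, the public key and the last counter it
// accepted. Nothing secret is stored server-side.
type RelyingParty struct {
	id          string
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

var (
	ErrBadSignature = errors.New("signature does not verify for this challenge and origin")
	ErrCounter      = errors.New("counter did not increase: replay or cloned authenticator")
)

func NewRelyingParty(id string) *RelyingParty          { return &RelyingParty{id: id} }
func (rp *RelyingParty) Register(pub *ecdsa.PublicKey) { rp.pub = pub }

// Authenticate verifies the signature over the challenge it issued, then applies
// the spec's counter rule: a value that does not strictly increase is rejected.
func (rp *RelyingParty) Authenticate(challenge []byte, as *Assertion) error {
	digest := sha256.Sum256(signedData(rp.id, as.Counter, challenge))
	if !ecdsa.Verify(rp.pub, digest[:], as.R, as.S) {
		return ErrBadSignature
	}
	if as.Counter <= rp.lastCounter {
		return ErrCounter
	}
	rp.lastCounter = as.Counter
	return nil
}

// NewChallenge returns fresh random bytes for each login attempt.
func NewChallenge() []byte {
	c := make([]byte, 32)
	_, _ = rand.Read(c)
	return c
}
```

Run it as a Go test (or call it from a `main`) with two authenticators built from the same seed: after the primary has logged in twice, the relying party remembers counter 2, so the backup's first assertion (counter 1) trips `ErrCounter` even though its signature is valid, which is exactly the failure mode sowbug describes. A captured assertion replayed against a fresh challenge, or presented to a relying party with a different id, fails the signature check instead; the counter check is the only thing that catches an exact replay of the same challenge.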
| tzs wrote:
| > now we're talking about Ethan Hawke stealing your laptop,
| your security key and recreating your fingerprints from a
| glass he stole at the bar
|
| Why bother with the glass from the bar? Your fingerprints are
| likely to be all over the laptop.
| nulbyte wrote:
| > Nobody seems to reflect that if you physically steal the
| laptop, guess what, the usb key that's still in there was also
| stolen.
|
| I think that largely misses the point of having such a key. I
| have one, and I'm well aware that if my laptop is stolen, so is
| that key. But the point of it is not to protect the laptop from
| the outside; that's why my drive is encrypted.
|
| The point of that particular Yubikey is to secure passwords and
| authenticate to some websites, all of which requires either a
| PIN or more passwords, even after breaking the encryption of
| the drive itself.
|
| Then there's the fact that, if you steal my laptop, you're
| probably looking to sell it for cash. That is to say, threat
| models matter. If you're a journalist in a hostile country, maybe
| other steps should be taken. But most of us here on a site
| called Hacker News aren't under such threats, romantic as they
| may be.
| krisoft wrote:
| > Nobody seems to reflect that if you physically steal the
| laptop, guess what, the usb key that's still in there was also
| stolen.
|
| Not in how I use it. I only connect my yubikey when I need it
| (rarely at that).
|
| > right? Right?
|
| Just generally don't do this. It comes off as unnecessarily
| aggressive. Instead you could say "Do use USB locks on your
| laptop, because ....". The "right? Right?" is not making your
| point more persuasive.
|
| > Because if not then all that added layer of secure feelings
| is pointless from an operational security perspective
|
| You are assuming all kind of things about the threat
| environment and the concerns the person has.
| InCityDreams wrote:
| > Just generally don't do this. It comes off as unnecessarily
| aggressive. Instead you could say "Do use USB locks on your
| laptop, because ....". The "right? Right?" is not making your
| point more persuasive.
|
| Pot, kettle situation?
| krisoft wrote:
| I don't see it that way, but happy to be corrected. Please
| tell me which part do you feel is unnecessarily aggressive?
| Just the general concept of asking someone to communicate
| differently, or a particular part of my message?
| pydry wrote:
| I had the same thought. HOTP or TOTP with a phone seem like a
| better bet for 2FA these days.
| f4n4tiX wrote:
| For OTP secrets, you could add my yubikey-otp tool, which is a
| CLI tool for searching and adding otp secrets stored on your
| YubiKey to your clipboard:
| https://github.com/MarkusZoppelt/yubikey-otp
| lofaszvanitt wrote:
| There was a very good security key dissection article way back on
| the net, just couldn't find it in my archives. They removed the
| ceramic coating, checked signals etc. and came to a quite
| sobering conclusion regarding security keys. If anyone has
| something similar, please provide a link.
| stavros wrote:
| Unless the conclusion was "someone can steal the private key
| from the key just being plugged in to USB", it can't have been
| very sobering. Literally all I want from a USB key is to make
| it so physical theft is required before someone can access my
| stuff.
| its-summertime wrote:
| The thing missing for me is, how to set 2 yubikeys to be
| functionally the same, to make having a backup key easier (for
| situations where no data is added to the key)
| sneakerblack wrote:
| It really depends on what you want to do with the yubikeys. If
| you're just using the PGP functionality (like SSH-ing and
| signing git commits) all you have to do is upload the same
| private (sub)keys to the two yubikeys and they'll be
| functionally the same*. I wouldn't know about other (more
| advanced) features though.
|
| If you follow DrDuh's guide, you should be able to set up the
| yubikeys in the way I described. I also created some
| provisioning scripts that automate the whole process which you
| should be able to use to provision the PGP applet:
|
| https://github.com/santiago-mooser/yubikey-provisioning-scri...
|
| Make sure to enable the export of the private key though!
| sedatk wrote:
| You have to register each key individually.
| fullstop wrote:
| This is trickier with TOTP, since you either have to have
| multiple keys on you or you have to save the TOTP seed / QR
| code until you have access to the other keys.
| jwr wrote:
| I've gotten good mileage over the last 5 years from drduh's guide
| to using Yubikeys with GPG and SSH. Works great, fully
| compatible.
|
| The newfangled ed25519 stuff simply didn't work for me.
| newaccount2021 wrote:
| don't be overwhelmed by these guides - you can also use yubikeys
| "out of the box"
|
| I use mine as a 2FA on services that support it, and I've never
| had to do anything but plug it in
|
| remember though, you will need pc smart card support...typically
| the pcscd daemon must be started and enabled
| stavros wrote:
| With the way things are going (U2F/WebAuthn), Yubikeys are being
| commoditized, and that's a good thing. I have 5-6 Yubikeys, but
| nowadays the one I use most is the Solo 2 I embedded in my
| laptop[0].
|
| Pretty much the only thing I use a Yubikey for nowadays is U2F,
| and I might as well use any cheaper key for that, since they're
| all equivalent (Solo 2 even has much more space for resident
| keys).
|
| I don't think there's much reason to get a Yubikey nowadays,
| especially if you don't need it for some specific use case (e.g.
| GPG). Just buy any cheap FIDO2-compatible key and you're good.
|
| [0]: https://www.stavros.io/posts/making-a-security-key-for-the-f...
| imiric wrote:
| > With the way things are going (U2F/WebAuthn), Yubikeys are
| being commoditized, and that's a good thing.
|
| I very much doubt this. Security keys are only used by a very
| niche community of security minded tech geeks. They're either
| unknown or very user unfriendly and a nuisance to the vast
| majority of tech users. Hell, I only use them because not using
| them is not an option, but I'm constantly annoyed with having
| to _think_ about them, rotate keys, manage passwords, etc.
|
| While WebAuthn and passkeys are becoming more prevalent and
| standardized, and that's certainly a good thing, the future of
| increased security for everyone will not involve security keys.
| Most users will authenticate using their phone or biometric
| data, which will create passkeys for each purpose, stored
| securely in the background on a TPM-like device, and synced
| using traditional methods.
|
| So security keys will remain a niche product, for those of us
| who don't trust these new authentication models, or have to
| keep managing passwords for likely many years to come.
| stavros wrote:
| I meant "it doesn't matter which key you get, they're all the
| same", not "everyone has one".
| imiric wrote:
| Ah, sorry for misunderstanding.
|
| BTW, that's a pretty cool project embedding a Solo 2 into
| the laptop. Shame you're now stuck with the Framework, but
| it's awesome that kind of project is even possible. I still
| prefer using a regular smartcard, since some (many?)
| laptops have built-in readers. And I miss PCMCIA slots,
| which were a perfect fit for smartcard readers, until they
| took it away from us. :(
| stavros wrote:
| Oh I'm not stuck, it's a removable port, I can just take
| the key out whenever. I think USB-C is more flexible than
| PCMCIA, especially with the Framework's module bays.
| imiric wrote:
| Well, you're functionally stuck with Framework, unless
| you want to go back to using the security key in the
| traditional way. I have the same issue with ThinkPads
| because of the TrackPoint, and can't go back to other
| laptops for work (some HP models had it at one point, but
| I haven't seen it in recent ones).
|
| And, sure, USB killed PCMCIA, but I still prefer the
| embedded form factor and standard size of PC cards. Now
| we have a million USB devices, all with different form
| factors, and even different behavior depending on the USB
| standard they support. At least we've sort of settled on
| a single connector now.
| aborsy wrote:
| Most security keys can't act as GPG smart cards, other than
| Yubikeys. So I only buy Yubikeys.
|
| An encryption, authentication and signing key in a Yubikey is very
| useful.
|
| Does anyone know if a Wireguard secret key could be transferred
| to Yubikey?
| moreentropy wrote:
| While having a YK neo with all the features, I prefer the simple
| FIDO security key. Everything you could want apart from
| legacy/special use cases can be achieved with fido.
|
| websites -> fido/u2f
| ssh -> native fido support in ssh-keygen
| login -> fido2 for windows, libpam-u2f for linux
| luks encryption -> systemd-cryptenroll
___________________________________________________________________
(page generated 2023-03-10 23:00 UTC)