Which 2FA physical key do you prefer?
from sparkle_matrix_x0x@lemmy.ml to privacy@lemmy.ml on 20 Oct 21:55
https://lemmy.ml/post/37824122

I am thinking about buying a pair of physical 2FA keys to protect my password manager and sensitive accounts. Which brand and model do you suggest?

If a model with open source firmware doesn’t come with big drawbacks, I’d prefer it, because I may learn from the source code and even contribute to it.

NFC is not necessary, and the keys should be USB-A. A fingerprint reader is welcome if the price doesn’t increase too much.

Thank you all in advance.

#privacy

threaded - newest

monovergent@lemmy.ml on 20 Oct 22:01 next collapse

The firmware isn’t open source and I only chose it for the employee discount, but the blue Yubico security key has held up well over hundreds of uses and several years jingling around in my keychain.

Cat_Daddy@hexbear.net on 20 Oct 22:13 collapse

Was going to say Yubikey also. I don’t like that it’s not open, but I’ve had open firmware keys before and they broke after several months of use. Meanwhile, my Yubikey has been kicking it on my keychain for almost fifteen years without any signs of wear, other than the paint scraping off of it.

florencia@lemmy.blahaj.zone on 20 Oct 22:02 next collapse

Yubico keys. Never had an issue after years of dangling on my keychain. They get replaced with upgrades to the key before they can break.

Godort@lemmy.ca on 20 Oct 22:19 next collapse

Yubico is industry standard for a reason. The current 5 model will have all the features you need and they are basically indestructible.

solrize@lemmy.ml on 20 Oct 22:25 next collapse

Do you mean TOTP? FIDO? Or what? FOSS ones exist but they might not do exactly the right thing. I’ve had some ideas for self-built too. What would you do on the host interface side? Wouldn’t you want the host to not have the secret?

It’s an interesting question.

sparkle_matrix_x0x@lemmy.ml on 21 Oct 07:14 collapse

I would use it for FIDO2 authentication

turtl@lemmy.ml on 20 Oct 23:21 next collapse

Why do folks seem to prefer Yubikey over alternatives like Nitrokey or Token2?

Cat_Daddy@hexbear.net on 21 Oct 00:11 next collapse

Longevity (mine is about 15 years old)

sparkle_matrix_x0x@lemmy.ml on 21 Oct 07:12 next collapse

That the same thing I asked myself…

utopiah@lemmy.ml on 21 Oct 10:51 collapse

So far nobody provided a good answer (if I missed it, I apologized, please do share) so I’m going to assume it’s the typical “Nobody ever get fired for buying from IBM” mindset, namely rely on what is the most popular, confirm it works well while ignoring viable alternatives IMHO, e.g NitroKey.

Godort@lemmy.ca on 21 Oct 17:18 collapse

I’m going to assume it’s the typical “Nobody ever get fired for buying from IBM” mindset

That’s pretty much it exactly. Yubico has the required features, are widely supported, and are widely used. They have a track record of reliability.

Other viable alternatives definitely exist, but they don’t have the same real-world penetration. The disadvantage with that is if you run into a platform-specific issue, finding someone who has had the same issue before and posted the solution somewhere becomes far less likely.

utopiah@lemmy.ml on 21 Oct 17:43 collapse

if you run into a platform-specific issue

Well that’s of course possible but in theory (which is so different from practice, I get that) if it relies on protocols or specifications rather than vendor specific implementations, e.g. OTP, TOPT, HOTP, U2F, OpenPGP, WebAuthN, etc then it should be fine.

stupid_asshole69@hexbear.net on 20 Oct 23:39 next collapse

Your only “good” option is yubikey. They’ve been around comparatively forever, have all the problems worked out and make durable hardware. All that matters because you don’t want to get something from a company that goes under in a few years and leaves you high and dry and you don’t want the dongle to break because that’s your authentication, now you’re locked out of your shit.

I recommend against getting some doodad with a biometric reader. You’re adding complexity, attack vectors and not getting much out of it plus you’re locking yourself out of deniability and the possibility of handing a trusted person your dongle, telling them your password and having them act in your stead.

sparkle_matrix_x0x@lemmy.ml on 21 Oct 07:12 collapse

You’re right about the FP reader, I didn’t think about that before

adespoton@lemmy.ca on 21 Oct 04:58 next collapse

The one I have on me. Which happens to be my Yubikey currently.

Ghoelian@piefed.social on 21 Oct 06:54 next collapse

I have a nitrokey which works great. Only downside is the software isn’t as user friendly, you need to set it up using the cli.

sparkle_matrix_x0x@lemmy.ml on 21 Oct 07:09 collapse

I am fine with a cli, I use arch btw.

How long have you had your nitrokey? Others are concerned about their durability…

Have you ever had a yubikey?

Ghoelian@piefed.social on 21 Oct 08:08 next collapse

I’ve only had the nitrokey for a few months, so can’t comment on the durability yet.

I did have a yubikey before. My experience with them wasn’t great, I often had to re-plug in the key because the touch to activate thing was pretty unreliable for me, often just not responding to touch at all.

Though ultimately the reason I chose nitrokey is because I was just looking for a European alternative.

utopiah@lemmy.ml on 22 Oct 08:28 collapse

Others are concerned about their durability…

Unless I see reports about keys premature end of life I’d put that under FUD.

Anyway as you did ask few times about this I believe it’s important, and you might be aware of this so apologies if sound condescending, to see keys as something NOT precious. Of course keys are important and they are not cheap… but also you might, in fact :

  • you probably will loose keys
  • you might get them stolen (typically by mistake, somebody taking your entire backpack)
  • you maybe could break them sitting on them (really tricky but OK, why not)
  • you might have some die of “old age” (I’ve never seen that but physical tear does happen, depends on your usage)

… so what’s IMHO crucial is to have a backup. If you lose your 1 key and you are locked out of your stuff, this is terrible. If you lose your key but you have a backup in a well known to you and secure location, then you login, revoke the other one, move one. Maybe you lost 50 bucks but that’s much better than either being compromise or hours and hours lost in trying and failing to find back the 1 key.

TL;DR: keys are important but not precious. If they are precious you are doing something wrong.

Edit: also not for now but keys will inexorably deprecate. You might want post-quantum schemes and even though it is arguably not pressing at the moment maybe the hardware you currently have will not support this. So again, keys are important but should be disposable and replaceable.

utopiah@lemmy.ml on 21 Oct 07:12 next collapse

I use Yubikey Bio and NitroKeys.

Edit : to expand a bit, for the YubiKey it’s for the convenience of just pushing my thumb on. I use it on the Web and to su locally. For NitroKeys I’ve discovered them via nlnet.nl/project/Nitrokey-3/ and thus appreciate the OSHW side, e.g certification.oshwa.org/de000007.html or certification.oshwa.org/de000008.html

fubarx@lemmy.world on 21 Oct 07:26 next collapse

onlykey.io

6 FIDO keys in one.

sparkle_matrix_x0x@lemmy.ml on 21 Oct 16:12 collapse

That’s cool, strange I didn’t stumble over it when I was searching for these keys. Have you got one? Is it durable?

fubarx@lemmy.world on 21 Oct 16:22 collapse

I got one years ago. Used it for quite a bit. Worked great, but I stopped using it when my daily computer didn’t have a USB-A port any more.

You do have to remember what each numbered button is for.

DieserTypMatthias@lemmy.ml on 21 Oct 10:26 next collapse

I use Yubikey 5C NFC. You can get it for ~29€ last time I checked.

eldavi@lemmy.ml on 21 Oct 20:22 collapse

i stopped using mine because i kept accidentally trigger it every single time i intended to type something.

i was a software engineer at the time, so it was particularly annoying to me.

AmericanEconomicThinkTank@lemmy.world on 23 Oct 02:59 collapse

Yubi