This isn’t strictly a privacy question as a security one, so I’m asking this in the context of individuals, not organizations.

I currently use OTP 2FA everywhere I can, though some services I use support hardware security keys like the Yubikey. Getting a hardware key may be slightly more convenient since I wouldn’t need to type anything in but could just press a button, but there’s added risk with losing the key (I can easily backup OTP configs).

Do any of you use hardware security keys? If so, do you have a good argument in favor or against specific keys? (e.g. Yubikey, Nitrokey, etc)

  • JustEnoughDucks
    link
    fedilink
    1
    edit-2
    9 months ago

    I am very confused what you mean that a phone doesn’t count as a 2nd factor.

    Your password is factor one.

    An OTP is factor 2, whether it is on a phone or a yubikey makes literally 0 difference practically. It is a “something you have”.

    If you need biometric unlock to get into your 2fa app or on the yubikey itself, that is a 3rd factor of “something you are.”

    If you are very worried about someone compromising your phone app and already knowing your password, (which is not how 99% of intrusions are done) then put a pin or fingerprint on your 2FA app and it is back to being a secure 2nd factor.

    The probability of someone breaking into your phone, hacking your bitwarden password, and having a fingerprint exploit that allows them to break into your 2FA app is like 1 in 1 billion unless you are like top 1000 most important people in the world. But as a thought exercise, a dongle indeed has the potential to be more secure because it is an additional “something you have” to your phone.

    • @solrize
      link
      19 months ago

      The idea is that your passwords are stored on the phone. You want a separate long random password for each account, so it’s unfeasible to remember them. It’s also a big pain to type every one such password on a screen keyboard. Thus, the password and the phone are the same factor.

      I have avoided having important passwords on my phone because of this, but some people use their phones more heavily than I do. My more important accounts are only accessed via my laptop, using a TOTP phone app as 2nd factor. I rarely take the laptop out of the house.

      • JustEnoughDucks
        link
        fedilink
        2
        edit-2
        9 months ago

        But this is only the case if you store your passwords in a plaintext file on your phone. Something that I hope nobody would be dumb enough to do, but I guess many people would.

        If you have an encrypted password manager like Bitwarden or so where you have a single long password to open and get at your other long secure passwords, then it is essentially a different factor than your phone, right? Since having the phone unlocked would do nothing to help the attacker get to your password vault.

        • @solrize
          link
          19 months ago

          Well I find it a big pain to type a long complex password on a phone. Ymmv though.