This isn’t strictly a privacy question as a security one, so I’m asking this in the context of individuals, not organizations.

I currently use OTP 2FA everywhere I can, though some services I use support hardware security keys like the Yubikey. Getting a hardware key may be slightly more convenient since I wouldn’t need to type anything in but could just press a button, but there’s added risk with losing the key (I can easily backup OTP configs).

Do any of you use hardware security keys? If so, do you have a good argument in favor or against specific keys? (e.g. Yubikey, Nitrokey, etc)

  • @solrize
    link
    29 months ago

    I’m unfamiliar with how Yubikey works but I thought the FIDO2 protocol was designed to prevent that sort of association. Anyway it doesn’t sound good. Cryptographer’s saying (by Silvio Micali): “A good disguise should not reveal the person’s height”.

    • @[email protected]
      link
      fedilink
      English
      19 months ago

      Oh yeah it clearly seems a bad idea to me, which is why I’m assuming error on my part. 100% though I took an unrelated phone, installed the yubico app, slapped my nfc yubikey up to it, and could see my accounts listed.

      • @solrize
        link
        29 months ago

        Oh I misunderstood what you were describing but yeah, it doesn’t sound good. It sounds like the key is supposed to be an SSO credential for multiple phones? Maybe there’s a way to set it up differently. You might ask their support.

        • @[email protected]
          link
          fedilink
          English
          1
          edit-2
          9 months ago

          I probably described it poorly.

          It’s nothing that exotic. I use it as MFA for a few different accounts as I assume anyone who has one does. :)

          Using one easy example, I have [email protected] set up and I can clearly see “[email protected]” as a linked account on my yubikey on any device. I can’t do anything with it, but I see my username in the format shown above, and the one time code counting down.

          I don’t actually know why I haven’t gone to their support - hadn’t thought about it for awhile until reading this thread, so that’s a good suggestion and will do.

          • @[email protected]
            link
            fedilink
            29 months ago

            I think y’all are talking about different things. Some sites (like google) have direct yubikey support where you plug the key into the device and what you’re talking about isn’t an issue

            Other sites don’t have direct support, but allow you to use any authenticator app which is what you’re talking about with using the yubico authenticator app/key combination. Plugging it into a yubico authenticator app on any device will show the codes

            Unfortunately I don’t have an answer for a way to protect those other accounts. I guess the hope is that if you lose it, it can’t be tied to your accounts, just the websites themselves

          • @solrize
            link
            29 months ago

            Yeah it would be preferable IMHO if you had to enroll a newly installed app with username and password in addition to the key.