I rarely use my smartphone and find it a bit annoying to have to use it for 2FA through apps. I wish to get physical passkeys that will allow me to login to my laptop.

I have heard of YubiKey although I haven’t given it any serious consideration since it is closed source. (My super-tin-foiled friend who introduced me to this world of privacy taught me to never trust a closed-source solution… _long _ story).

Are there any FLOSS versions of Yubikey? Can they be used to log into a Linux machine? Or for banking?

    • @schnapspraline
      link
      135 months ago

      Yes they are - I own 3. Currently Nitrokey offers multiple different keys, but you most likely want to use the Nitrokey 3A.

  • Random Dent
    link
    fedilink
    English
    195 months ago

    There is SoloKey, which is an open-source version of YubiKey. Although full disclosure, I haven’t actually tried it myself so I can’t really vouch for it personally.

    • @ransomwarelettuce
      link
      35 months ago

      Yeah done anything with it over 1.5 ~ 2 years, on top of that NFC does not work at all in many cases.

      Yeah I regreted buying one . . . works great on PC though.

  • Soso
    link
    fedilink
    16
    edit-2
    5 months ago

    (Disclaimer: I work there)

    Check out @nitrokey. we make Open Source software and hardware security keys that have pretty similar functionality with Yubikeys.

    #Fido #PGP and in progress #PIV

  • @[email protected]
    link
    fedilink
    English
    145 months ago

    I have a onlykey. Been using it for probably 5 years now. Not sure why they aren’t more common.

    • @AnUnusualRelic
      link
      English
      35 months ago

      I use Onlykey as well. Can do lots of things. Works fine.

  • @[email protected]
    link
    fedilink
    115 months ago

    I believe solokeys are open source. I use a solo v1 for sudo, ssh, and two factor websites. They either went out of business or are basically defunct as I understand it, but you can pick them up on crowd supply. I wouldn’t get the v2, supposedly they had problems and that’s why they shut down. You likely won’t see updates, but they do function for what you’re looking for. There are some that are shaped like a small thumb drive and some that sit almost flush with a USB port. Some have nfc, which is useful for phones. Buy at least 2 though, and register both for everything, because you don’t want to lock yourself out of something.

    • Mike Wooskey
      link
      fedilink
      English
      75 months ago

      I use Solokeys. Didn’t know they were defunct. I just bought another from then a month or so ago. I use it for MFA, ssh, and sudo, and I’m trying to config Kubuntu login screen to require solokey but no luck yet.

      I like solokeys, but the one I recently bought has NFC and, technically, my pixel7 running GraphenreOS can detect the device, but it doesn’t work. Many people reported this issue. In my experience, NFC is non-functional.

      • @[email protected]
        link
        fedilink
        14 months ago

        I’m pretty sure you have to have google play services or MicroG for FIDO2 to work on android. A bit silly of you ask me.

        • Mike Wooskey
          link
          fedilink
          English
          14 months ago

          That sounds crazy, but easy to test. Thanks for the suggestion.

  • @[email protected]
    link
    fedilink
    105 months ago

    For my own understanding, what potential dangers are there using a Yubikey as opposed to an open source key?

    • @MaroonOP
      link
      65 months ago

      I’m a novice myself, so don’t expect an accurate and technical answer. My understanding is that the argument basically boils down to “claim versus veracity” on any vulnerabilities or compromises in the key.

      How do you know there aren’t significant security vulnerabilities in the key, or that there aren’t backdoors?

      The open source community have some excellent security experts who can check and let us know if all is good, or if something is off.

  • @skeld
    link
    65 months ago

    Might want to check out Mooltipass. I got mine from tindie and they’re worth a look IMO.

  • @[email protected]
    link
    fedilink
    English
    35 months ago

    Verifying the Security Claim of 2FA Devices

    The claim that using OTP tokens and Yubikeys compromises your security and privacy is completely false.

    Let’s look at this in more detail.

    Arguments against concerns:

    1. Limited information:
    • Device serial numbers and purchase details are stored by the retailer, but this does not provide access to your accounts. Serial numbers themselves cannot be used for hacking.
    1. Cryptographic protection:
    • Yubikey and OTP tokens use strong cryptographic methods such as HMAC-SHA1, RSA and ECC, which make OTP generation extremely secure and tamper-resistant.
    1. Physical access:
    • Authentication using these devices requires physical access to the device. This means that an attacker must physically possess your Yubikey or OTP token in order to be authenticated.
    1. No transfer of personal data:
    • These devices do not transmit or store personal user information on third-party servers. They generate one-time codes locally and send them only to the target service.
    1. Phishing protection:
    • Yubikey with FIDO U2F and FIDO2 support protects against phishing because the codes are domain specific and cannot be used on phishing sites.

    Additional arguments:

    1. Reducing dependency on passwords:
    • Using 2FA devices reduces the risk of accounts being compromised, even if the primary password is stolen.
    1. Integrated protection systems:
    • When combined with other security measures, such as two-factor authentication with SMS or mobile apps, OTP tokens and Yubikeys create multi-layered protection that makes it harder to hack.
    1. Convenience and speed:
    • These devices simplify the login process by providing instant and secure authentication without the need to remember complex passwords.

    Conclusion:

    While purchasing a 2FA device may leave traces in merchants’ databases, the risks are minimal compared to the security they provide. Yubikey and OTP tokens significantly increase the level of security for your accounts, especially when combined with other security methods. Therefore, the claim that using these devices compromises your security and privacy is untrue.

  • trevor
    link
    fedilink
    English
    25 months ago

    There are suitable alternatives listed in other comments, but it is worth noting that none of them will support the proprietary YubiKey authentication protocol.

    This isn’t a big deal if all of the applications you want to use it with support FIDO2/WebAuthn authentication, but YubiKeys support both.