Bucephalus355 | 6 years ago

What have people been using for Yubikeys as an alternative? Installing safes onsite and self monitoring?

Thorrez|6 years ago

It depends on your threat model. If you're worried about sophisticated attackers physically breaking in to your place to steal a Yubikey to steal your accounts, you should also worry about them physically tampering with your computer to install malware, and thus need monitoring for that as well.

If you can't do the monitoring, and you face very advanced attackers like this, it's probably best to only use a laptop that you physically keep with you at all times, and then you can keep your Yubikey with you at all times too.

If you just want to protect against an attacker sophisticated enough to steal a Yubikey but not enough to install malware, then maybe instead of a second Yubikey in the safe deposit box, you could have an encrypted recovery code in the safe deposit box, and either memorize the password, or store the password on your computer.

I've never heard of attackers stealing a Yubikey though. More likely is the attacker will social engineer the website's support into giving over your account.

michaelt|6 years ago

I’ve heard safe deposit boxes as an answer to the question “what if my house burns down with my yubikey/recovery code sheet in it, and none of my friends or family are as security-conscious as me so I can’t leave the spare with them”

viraptor|6 years ago

Why would you want to store yubikeys securely, as opposed to recovery codes which you can print out in multiple copies? Store it in multiple semi-secure places. Unless you're running infra for an international corp, government, bank, or are likely to be physically targeted for some reason, you can likely store it in a folder on a shelf.

(And if you actually need to worry about things like that, then you've got (or should have) people who think of things like that for you)

jdnenej|6 years ago

You can check to see the key is still there but you can't check to see if anyone has copied the codes. The key is meant to be not possible to duplicate.

TomK32|6 years ago

From the article it sounds like most of those cases are banks drilling open the boxes and putting the contents into storage. A better and stricter inventory system with strict and punitive regulation is what is needed, not some technical gadget.

ghaff|6 years ago

Furthermore, electronics fail. If there are some records including 2FA codes that you want to store in a safety deposit box, fire box, etc., I absolutely want at least paper backups whether or not I also have a Yubikey, SD card, etc. E.g., if I have a home inventory I absolutely want prints even if it’s also in the cloud someplace.

Latty|6 years ago

I think the parent post was asking where someone would securely store a hardware device like a yubikey that, for example, contains the only copy of a root key—as opposed to using such a hardware device as part of a security system.

Spooky23|6 years ago

Yes. Paper is best though.

It is also sometimes in your interest to get things in the custody of an individual, ideally your attorney. If the owner of a deposit box becomes aware of your death, they will seal it until a court order is obtained.

jdeibele|6 years ago

At least in California, the bank opened it for me (as personal representative) so that a bank employee and I could inventory the contents.

My aunt was a hoarder. At that point, I was actually relieved that the box was empty and I wouldn't have to go through the process of claiming the contents.

My aunt was also somebody who bought gold and silver, something that was promoted heavily to people in conservative Orange County, California when Obama became president and end times were near. Chase made it very clear that I was basically storing things at my own risk. I could deposit US coins from the 1880s at face value of $20 and get FDIC insurance. Instead, since they were about $1200 each at the time, I put them in the safe deposit box.

Before that, in Oregon, my dad died but I was on the list of people allowed to use the box so I had access. That might be an option if there's somebody you really trust.

The banks do charge about $100 to drill the lock if you lose the keys. It's possible that you could have somebody authorized to use the box but not give them a key.