
How to Yubikey

449 points | kmille | 3 years ago | debugging.works

172 comments

[+] vifon|3 years ago|reply
> I don’t see any use case or security benefits by using the static password feature. Even if you enter a password manually and concatenate it with the password of the Yubikey, a keylogger still gets both parts (assumption: You don’t reuse passwords).

If a keylogger is what you're defending against, yes, it doesn't help. And in this scenario you've probably already lost.

On the other hand, it makes a large portion of the password immune to video-recording you typing the password in. Yes, it's technically trivial to then steal your Yubikey, extract the static password and combine it with the recorded one, but these are still quite some extra steps.

My point is, if a particular service or application doesn't support anything more refined, using a static password as a pepper[0] is perfectly fine and still an improvement over not doing so.

[0] https://en.wikipedia.org/wiki/Pepper_(cryptography)

[+] sargun|3 years ago|reply
The static password feature would actually be perfect with a few small alterations.

I use Apple's Advanced Data Protection product. This product gives you a 64-character code you must know. I am probably not capable of committing this code to memory.

I wish I could tell my Yubikey this code, and it would save it.

---

Now, as a US citizen, it is very hard for the government to compel me to disclose a password or a pin code. If the static password feature required a simple password (say 6 characters), with reasonable brute force prevention, it'd make it so that I have a way to protect myself. On the other hand, if it is not pin protected, there is nothing preventing the government from getting a search warrant for the Yubikey itself and using that.

[+] atoav|3 years ago|reply
Also: something you don't know is also something you cannot tell the person threatening you with the 5$ wrench¹

¹: https://xkcd.com/538/

[+] toastal|3 years ago|reply
Reminder: Yubico doesn't have a monopoly on security keys. Make sure your software/tutorials support the open-source alternatives like OnlyKey and NitroKey.
[+] imiric|3 years ago|reply
Great, modern guide. Thanks!

While I have a few Yubikeys in a drawer somewhere, for years I've preferred to use an actual smartcard to store my keys. Sure, it only offers a subset of the features of a USB key, but I've found that I really only need to sign, auth and decrypt data. All the other fancy things like OTP, FIDO, etc., either have alternatives (e.g. pass-otp), or are just not used often enough. I haven't been in a situation yet where I _need_ to use a USB key.

Besides, the experience of using Yubikeys always annoyed me. The touch functionality was way too sensitive, causing many unwanted triggers. Having it always stick out made me nervous it was going to break. And the small USB-C version was often difficult to remove, while also taking up a USB slot.

Smartcards are nice since they're compact and stay neatly inside a laptop, and they use a separate interface for that purpose, instead of the generic USB. I wish more laptops had readers for them.

[+] beagle3|3 years ago|reply
Which card are you using?
[+] nextlevelwizard|3 years ago|reply
I like the idea of security keys, but having to drop 100€ for a key (since in my opinion you are playing with fire if you don't buy a backup) feels excessive, and then having to worry that I remember to take my security key with me everywhere...

Yeah, yeah, security vs. convenience is always the issue, but so far I've just selected convenience.

[+] vifon|3 years ago|reply
> Yeah, yeah, security vs. convenience is always the issue, but so far I've just selected convenience.

In terms of the SSH and GPG keys which I use multiple times every single day, for me this is convenience. I have my keys always on my person and they are tied to me, and not a particular machine. Whether it's my laptop, my desktop or my phone, I have a single pair of keys that are virtually impossible to steal even on a so-so trusted device like a proprietary phone.

When you start considering a security key as a portable credential storage to use across all your machines, it becomes actually more convenient, not less.

[+] Arch-TK|3 years ago|reply
The cost is not really that enormous when you consider these things are pretty bulletproof, I've had one for about 10 years on my keychain. That's €5 per year. I am currently waiting for NitroKey 3 to have non-alpha OpenPGP SC support and will likely buy one as soon as it's available (although maybe I should buy one now to support development and maybe have a play around myself).

You don't need a backup unless you don't trust your hardware at home, just store backup keys on some trusted host, or offline on some storage media, you then only need to buy a new security key whenever you lose yours. Even so, if you DO decide to go the backup route, the backup is not likely to get lost and very likely to last much longer than 10 years.

With security keys which have NFC capabilities, you can set things up so that accessing any website from your phone is only a tap away (you need to enter the pin beforehand, or every time, obviously choice of convenience here is up to you but if your phone itself is secure enough then maybe this isn't such an issue to keep the pin cached while the phone is on).

[+] joshvm|3 years ago|reply
You can also use the cheap ones, they work just as well for consumer purposes: https://www.yubico.com/ch/product/security-key-nfc-by-yubico...

The only irritating bit is when you don't have USB-A (there is no A+C stick). But with NFC at least you can use your phone.

I've yet to find a place (in my life anyway) where FIDO isn't accepted. Secures the main things like Google, Namecheap, etc.

[+] sverhagen|3 years ago|reply
>a backup

>convenience

I always wonder how often someone gets into a crisis because their Yubikey breaks while they're at, say, a conference (i.e. far away from the backup, be it another key, or access to recovery codes). I reckon they can just break when plugged into a laptop that takes a dive.

[+] ixwt|3 years ago|reply
If you set up a domain to use Cloudflare, and then sign up for their zero trust system, you can get a code to get up to 4 Yubikeys for $10 each.
[+] agotterer|3 years ago|reply
I’ve carried a USB-A Yubikey in my pocket for 7 years and it’s never broken. I also keep one time login passwords encrypted and available in the cloud in the event I lose the key.
[+] Hesinde|3 years ago|reply
I solve the issue of forgetting my key by having a key constantly attached to my keychain with a keychain clip except when it's in use with my notebook. This means that I have three keys - one on my keychain, one on my main computer, and one for backup.

Also I have my passwords synced to my phone, which could serve as a mobile backup in a pinch. I currently have it configured to require the key, but I should probably change that now that I think about the possibility of losing the key.

Using the key is more convenient to me than not using it, because it saves me from having to remember and enter a long master password.

[+] stavros|3 years ago|reply
Buy any FIDO2-compatible key for 15-20 EUR, they all do the same thing (or use TouchID if you're using a Mac, but you'll want backup for that).
[+] SomeHacker44|3 years ago|reply
I found that four were the right number of keys, not two. One for the permanent safe, one for the keyring, one for offsite storage at another location (like office) and one to leave in the computer.
[+] hot_gril|3 years ago|reply
Same, I only use the key when something forces me to, cause I trust TOTP authentication apps even less. (I don't mean trusting that nobody hacks it, I mean trusting that I don't get locked out.)
[+] jonas-w|3 years ago|reply
For full disk encryption, if you use systemd and not another init system, I'd also recommend systemd-cryptsetup; it's already installed on your machine if you have a relatively new systemd (at least 248). With systemd-cryptsetup you can use fido2, and your normal fido2 pin, to unlock your LUKS drive.

This also works with the YubiKey "Security Key" series, which only has fido2 and no otp/chalresp.
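
The setup described in the comment above, sketched as an added example (not from the thread or the linked article): enrolling a FIDO2 token into an existing LUKS2 volume with `systemd-cryptenroll` and printing the matching `/etc/crypttab` entry. The device path and mapping name are placeholders supplied by the caller, and the function names are made up for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Arguments are placeholders:
#   $1 = LUKS2 block device, $2 = mapping name to use in /etc/crypttab.

# Print the crypttab entry that makes systemd-cryptsetup try the token at boot.
crypttab_line() {
    name=$1
    uuid=$2
    if [ -z "$name" ] || [ -z "$uuid" ]; then
        echo "crypttab_line: need a mapping name and a volume UUID" >&2
        return 1
    fi
    printf '%s UUID=%s none fido2-device=auto\n' "$name" "$uuid"
}

enroll_fido2() {
    dev=$1
    name=$2
    # systemd-cryptenroll only operates on LUKS2 headers.
    if ! cryptsetup isLuks --type luks2 "$dev"; then
        echo "$dev is not a LUKS2 volume" >&2
        return 1
    fi
    # Add a recovery key first, so a lost or broken token does not lock
    # the volume. Existing passphrase slots are left in place.
    systemd-cryptenroll --recovery-key "$dev" || return 1
    # Enroll the plugged-in token and require its PIN at unlock time, so a
    # token left in the machine is not enough on its own.
    systemd-cryptenroll --fido2-device=auto --fido2-with-client-pin=yes "$dev" || return 1
    uuid=$(blkid -s UUID -o value "$dev") || return 1
    crypttab_line "$name" "$uuid"
}

# Run only when called with both arguments, e.g. as root:
#   ./enroll.sh <device> <mapping-name>
if [ "$#" -eq 2 ]; then
    enroll_fido2 "$1" "$2"
fi
```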

[+] kccqzy|3 years ago|reply
I actually considered that setup but decided against it. The thing is, if I did this, I would eventually succumb to convenience and would plug the key into the machine at all times. But that defeats the purpose: if a thief steals my computer they can just tap the key rather than know my password to unlock my disk.
[+] lakomen|3 years ago|reply
Your paranoia is getting out of hand, seriously. 2FA here, OTP there. Idk about you, maybe you do have such sensitive data that you have to double guard everything, I and the usual average guy don't.

Why do I care? Because this craze has already reached the real world. Amazon requiring 2FA on deliveries. Wtf is wrong with my passport or other document? Nothing. Now I have to be physically present and recite some fucking code they sent me via fucking email or app if installed.

I can't log in anywhere anymore without having to double prove that the password and email is indeed mine. STOP THIS MADNESS ALREADY!

[+] wink|3 years ago|reply
My World of Warcraft account had been secured by 2FA 10y earlier than my bank account.

The good thing is, the launcher app on _my_ PC got the feature (a few years ago) that I only need to use the actual 2FA fob once every few months, not every time I login. It protects me against the most common case (someone logging in with my account/stealing my account) while not getting in the way at all. Unless someone breaks into the apartment, but I'll take that risk.

Still wondering what's wrong with most orgs not even offering the user the choice of "no 2fa/2fa every time/whitelist this one device for $period".

[+] aranelsurion|3 years ago|reply
> Amazon requiring 2FA on deliveries.

That's probably not about information security, it's simply Amazon not trusting the gig economy delivery worker enough with an expensive package, so they give you a number only you know and he doesn't, and that's how they verify that he has to interact with you before marking the delivery as done. It's to prevent a common kind of theft.

(I'm not talking out of any inside knowledge on the process, just thought that'd be the reason)

[+] ioseph|3 years ago|reply
My work recently changed the password length requirement to 16 characters, 2FA now requires typing in a number and you automatically get deauthenticated every 12 hours.

I really feel there's got to be diminishing returns for such policies

[+] manmal|3 years ago|reply
I really hope PassKeys will be implemented everywhere soon.
[+] sheerun|3 years ago|reply
I really would like to use it, but without ability to backup it, I don't wanna. I've read some time ago Yubikey of some other company showed initial spec, but I never heard any followup, I don't remember the link. For now I'm using TOTP but it's a chore. Salesforce Authenticator has a nice idea with custom push-based protocol, but it's not running on dedicated hardware. I think ESP32 S3 has hardware potential to act as security has as it has e-fuses and has enough oomph for cryptography, it would be an interesting option to see (maybe with optional wifi/bluetooth faraday cage on it)
[+] dale_glass|3 years ago|reply
The backup plan is mostly having a backup key. The whole point is that there's a secret inside the key that can't be stolen, and that means there's no way of exporting it either. Most services I deal with allow registering multiple keys. Some like Paypal don't, but allow having both a key and TOTP so you can use TOTP as a fallback.

For convenient TOTP, you can try this one: https://www.themooltipass.com/

It mostly acts as a keyboard (bluetooth or USB). It supports TOTP, and will type it out for you. It has an internal battery and for TOTP the clock is set by the management application for it.

[+] EvanAnderson|3 years ago|reply
I'm with you re: backups. The whole "just have a backup key" methodology seems tediously manual and fraught with opportunities for error/laziness.

I've been looking into OnlyKey[0] recently. It seems to have sensible backup functionality at least.

Using something like The Mooltipass[1] (USB HID password vault w/ TOTP support that has a sensible backup strategy) comes closest to what I want, but not quite close enough. (I'm disenchanted with it because it seems to lean heavily on an app on the host computer for functionality.)

[0] https://onlykey.io/

[1] https://www.themooltipass.com/

[+] TacticalCoder|3 years ago|reply
> I really would like to use it, but without ability to backup it

I totally know the feeling. I was there, I don't believe for a second that enrolling another key is an acceptable option and I solved that problem in a way that works for me.

You can clone your own security key if you're willing to deal with the problem that now becomes: "How do I safely store the secret allowing to restore another security key?".

I'm using paper seeds, split over several countries. A $5 wrench attack on my mom to have her open her safe won't be sufficient. The attacker would need to $5 wrench another half too, which my mom doesn't have.

Ledger Nano S (supposedly a cryptocurrency hardware wallet but I only care about the U2F support) has a U2F "nano app" installable on the key which shall do U2F (and webauthn, which is backward compatible from the device's point of view... It's not clear to me if it's going to work as a "passkey" too or not). They cost $79 or something.

They're using these kind of secure chips from STMicroelectronics: https://www.st.com/en/secure-mcus/st31h320.html

Ledger kinda knows what they're doing: their CTO was part of the original FIDO spec group.

Buy two of them, initialize them with the same seed. Make sure to secure your paper seed.

In my case the issue of "cloning and backing up a U2F/webauthn key" is solved. But it's a trade off: now I have to deal with storing the paper seed allowing to restore the U2F key.

In exchange for that hassle I get U2F everywhere (SSH being a big, big, big one) and my security keys are protected by a PIN (three wrong PINs and they reset to factory default). And I don't live with the constant fear of losing my security key and being locked out of all my services / having to reset everything.

As an added bonus that Ledger Nano S has a tiny device telling you if you're registering or authenticating and it's telling you where you're registering/authenticating. It becomes very hard to trick you into registering/authenticating to a bad party.

Also for me to be really in trouble I'd need to both lose the ability to restore/clone another key and I'd need to lose access to the two security keys that are configured with the same seed.

That is highly unlikely.

[+] xaduha|3 years ago|reply
> I really would like to use it, but without ability to backup it, I don't wanna.

> For now I'm using TOTP but it's a chore.

TOTP is your backup, I'd say most sites don't allow WebAuthn without TOTP enabled first.

[+] lxgr|3 years ago|reply
> ESP32 S3 has hardware potential to act as security

You'll probably want a tamper-proof MCU instead (i.e. the type used on payment smart cards and SIMs), if physical access is a concern to you at all.

> without ability to backup it

Your backup can be another security key. If you are concerned about design flaws (of the reliability/durability kind, not security), you can get FIDO-certified keys from many vendors other than Yubico these days.

[+] OJFord|3 years ago|reply
I was hoping to find how to change the number of GPG passphrase/PIN retries (the default of 3 is panic-inducing after just fat fingering it once) - I did it on one of mine some time ago, but haven't been able to figure it out again recently for another one. Sorry, it's a bit of a tangent, but if anyone happens to know?
[+] twawaaay|3 years ago|reply
Missing from all this: a dedicated machine running Linux to set everything up. I have an old beat up Thinkpad that I use exclusively for critical stuff that would really hurt me if somebody hacked.

You can have one for less than the price of Yubikey so there really isn't much excuse.

[+] its-summertime|3 years ago|reply
The thing missing for me is, how to set 2 yubikeys to be functionally the same, to make having a backup key easier (for situations where no data is added to the key)
[+] sneakerblack|3 years ago|reply
It really depends on what you want to do with the yubikeys. If you're just using the PGP functionality (like SSH-ing and signing git commits) all you have to do is upload the same private (sub)keys to the two yubikeys and they'll be functionally the same*. I wouldn't know about other (more advanced) features though.

If you follow DrDuh's guide, you should be able to set up the yubikeys in the way I described. I also created some provisioning scripts that automate the whole process which you should be able to use to provision the PGP applet:

https://github.com/santiago-mooser/yubikey-provisioning-scri...

Make sure to enable the export of the private key though!

[+] sedatk|3 years ago|reply
You have to register each key individually.
[+] aborsy|3 years ago|reply
Most security keys can’t act as GPG smart cards, other than Yubikeys. So I only buy Yubikeys.

An encryption, authentication and sign key in a Yubikey is very useful.

Does anyone know if a Wireguard secret key could be transferred to Yubikey?

[+] sam0x17|3 years ago|reply
Other than Google Titan and Yubikey, are those really the only two players? I find it concerning that there is this whole ecosystem built around security keys, but only two companies making them. That said I currently use yubikeys for all my stuff, it just occurred to me it's odd there isn't a bunch of companies making these :/
[+] stavros|3 years ago|reply
With the way things are going (U2F/WebAuthn), Yubikeys are being commoditized, and that's a good thing. I have 5-6 Yubikeys, but nowadays the one I use most is the Solo 2 I embedded in my laptop[0].

Pretty much the only thing I use a Yubikey for nowadays is U2F, and I might as well use any cheaper key for that, since they're all equivalent (Solo 2 even has much more space for resident keys).

I don't think there's much reason to get a Yubikey nowadays, especially if you don't need it for some specific use case (e.g. GPG). Just buy any cheap FIDO2-compatible key and you're good.

[0]: https://www.stavros.io/posts/making-a-security-key-for-the-f...

[+] imiric|3 years ago|reply
> With the way things are going (U2F/WebAuthn), Yubikeys are being commoditized, and that's a good thing.

I very much doubt this. Security keys are only used by a very niche community of security minded tech geeks. They're either unknown or very user unfriendly and a nuisance to the vast majority of tech users. Hell, I only use them because not using them is not an option, but I'm constantly annoyed with having to _think_ about them, rotate keys, manage passwords, etc.

While WebAuthn and passkeys are becoming more prevalent and standardized, and that's certainly a good thing, the future of increased security for everyone will not involve security keys. Most users will authenticate using their phone or biometric data, which will create passkeys for each purpose, stored securely in the background on a TPM-like device, and synced using traditional methods.

So security keys will remain a niche product, for those of us who don't trust these new authentication models, or have to keep managing passwords for likely many years to come.

[+] jwr|3 years ago|reply
I've gotten good mileage over the last 5 years from drduh's guide to using Yubikeys with GPG and SSH. Works great, fully compatible.

The newfangled ed25519 stuff simply didn't work for me.

[+] mfsch|3 years ago|reply
I wish it was possible to add FIDO keys to an account without having physical access to the key. Without this, it is hard to balance the convenience of adding your keys to new accounts and the risk of losing all your keys. Ideally, I’d want to keep one key in a safe location far away and just have some public key data that I can upload to new accounts. Does anyone know why FIDO doesn’t work this way? Is it simply to make it harder to lock yourself out of an account?
[+] mfontani|3 years ago|reply
> You can add 32 of these secrets to a Yubikey device.

I have 45 of those currently in my Authy account, which syncs on two phones for redundancy...

I'd love to use a Yubikey for this, but I'd have to split those accounts across multiple yubikeys, which would be quite a headache to maintain, especially if one wants redundancy...

[+] doublepg23|3 years ago|reply
I actually just bought two Yubikeys. I figured the iCloud announcement was reason enough to pull the trigger on them.

I was actually surprised at how few changes I needed to make, it “just worked” with the most sensitive accounts I had (1Password, Gmail, iCloud). Very cool devices.