vifon

> I don’t see any use case or security benefits by using the static password feature. Even if you enter a password manually and concatenate it with the password of the Yubikey, a keylogger still gets both parts (assumption: You don’t reuse passwords).

If keylogger is what you're defending from, yes, it doesn't help. And in this scenario you've probably already lost.

On the other hand, it makes a large portion of the password immune to video-recording you typing the password in. Yes, it's technically trivial to then steal your Yubikey, extract the static password and combine it with the recorded one, but these are still quite some extra steps.

My point is, if a particular service or application doesn't support anything more refined, using a static password as a pepper[0] is perfectly fine and still an improvement over not doing so.

[0] https://en.wikipedia.org/wiki/Pepper_(cryptography)

sargun

The static password feature would actually be perfect with a few small alterations.

I use Apple's Advanced Data Protection product. This product gives you a 64-character code you must know. I am probably not capable of committing this code to memory.

I wish I could tell my Yubikey this code, and it would save it.

---

Now, as a US citizen, it is very hard for the government to compel me to disclose a password or a pin code. If the static password feature required a simple password (say 6 characters), with reasonable brute force prevention, it'd make it so that I have a way to protect myself. On the other hand, if it is not pin protected, there is nothing preventing the government from getting a search warrant for the Yubikey itself and using that.

atoav

Also: something you don't know is also something you cannot tell the person threatening you with the 5$ wrench¹

¹: https://xkcd.com/538/

PaulWaldman

Aren't you always vulnerable in this scenario?

If you have your device in your possession, you also likely have your key in your possession in order to use your device.

thesuitonym

If your threat profile really includes the possibility of getting hit by a wrench, you can devise a means of destroying the key quickly.

toastal

Reminder: Yubico doesn't have a monopoly on security keys. Make sure your software/tutorials support the open-source alternatives like OnlyKey and NitroKey.

hnarn

Mullvad VPN has announced that their sister company "Tillitis"[1] is working on a really interesting key and it looks like it's releasing pretty soon (2023-03-23).

From the website:

>The TKey™ is a new kind of USB security key inspired by measured boot and DICE.

>TKey™s design encourages developers to experiment with new security key applications and models in a way that makes adoption easier and less risky for end-users.

>TKey™ is and always will be open source hardware and software. Schematics, PCB design and FPGA design source as well as all software source code can be found on GitHub.

[1]: https://www.tillitis.se/ -- also "tillit" is Swedish for "trust" and "mullvad" is Swedish for "mole" (the animal).

nyolfen

do any other keys have feature sets on par with yubikeys? last i checked they were ahead by a mile, the others i looked at were just fido2 keys

evil-olive

so far, Yubikeys are the only ones I've found that support both FIDO2 / WebAuthn as well as GPG smart card functionality for use with pass(1).

they also support ed25519 FIDO SSH keys, whereas all the cheapo FIDO keys I've tested only support ecdsa-nistp256, but that's a relatively minor difference.

Nitrokey 3 claims that GPG smart card support is planned in an upcoming firmware update. once that's released I may bite the bullet on shipping costs and order one. 55€ shipping to the US for a 49€ key is cost-prohibitive for the most part.

palata

> Nitrokey 3 claims that GPG smart card support is planned in an upcoming firmware update. once that's released I may bite the bullet on shipping costs and order one. 55€ shipping to the US for a 49€ key is cost-prohibitive for the most part.

They have been claiming many things. I pre-ordered a Nitrokey 1.5 years ago, still haven't received it, and apparently during this time they have not implemented much.

https://www.nitrokey.com/blog/2023/nitrokey-3-status-update-...

meepmorp

Also, yubikey works as a PIV smartcard

jrm4

If they don't, that's more of a reason to use the OTHERS? You really don't want a monoculture here.

nyolfen

i would be happy to use the OTHERS if they were comparable products

password4321

Not really keys, but hardware wallets like Trezor or Ledger can do a lot of this for ~twice the price.

idiotsecant

Hardware wallet authentication is really one of the 'web3' technologies that just works and we could be deploying everywhere right now. It's miles better than yubikey spitting out a static password, has plugins for every major browser and mobile device platform, can do identity verification without specific site account setup, and of course the whole pile of (optional) web3 things with crypto.

lxgr

There are definitely alternatives, but OnlyKey doesn't seem to use secure hardware and has a few other problems too: https://news.ycombinator.com/item?id=21884184

The backup functionality (which requires encryption password entry on a computer, i.e. not the device itself) looks especially concerning.

manmal

Safari seems to have its own implementation of a virtual security key also. Before I plugged in my Yubico recently, Safari asked me for my fingerprint as a fallback.

ojkelly

That’s part of WebAuthN[0]. Some services like AWS will not allow virtual U2F keys to be registered, but most places do.

[0] https://developer.mozilla.org/en-US/docs/Web/API/Web_Authent...

lxgr

Not exactly – WebAuthN is the browser/JavaScript API, which can be provided by both platform authenticators (such as Safari on iOS and macOS, Chrome on Android and macOS etc.) and hardware/"roaming" CTAP2-compliant authenticators.

WebAuthN specifies the browser API, CTAP2 specifies the interface between an authenticator device/software implementation and a browser or other client, and FIDO specifies the behavior of the authenticator itself (including certification of attestation-capable authenticators).

zikduruqe

It works for Safari.

For AWS, I use Firefox and a FIDO key, and have a backup MFA as Safari using U2F.

hsbauauvhabzb

I’m unclear as to why we can’t use some sort of tpm for webauthn and distributed encrypted passwords for synchronisation.

Hell, even software based implementations which force domain checking would solve 99% of the problem…

ilyt

Technically, we can just use client certs, YK supports them (via smartcard emulation, you can also use that to auth via SSH), just it wasn't really there, ever, on UI front...

sedatk

or SoloKey

sowbug

Unfortunately SoloKey doesn't work as an OpenPGP smart card, which means it's not a real substitute for a Yubikey. I haven't had any luck with resident FIDO2, either.

The Solo team believes that other functionality such as PIV overlaps with GnuPG use cases, so that OpenPGP isn't a priority, and their work on that functionality appears to have stopped in 2021. That's too bad, because OpenPGP's network effects far outweigh its pure functionality, which means a technical substitute isn't a substitute.

https://github.com/solokeys/openpgp

ptman

Unfortunately my solokey2 is buggy even with latest firmware. Hw is much better than solokey1.

But there are indeed alternatives to yubikey. Anyone have experience with https://www.token2.com/shop/product/token2-t2f2-fido2-and-u2... ? 128 resident keys is much better than 25/50

aareet

I've found Solokey to be unreliable. Recently, for example, I learned that the Solokey 2 can't be added to iCloud as a security key

pmw

I have multiple Solo Key 2 devices. (I bought a Kickstarter 4-pack.) I use one of them regularly, and I successfully added it to iCloud as a security key. It has been 100% reliable.

In August 2022 they released a major firmware update. Maybe that addressed the iCloud incompatibility and reliability issues?

fsflover

Or Librem Key.

imiric

Great, modern guide. Thanks!

While I have a few Yubikeys in a drawer somewhere, for years I've preferred to use an actual smartcard to store my keys. Sure, it only offers a subset of the features of a USB key, but I've found that I really only need to sign, auth and decrypt data. All the other fancy things like OTP, FIDO, etc., either have alternatives (e.g. pass-otp), or are just not used often enough. I haven't been in a situation yet where I _need_ to use a USB key.

Besides, the experience of using Yubikeys always annoyed me. The touch functionality was way too sensitive, causing many unwanted triggers. Having it always stick out made me nervous it was going to break. And the small USB-C version was often difficult to remove, while also taking up a USB slot.

Smartcards are nice since they're compact and stay neatly inside a laptop, and they use a separate interface for that purpose, instead of the generic USB. I wish more laptops had readers for them.

beagle3

Which card are you using?

Mindless2112

If you're looking for a FIDO smartcard, I've been using this [1].

[1] https://shop.cryptnox.com/products/cryptnox-fido-2-card

imiric

On my laptop, this one[1]. While there's a model that supports NFC, I've found these don't work well with Password Store + OpenKeychain on Android. So I use a different unbranded one there. Don't remember where I bought it, but there's nothing special about it.

[1]: https://www.floss-shop.de/en/security-privacy/smartcards/

nextlevelwizard

I like the idea of security keys, but having to drop 100€ for a key (since in my opinion you are playing with fire if you don't buy a backup) feels excessive and then having to worry that I remember to take my security key with me everywhere...

Yeah, yeah, security vs. convenience is always the issue, but so far I've just selected convenience.

vifon

> Yeah, yeah, security vs. convenience is always the issue, but so far I've just selected convenience.

In terms of the SSH and GPG keys which I use multiple times every single day for me this is convenience. I have my keys always on my person and they are tied to me, and not a particular machine. Whether it's my laptop, my desktop or my phone, I have a single pair of keys that are virtually impossible to steal even on a so-so trusted device like a proprietary phone.

When you start considering a security key as a portable credential storage to use across all your machines, it becomes actually more convenient, not less.

nextlevelwizard

I am just not at all paranoid about my SSH keys. Those are password protected and the worst that you can do with them is to run some low yield miner on my machines. I guess you could "steal" my source code, but I publish it free on github anyway.

Maybe convenient if you are administrator or something, but for normal life seems unnecessary.

However I can see the appeal of having everything behind a physical factor

Arch-TK

The cost is not really that enormous when you consider these things are pretty bulletproof, I've had one for about 10 years on my keychain. That's €5 per year. I am currently waiting for NitroKey 3 to have non-alpha OpenPGP SC support and will likely buy one as soon as it's available (although maybe I should buy one now to support development and maybe have a play around myself).

You don't need a backup unless you don't trust your hardware at home, just store backup keys on some trusted host, or offline on some storage media, you then only need to buy a new security key whenever you lose yours. Even so, if you DO decide to go the backup route, the backup is not likely to get lost and very likely to last much longer than 10 years.

With security keys which have NFC capabilities, you can set things up so that accessing any website from your phone is only a tap away (you need to enter the pin before hand, or every time, obviously choice of convenience here is up to you but if your phone itself is secure enough then maybe this isn't such an issue to keep the pin cached while the phone is on).

joshvm

You can also use the cheap ones, they work just as well for consumer purposes: https://www.yubico.com/ch/product/security-key-nfc-by-yubico...

The only irritating bit is when you don't have USB-A (there is no A+C stick). But with NFC at least you can use your phone.

I've yet to find a place (in my life anyway) where FIDO isn't accepted. Secures the main things like Google, Namecheap, etc.

lxgr

That's one reason why I prefer USB-A security keys (it's just more ubiquitous at this point, and A-to-C adapters are readily available, while the reverse is out of USB spec).

The other is that USB-A has all moving parts in the socket (vs. in the cable-side plug), which presumably makes a USB-A key more reliable.

I've had USB-C keys break on me mechanically, so having an A-to-C adapter with moving parts on both sides seems like the best of both worlds (durable security key, durable device-side port, easily replaceable adapter).

sverhagen

>a backup

>convenience

I always wonder how often someone gets into a crisis because their Yubikey breaks while they're at, say, a conference (i.e. far away from the backup, be it another key, or access to recovery codes). I reckon they can just break when plugged into a laptop that takes a dive.

donkeyd

Most people have only their phones, which can also break. But some people only start thinking about that stuff when they look at alternatives like the Yubikey.

> they can just break when plugged into a laptop that takes a dive

So can the laptop at a conference. Or anything else really. I just remove my Yubikey after use and carry it in my wallet when not in use. Sure, I can lose my wallet, but I have multiple back-up options for the Yubikey, I mostly use it for convenience.

nextlevelwizard

In normal life losing access to your phone won't lock you out of everything. You still have all your other devices you can use AND you can always just walk into store and buy yourself a replacement and download your phone back from a backup.

Same with laptops. If you go to a conference and your laptop breaks. You can just go to nearest store and buy a new one. It will take couple hours, but you'll be up and running again.

With security key if you lose it you lose access immediately to your stuff and you probably can not get a new one with in 24 hours even if money wasn't an issue. Also after you get the key there is no way to authenticate yourself to the key in a way that you can just make it a copy of your previous key.

Wallet is the best example. If you lose your wallet you need to kill your credit cards and get a new ID. However this does not lock you out of anything. You can go to your bank and take out whatever amount of money you need and order a new card, this will be inconvenient for about week. With your ID it depends on the schedules. However there is clear path to recovery.

goodoldneon

YubiKeys are more fragile than phones. One time a drop of water got on my plugged-in YubiKey and it stopped working for 2 days

dale_glass

I've been using them for a long time and so far it's never happened, but yeah, the USB A version looks potentially vulnerable.

The USB C version looks more solidly made.

krupan

Yubikey hardware is surprisingly robust. Mine has been on my physical keychain for years, getting thrown around and banged up and it’s fine

ixwt

If you set up a domain to use Cloudflare, and then sign up for their zero trust system, you can get a code to get up to 4 YubiKeys for $10 each.

jrib

Is this still the case?

I came across this blog post about a similar offer: https://blog.cloudflare.com/making-phishing-defense-seamless...

but it now states:

> UPDATE: This offer expired on January 3rd, 2023 at 8am PST.

ngai_aku

Yeah, I don’t think it’s live anymore. I had the same feelings as gp re: up front price, so I went searching for deals and came across that cloudflare offer on Reddit. Several users have commented on the thread post-January 3rd stating that they tried and failed to unlock the deal

thesuitonym

Are these the good Yubikeys or the basic FIDO-only models?

piperswe

Back when this promo was still going on, they were the good ones

agotterer

I’ve carried a USB-A Yubikey in my pocket for 7 years and it’s never broke. I also keep one time login passwords encrypted and available in the cloud in the event I lose the key.

lxgr

I've had one USB-C key break on me in the past, and my replacement is already showing signs of wear. Fortunately it's not my only way to get back into my accounts if it breaks.

My (sample size 2) theory is that USB-C isn't the best connector for a security key, since it intentionally moves the wear-prone part (i.e. the dust-collecting and mechanical spring involving side) from the port to the cable.

USB-A is completely solid state, and most security keys use the "flat" variant of the plug that further reduces the chance of mechanical damage and/or collecting dust.

vladvasiliu

For a security key, sure, it's better for that side of the USB port to be more resistant.

But on the PC side, my old HP laptop used to have extremely tight USB A ports. I'd have to pull ridiculously hard on cables to disconnect them. Now the ports are fairly loose, to the point that my external drive sometimes disconnects...

The yubikey kinda dances around in that port. Luckily, I don't move the laptop too much, so the key tends to stay put, but it sometimes does lose contact when I need to touch it often.

fullstop

You can buy dust covers for USB-C male connectors.

hot_gril

Flat USB-A security keys are nice. But I've yet to subject mine to the bus test.

Hesinde

I solve the issue of forgetting my key by having a key constantly attached to my keychain with a keychain clip except when it's in use with my notebook. This means that I have three keys - one on my keychain, one on my main computer, and one for backup.

Also I have my passwords synced to my phone, which could serve as a mobile backup in a pinch. I currently have it configured to require the key, but I should probably change that now that I think about the possibility of losing the key.

Using the key is more convenient to me than not using it, because it saves me from having to remember and enter a long master password.

jonas-w

For full disk encryption, if you use systemd and not another init system, i'd also recommend systemd-cryptsetup, it's already installed on your machine if you have a relatively new systemd (at least 248). With systemd-cryptsetup you can use fido2, and your normal fido2 pin, to unlock your LUKS drive.

This also works with the YubiKeys "Security Key" series, that only have fido2 and no otp/chalresp.

kccqzy

I actually considered that setup but decided against it. The thing is, if I did this, I would eventually succumb to convenience and would plug the key into the machine at all times. But that defeats the purpose: if a thief steals my computer they can just tap the key rather than know my password to unlock my disk.

jonas-w

You normally have and you should have a fido2 pin, which is just a password. A thief would need your laptop, your security key, and the fido2 pin.

Here is an article (from yubico) about fido2 pins: https://support.yubico.com/hc/en-us/articles/4402836718866-U...

saltcured

This part can be frustrating for a novice adopting security keys. The key works out of the box without PIN. If you didn't come across the right guidance, you already enrolled keys without a PIN and now discover that you need to unenroll everywhere, set a PIN, and enroll again. And even with proper backup keys etc., it can be worrying whether you've forgotten some corner case and are about to lock yourself out somewhere by setting the PIN.

lakomen

Your paranoia is getting out of hand, seriously. 2FA here, OTP there. Idk about you, maybe you do have such sensitive data that you have to double guard everything, I and the usual average guy doesn't.

Why do I care? Because this craze has already reached the real world. Amazon requiring 2FA on deliveries. Wtf is wrong with my passport or other document? Nothing. Now I have to be physically present and recite some fucking code they sent me via fucking email or app if installed.

I can't log in anywhere anymore without having to double prove that the password and email is indeed mine. STOP THIS MADNESS ALREADY!

wink

My World of Warcraft account had been secured by 2FA 10y earlier than my bank account.

The good thing is, the launcher app on _my_ PC got the feature (a few years ago) that I only need to use the actual 2FA fob once every few months, not every time I login. It protects me against the most common case (someone logging in with my account/stealing my account) while not getting in the way at all. Unless someone breaks into the apartment, but I'll take that risk.

Still wondering what's wrong with most orgs not even offering the user the choice of "no 2fa/2fa everytime/whitelist this one device for $period".

bombcar

The whitelisting is really nice, and it's expanding more and more. I like "login once per device".

aranelsurion

> Amazon requiring 2FA on deliveries.

That's probably not about information security, it's simply Amazon not trusting the gig economy delivery worker enough with an expensive package, so they give you a number only you know and he doesn't, and that's how they verify that he has to interact with you before marking the delivery as done. It's to prevent a common kind of theft.

(I'm not talking out of any inside knowledge on the process, just thought that'd be the reason)

ioseph

My work recently changed the password length requirement to 16 characters, 2FA now requires typing in a number and you automatically get deauthenticated every 12 hours.

I really feel there's got to be diminishing returns for such policies

manmal

I really hope PassKeys will be implemented everywhere soon.

ryokeken

where does amazon require 2fa for deliveries or be present for it? in nj/ny doesn't seem to happen

aranelsurion

in Germany they do, but afaict usually only for expensive packages.

sheerun

I really would like to use it, but without ability to backup it, I don't wanna. I've read some time ago Yubikey of some other company showed initial spec, but I never heard any followup, I don't remember the link. For now I'm using TOTP but it's a chore. Salesforce Authenticator has nice idea with custom push-based protocol, but it's not running on dedicated hardware. I think ESP32 S3 has hardware potential to act as security has as it has e-fuses and has enough umph for cryptography, it would be interesting option to see (maybe with optional wifi/bluetooth faraday cage on it)

dale_glass

The backup plan is mostly having a backup key. The whole point is that there's a secret inside the key that can't be stolen, and that means there's no way of exporting it either. Most services I deal with allow registering multiple keys. Some like Paypal don't, but allow having both a key and TOTP so you can use TOTP as a fallback.

For convenient TOTP, you can try this one: https://www.themooltipass.com/

It mostly acts as a keyboard (bluetooth or USB). It supports TOTP, and will type it out for you. It has an internal battery and for TOTP the clock is set by the management application for it.

Mindless2112

Here [1] is Yubico's draft WebAuthn recovery ("backup authenticator") extension spec, which is possibly what you're thinking of.

[1] https://github.com/Yubico/webauthn-recovery-extension

EvanAnderson

I'm with you re: backups. The whole "just have a backup key" methodology seems tediously manual and fraught with opportunities for error/laziness.

I've been looking into OnlyKey[0] recently. It seems to have sensible backup functionality at least.

Using something like The Mooltipass[1] (USB HID password vault w/ TOTP support that has a sensible backup strategy) comes closest to what I want, but not quite close enough. (I'm disenchanted with it because it seems to lean heavily on an app on the host computer for functionality.)

[0] https://onlykey.io/

[1] https://www.themooltipass.com/

lxgr

> It seems to have sensible backup functionality at least.

The backup functionality seems to completely negate all security benefits of using separate/minimal security key hardware, since it requires passphrase entry on a computer and then exposes the backup file encrypted under that passphrase to the same computer.

EvanAnderson

You commission the device on an air-gapped device. If you type the password on a network-connected computer you’re doing it wrong. Bonus points for physically destroying the computer you commission the device on.

It’s just like commissioning an HSM.

TacticalCoder

> I really would like to use it, but without ability to backup it

I totally know the feeling. I was there, I don't believe for a second that enrolling another key is an acceptable option and I solved that problem in a way that works for me.

You can clone your own security key if you're willing to deal with the problem that now becomes: "How do I safely store the secret allowing to restore another security key?".

I'm using paper seeds, split over several countries. A $5 wrench attack on my mom to have her open her safe won't be sufficient. The attacker would need to $5 wrench another half too, which my mom doesn't have.

Ledger Nano S (supposedly a cryptocurrency hardware wallet but I only care about the U2F support) has a U2F "nano app" installable on the key which shall do U2F (and webauthn, which is backward compatible from the device's point of view... It's not clear to me if it's going to work as a "passkey" too or not). They cost $79 or something.

They're using these kind of secure chips from STMicroelectronics: https://www.st.com/en/secure-mcus/st31h320.html

Ledger kinda knows what they're doing: their CTO was part of the original FIDO spec group.

Buy two of them, initialize them with the same seed. Make sure to secure your paper seed.

In my case the issue of "cloning and backuping a U2F/webauthn key" is solved. But it's a trade off: now I have to deal with storing the paper seed allowing to restore the U2F key.

In exchange for that hassle I get U2F everywhere (SSH being a big, big, big one) and my security keys are protected by a PIN (three wrong PINs and they reset to factory default). And I don't live with the constant fear of losing my security key and being locked out of all my services / having to reset everything.

As an added bonus that Ledger Nano S has a tiny device telling you if you're registering or authenticating and it's telling you where you're registering/authenticating. It becomes very hard to trick you into registering/authenticating to a bad party.

Also for me to be really in trouble I'd need to both lose the ability to restore/clone another key and I'd need to lose access to the two security keys that are configured with the same seed.

That is highly unlikely.

sowbug

Have you tested this solution? Unless something has changed since the initial spec, each handshake includes a usage counter, which the relying party sees and is supposed to remember. If the usage counter ever fails to increase, then that means something weird happened (like two keys acting as one), and the site can reject you.

There are crude ways to deal with this issue, which are fine if you intend for the second to be used only in case of emergency.
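The counter check described in the comment above, as an added example that is not part of the thread or of any project mentioned in it. It parses the fixed header of WebAuthn authenticator data (32-byte rpIdHash, 1 flags byte, 4-byte big-endian signCount) and applies the WebAuthn rule that a non-zero counter must strictly increase. The two simulated keys, the RP ID `login.example.test`, and the premise that each clone keeps its own counter are assumptions; signature verification is assumed to have already passed.

```python
import hashlib
import struct
from dataclasses import dataclass

# Flag bits in the authenticator data "flags" byte (WebAuthn).
FLAG_USER_PRESENT = 0x01
FLAG_USER_VERIFIED = 0x04


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build the 37-byte authenticator data header (constructed sample input)."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)


def parse_authenticator_data(auth_data: bytes, expected_rp_id: str):
    """Return (flags, sign_count) after checking the RP ID hash and user presence."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    if rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    if not flags & FLAG_USER_PRESENT:
        raise ValueError("user presence flag not set")
    return flags, sign_count


@dataclass
class StoredCredential:
    """What the relying party remembers per registered credential."""
    credential_id: str
    sign_count: int = 0
    clone_warnings: int = 0


def check_sign_count(cred: StoredCredential, received: int) -> str:
    """Apply the WebAuthn signature counter rule and return a verdict.

    "no-counter": both values are zero, the authenticator has no counter.
    "ok": the counter strictly increased; the stored value is updated.
    "possible-clone": the counter did not increase. Whether to reject the
    login or only raise the risk score is relying-party policy.
    """
    if received == 0 and cred.sign_count == 0:
        return "no-counter"
    if received > cred.sign_count:
        cred.sign_count = received
        return "ok"
    cred.clone_warnings += 1
    return "possible-clone"


class SimulatedKey:
    """Stand-in for a hardware key. Assumption: clones initialised from the
    same seed share the credential but each keeps its own counter."""

    def __init__(self, name: str, rp_id: str):
        self.name = name
        self.rp_id = rp_id
        self.counter = 0

    def assertion(self) -> bytes:
        self.counter += 1
        flags = FLAG_USER_PRESENT | FLAG_USER_VERIFIED
        return build_authenticator_data(self.rp_id, flags, self.counter)


def simulate_cloned_keys():
    """Daily key logs in 3 times, the clone 4 times, then the daily key again."""
    rp_id = "login.example.test"  # hypothetical relying party
    stored = StoredCredential("constructed-credential-id")
    daily = SimulatedKey("daily", rp_id)
    backup = SimulatedKey("backup", rp_id)
    verdicts = []
    for key in [daily] * 3 + [backup] * 4 + [daily]:
        _flags, count = parse_authenticator_data(key.assertion(), rp_id)
        verdicts.append((key.name, count, check_sign_count(stored, count)))
    return verdicts


if __name__ == "__main__":
    for name, count, verdict in simulate_cloned_keys():
        print(f"{name:6} signCount={count} -> {verdict}")
```

The backup key is flagged until its own counter passes the stored value, after which the daily key is the one that gets flagged.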

xaduha

> I really would like to use it, but without ability to backup it, I don't wanna.

> For now I'm using TOTP but it's a chore.

TOTP is your backup, I'd say most sites don't allow WebAuthn without TOTP enabled first.

lxgr

> ESP32 S3 has hardware potential to act as security

You'll probably want a tamper-proof MCU instead (i.e. the type used on payment smart cards and SIMs), if physical access is a concern to you at all.

> without ability to backup it

Your backup can be another security key. If you are concerned about design flaws (of the reliability/durability kind, not security), you can get FIDO-certified keys from many vendors other than Yubico these days.

OJFord

I was hoping to find how to change the number of GPG passphrase/PIN retries (the default of 3 is panic-inducing after just fat fingering it once) - I did it on one of mine some time ago, but haven't been able to figure it out again recently for another one. Sorry, it's a bit of a tangent, but if anyone happens to know?

upofadown

According to this:

* https://github.com/drduh/YubiKey-Guide#configure-smartcard

... it is:

     gpg --card-edit

OJFord

Ah, thanks, it is described at the bottom of that section, but it's actually:

    ykman openpgp access set-retries 5 5 5 -f -a YOUR_ADMIN_PIN

(5 5 5 being the number of retries for encrypt/sign/auth)

Now, do I know my admin PIN...

computerfriend

No, it's the number of retries for the PIN, reset PIN and admin PIN.

denysvitali

By default it is 12345678 IIRC

twawaaay

Missing from all this: a dedicated machine running Linux to set everything up. I have an old beat up Thinkpad that I use exclusively for critical stuff that would really hurt me if somebody hacked.

You can have one for less than the price of Yubikey so there really isn't much excuse.

lxgr

What's the benefit of that?

The entire point of using a security key is that its security model can survive a point in time compromise of the device you are connecting it to, i.e. a compromise only persists as long as a (hopefully short-lived) session. But if a single session compromise is unacceptable to you, by the same token a security key can't protect you against that.

The only instance where a "more secure" computer might be necessary that I can think of is using a GPG smartcard (which the Yubikey supports) and importing a software key to that, as opposed to generating the key on the smartcard itself.

twawaaay

Whatever security system you have there is always a problem of original sin. This is when attacker happens to be present and prepared to hijack your initialisation process.

If an attacker has unrestricted access to your laptop or phone and you are trying to use this device to set up say your AWS root account, no amount of Yubikeys will help you. They can essentially craft everything you are seeing on the screen and intercept everything you are typing in. What they do with it only depends on their imagination but with the advent of AI powered tools I expect hacking tools are going to get much "smarter" very quickly.

A coworker lost all money he saved for many years for the downpayment on his apartment. He used his laptop to manage his banking and his phone to receive SMS messages. He logged in to his banking from his phone JUST ONCE. That was enough. Apparently, he had some kind of malware on his phone that was waiting in hiding for this exact occasion and the moment he logged in it intercepted the credentials and was able to transfer money out of his account with the codes he got on the same phone. It wasn't even targeted attack. And it was 10 years ago.

And as far as Yubikeys I would suggest they matter less than people think. They are useful concept but only if services providing MFA capability implemented it correctly. And as far as my experience goes, no large service I use at the moment implements this correctly.

The biggest problems are usually defaulting to SMS/email code if you indicate you've lost your Yubikey. Even for services that don't do this, there is usually some way to recover access anyway.

I have lost both my root password and two of my yubikeys to my AWS account. Guess what, couple phonecalls later I got my access back. It was stupid for me to lose my credentials (but it was empty account at that time) but it is not inspiring confidence in me that anybody with just the access to my phone number and possibly couple scraps of personal information can recover full access.

My strategy right now is to compartmentalise critical services that I use -- use separate device to access them, never use my other devices for this, use separate email and separate phone numbers. Never reveal to anybody the email and phone number. Never put anything that could create any interest for those services, emails, phone numbers, etc. Yubikeys are nice gimmick (that I use daily) but I honestly don't see them as doing much for my security.

lxgr

> If an attacker has unrestricted access to your laptop or phone and you are trying to use this device to set up say your AWS root account, no amount of Yubikeys will help you.

They will absolutely help against a persistent compromise of my accounts. For example, I can check all registered security keys from a different machine and network.

If only the ones I expect are present, I can click the (hopefully present) button "log out all sessions on all devices" and be reasonably certain that, at least from that point in time, nobody else has account access. And I can make sure that all of the ones present are in fact my keys by trying to authenticate with all of them.

Registering a new key will hopefully also trigger a big scary warning email/SMS/fax to me and/or additional security contacts.

> Even for services that don't do this, there is usually some way to recover access anyway.

As a user, I sure hope there is – it would be genuinely frightening to know that my account is unrecoverable if I lose all security keys linked to it! Hopefully, that process involves a lot of red tape and not just an SMS-OTP or sending a blurry scan of my birth certificate to an e-notary several timezones away.

f4n4tiX

For OTP secrets, you could add my yubikey-otp tool, which is a CLI tool for searching and adding otp secrets stored on your YubiKey to your clipboard: https://github.com/MarkusZoppelt/yubikey-otp

vermon

Since it mentions age and rage: there is also dage, a Dart implementation https://github.com/Producement/dage . Also there is age-yubikey-pgp which uses dage to allow you to use X25519 for file encryption/decryption https://github.com/Producement/age-yubikey-pgp

its-summertime

The thing missing for me is, how to set 2 yubikeys to be functionally the same, to make having a backup key easier (for situations where no data is added to the key)

sneakerblack

It really depends on what you want to do with the yubikeys. If you're just using the PGP functionality (like SSH-ing and signing git commits) all you have to do is upload the same private (sub)keys to the two yubikeys and they'll be functionally the same*. I wouldn't know about other (more advanced) features though.

If you follow DrDuh's guide, you should be able to set up the yubikeys in the way I described. I also created some provisioning scripts that automate the whole process which you should be able to use to provision the PGP applet:

https://github.com/santiago-mooser/yubikey-provisioning-scri...

Make sure to enable the export of the private key though!

sedatk

You have to register each key individually.

fullstop

This is trickier with TOTP, since you either have to have multiple keys on you or you have to save the TOTP seed / QR code until you have access to the other keys.

How to Yubikey - Hacker News