Are hardware security keys worth it? If so, which to pick?

This isn't strictly a privacy question so much as a security one, so I'm asking this in the context of individuals, not organizations.

I currently use OTP 2FA everywhere I can, though some services I use support hardware security keys like the Yubikey. Getting a hardware key may be slightly more convenient since I wouldn't need to type anything in but could just press a button, but there's added risk with losing the key (I can easily backup OTP configs).

Do any of you use hardware security keys? If so, do you have a good argument in favor or against specific keys? (e.g. Yubikey, Nitrokey, etc)

delirious_owl ,

Safer to use QubesOS and run keepass in a vault VM

federico3 ,

You are better off with an encrypted password store and a 2FA on a phone. You can back up both, easily, and they are both protected with fingerprints and/or global passwords.

ChallengeApathy ,

Don't go the fingerprint route if you care about your rights in the US. Biometrics, for some bizarre reason, don't fall under the Fourth Amendment.

johannesvanderwhales , (edited )

I bought a couple of yubikeys but haven't fully implemented yet. When 1password has full support for using a security key in place of a passphrase, I will consider using them as my primary unlock method.

I have to say that the Google Titan appears to be better bang for your buck than yubikeys. The FIDO2 yubikey is $55 which is pretty pricey considering you will probably want multiple. I'd be really curious if there's a strong argument against using the Google keys.

sugar_in_your_tea OP ,

The FIDO2-only device is $25 for USB A, $30 for USB-C and supports NFC. You only need the $50+ devices if you want Yubikey OTP, OpenPGP, etc, but if you just want FIDO and FIDO2, they're overkill.

johannesvanderwhales ,

So I get very confused over which protocol is which. I think the cheaper keys lack support for OAUTH, which is required for things like Windows login.

sugar_in_your_tea OP ,

Yes, they don't have OATH (not OAuth, that's a different thing), Smart Card, or PGP. I don't know what Windows uses (haven't used Windows in >10 years), but Linux can use FIDO IIRC.
