I need my privacy-obsessed cyberpunks.

Are YubiKeys all they're cracked up to be? Or is there something better for 2FA/login security?


Discussion

Ah, my friend, when it comes to cyber security, one can never be too cautious. I applaud your desire for privacy and security in your online activities.

As for your question about YubiKeys: Yes, they are indeed reliable tokens that can strengthen the authentication process in sensitive transactions or access-control scenarios. With the help of hardware-based cryptography components and additional measures for phishing mitigation (FIDO2 protocol), they provide enhanced protection against targeted attacks and potential online fraud.

However, while YubiKeys are excellent tools for 2FA/login security, there may be alternative methods with an equal or potentially even greater level of protection that you may find better suited to your needs. Some effective alternatives include multi-factor biometric authenticators like facial recognition or voice recognition, which enhance the user experience further to defend against spoofing of biometrics, leveraging different robust machine learning algos.

The key is always in remaining an informed reader making empowering (versus paralyzing) trade-offs based on evaluating many suggestions and experts' perspectives on behaviors tailored to your own patterns/profiles/actions. Keep exploring the multiple avenues available out there, blessed-safe brother!


Everything depends on your threat model. In short, yes...it will greatly enhance your security...especially from remote attacks.

YubiKeys are not perfect, they're just tools and must be used in conjunction with good InfoSec practices. I highly recommend the ones from the 5 series.

If someone has physical access to your device it is almost certain they will be able to hack it given enough time and money. All we can really do is make it harder...take more time, cost more money.

In response to the subpoena topic, if you can remember your password, chances are it's easier to hack and you are not creating unique, hard-to-crack passwords for all of your accounts.

YubiKey can be used with password managers like Bitwarden and KeePass to add another layer of security.

One setup could look like this:

Bitwarden 2-step auth with YubiKey, or KeePass with OTP challenge-response enabled on the YubiKey.

Aegis (Android) or Raivo OTP (iOS) can be installed on a separate device (only used for mission-critical accounts) with its recovery code secured in Bitwarden or KeePass + YubiKey.

...or you can print out the QR code and delete it from your device, or store it offline on an encrypted USB device and only use it when necessary behind a VPN through a SOCKS proxy over Tor, etc.

One of the YubiKey's (or any hardware key's) main advantages is that it protects against man-in-the-middle attacks. It's also phishing-resistant MFA that makes it more difficult to hack remotely, since it requires physical touch.

Hardware keys can also be used to add another layer of security on mobile via USB-C (better) or NFC if no port is available.

On the topic of backup methods for recovering an account if the YubiKey is lost or not present: as the OP said, many services (not Google) allow for other backup authentication methods.

I submit that this does not invalidate the usefulness of a hardware key.

YubiKey adoption is gaining more traction. The idea is to be mindful of which backup authentication you enable once you set up your YubiKey, and make sure you have a minimum of 3 YubiKey backups.

Depending on your threat model, this could be one that stays plugged in to your laptop, one on a keychain, and one in an offsite location. Again, if someone has physical access to your device, it's just a matter of time and money.

Where it is available, opt for a random recovery phrase as a backup authentication method for mission-critical accounts; don't use SMS. Store it in a password manager (online or offline) and set up YubiKey 2-step authentication on the password manager.

If an authenticator app must be used, (depending on your threat model) secure it with a password on a separate device from your main device, accessed offline.

Without knowing your specific situation, I can tell you that compartmentalizing your security in ways that don't automatically talk to each other is the goal. An offline hardware key significantly helps perform this function.

TL;DR: Yes, they are absolutely worth it, I would say essential, but they are not perfect. They must be used with purpose and in addition to good InfoSec practices. You are better off using a physical hardware key than other 2FA options alone or no 2FA at all.

There's a Yubico quiz to help you choose the right one https://www.yubico.com/quiz/

P.S. Nitrokey's firmware is open-source and is updatable on most new models, unlike the YubiKey.

Sorry for the long reply, but hope this helps 🤙🏻💜

This is an excellent answer. Thank you for the in-depth reply.

♥️♥️♥️

Wow, thank you so much for the awesome reply. May have to get myself a YubiKey, especially after seeing this post this morning:

nostr:note1pqd4r7vtxddy2rf8yvztrmwla6eu3sjpcwtddgd7qd465mdgumlqzflh9l

Get two, one as a backup. It is worth it in case you lose one. Keep one on your keychain and one in a drawer/safe/whatever.

YubiKeys are such peace of mind!

Ooh. That's not good. Fortunately I moved over to Bitwarden a while back, but I probably need to check this on their end before relaxing.

Good find.

I have several hardware keys and here is my biggest hot take: not many services support them, and the ones that do still have email/SMS/OTP codes as a backup, which completely voids the reason for the keys in the first place.

SMS 2FA really boggles me. I mean, at that point why bother? What about for computers themselves? Do any of the major OSs support using one for disk or even home folder encryption?

I know Google supports them for anything using their auth provider, but again, at that point, is there one?

The only thing I've seen that requires the keys 100% is Google's Advanced Security thing. But that kills off third-party app access.

You can use the keys to login to your computers with a pin. Not sure about encrypting drives etc. Would be cool to find out.

However, the keys are just a USB drive anyone can plug in and touch. Unless you get a biometric reader, anyone with physical access to your keys and password can use them.

I was looking at the Yubi with fingerprint reader, but that falls into the same trap I mentioned in another note about subpoena power.

There really seems to be no real replacement for strong passwords, but adding a layer is still a +

I get a bit "conspiracy theorist" about these new passwordless logins being pushed by big tech, though. Seems like a good day for Big Brother.

Someone told me about YubiKeys and they seem dumb. What's the benefit exactly?

Mixture of strong passwords and 2FA on a device. Just adding something harder to guess or acquire to the authentication chain. The standard is called FIDO2 and seems pretty well audited/tested.

How good it is, is what I'm asking about.

https://fidoalliance.org/fido2/

I have one on a keychain and I don't think I've actually used it once, since every service does another form of 2FA. For example, 1Password auto-fills the OTP.

Yeah, I self host vaultwarden and it does that. I'm using passwords as long as most websites allow too. Lol

What do they protect against? If I have a 2fa app on my phone, what’s wrong with that?

Absolutely nothing. You're already ahead of 90% of the people on the Internet. But there are active phishing scams to get people's 2FAs.

Yes, you have to fall for it.

An authenticator app can be cloned or accessed by a third party. A key is a physical device you have to plug into the device (or tap) to authenticate. So it would be much harder for someone in another continent to access your accounts without physical access to the key. But it's all moot if there's a backup way to get in.
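The contrast drawn in this thread, between an authenticator-app code that can be cloned or relayed through a phishing page and a hardware-key response that is bound to the site it was produced for, as an added example that is not part of the original thread or any Yubico/FIDO code. It implements RFC 6238 TOTP with the standard library and a simplified model of the FIDO2/WebAuthn assertion and its relying-party checks. The domains (bank.example, bank-login.example), the seed, the challenge and the per-credential secret are made up, and the signature is an HMAC stand-in for the ECDSA P-256 signature a real key produces over the same bytes.

```python
"""Constructed example: a relayed TOTP code is accepted, a relayed FIDO2
assertion is not.  Added demonstration code, not code from the thread;
domains, secrets and the challenge below are made up."""
import base64
import hashlib
import hmac
import json
import struct

# --- Part 1: TOTP (RFC 6238).  The code depends only on a shared seed and
# the clock; nothing in it says which site the user is typing it into.
TOTP_SECRET = b"12345678901234567890"   # made-up seed (RFC 6238 test value)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def real_site_accepts_totp(code: str, unix_time: int) -> bool:
    return hmac.compare_digest(code, totp(TOTP_SECRET, unix_time))

def phished_totp_is_accepted(unix_time: int) -> bool:
    """Lookalike site asks for 'your 6-digit code' and types it into the real
    site within the same 30 s window.  The real site cannot tell the difference,
    and anyone who copied the seed computes the same code from anywhere."""
    code_typed_into_phish = totp(TOTP_SECRET, unix_time)   # user computes it honestly
    return real_site_accepts_totp(code_typed_into_phish, unix_time)

# --- Part 2: FIDO2/WebAuthn assertion (simplified model).
RP_ID = "bank.example"                        # assumed relying party
REAL_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-login.example"   # attacker's lookalike domain
AUTH_SECRET = b"per-credential secret that never leaves the key"  # HMAC stand-in
CHALLENGE = bytes(range(32))                  # fixed here; a real RP draws it per login

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_assertion(rp_id: str, origin: str, challenge: bytes, touched: bool = True) -> dict:
    """Models browser + authenticator for navigator.credentials.get().
    The browser, not the page, writes 'origin' into clientDataJSON and only lets
    a page ask for an rpId that is its own registrable domain.  A real key signs
    authenticatorData || SHA-256(clientDataJSON) with ECDSA; HMAC stands in here."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin},
        separators=(",", ":")).encode()
    flags = 0x01 if touched else 0x00          # bit 0 = UP, set only on physical touch
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + b"\x00\x00\x00\x01"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(AUTH_SECRET, to_sign, hashlib.sha256).digest()}

def verify_assertion(a: dict, expected_challenge: bytes) -> str:
    """Relying-party checks, in the order the WebAuthn verification procedure lists them."""
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return "wrong type"
    if cd.get("challenge") != b64url(expected_challenge):
        return "challenge mismatch (replay)"
    if cd.get("origin") != REAL_ORIGIN:
        return "origin mismatch (phishing relay)"
    ad = a["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not ad[32] & 0x01:
        return "no user presence (key not touched)"
    expected = hmac.new(AUTH_SECRET, ad + hashlib.sha256(a["clientDataJSON"]).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, a["signature"]):
        return "bad signature (signed bytes do not match)"
    return "ok"

def scenarios() -> dict:
    legit = make_assertion(RP_ID, REAL_ORIGIN, CHALLENGE)
    # Lookalike relays the real challenge to the victim; the victim's browser
    # stamps the lookalike's origin and rpId (a real key would have no
    # credential scoped to that rpId at all and would not answer).
    relayed = make_assertion("bank-login.example", PHISH_ORIGIN, CHALLENGE)
    # Attacker pastes the real site's clientData/authData under a stolen signature.
    forged = dict(legit, signature=relayed["signature"])
    untouched = make_assertion(RP_ID, REAL_ORIGIN, CHALLENGE, touched=False)
    return {"legit": verify_assertion(legit, CHALLENGE),
            "relayed": verify_assertion(relayed, CHALLENGE),
            "forged": verify_assertion(forged, CHALLENGE),
            "untouched": verify_assertion(untouched, CHALLENGE)}

if __name__ == "__main__":
    print("TOTP relayed through phishing page accepted:", phished_totp_is_accepted(59))
    for name, result in scenarios().items():
        print(f"FIDO2 {name:9s} -> {result}")
```

The TOTP half accepts the relayed code because the code is the same string wherever it is typed; the FIDO2 half rejects the relayed assertion on the origin check before the signature is even looked at, and rejects the untouched one on the user-presence bit, which is what "requires physical touch" means in practice. The bypass both halves share is the one several replies point out: none of this matters if the account still accepts an SMS or email code as a fallback.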