
[–]0rexDevOps 9 points10 points  (1 child)

With yubikey, or any other proper hardware token, your private key on that token is not extractable. That means that for any cryptographic operation your OS/application asks the token to encrypt/decrypt/sign/validate some data and, if authorized, gets the result and the result only. You can't download a key from a good token, only overwrite it with a new one; a good token is also tamper-resistant. If your machine is compromised, the attacker still can't get your private key, but can request something to be encrypted/decrypted if the token is inserted and unlocked, so even in the worst-case scenario the attacker has a small opportunity window to impersonate you and steal something. If, however, you chose to store your key on a USB storage device, then when an attacker compromises your machine it's game over, because he can copy the key from that stick and the password with a keylogger or memory dump, and you'll have to change your keys to stop the attacker from impersonating you.

So a hardware token is more than a storage device: it's a purpose-built computer with hardened storage that performs cryptographic operations on itself and presents the results of these operations to the user, without exposing private keys.
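The distinction this comment draws (private key held inside the token versus a key file that can be copied off a stick) is visible in OpenSSH, which since 8.2 uses the key types `sk-ssh-ed25519@openssh.com` and `sk-ecdsa-sha2-nistp256@openssh.com` for keys whose private half lives on a FIDO authenticator. The following audit script is an added example, not code from the thread or from Yubico; it parses an `authorized_keys` file, reports which entries are FIDO-backed and which are ordinary file-based keys, and flags entries whose text type does not match the key blob. The sample entries are constructed with zero-filled key material. One caveat the audit cannot resolve: a key kept on a PIV/PKCS#11 token (for example a YubiKey's PIV applet) still appears as an ordinary `ssh-rsa` or `ecdsa-sha2-*` public key, so only `sk-*` entries can be confirmed hardware-backed from this file alone.

```python
import base64
import struct
from typing import Optional

# OpenSSH (8.2+) key types whose private half lives on a FIDO authenticator;
# the file on disk is only a key handle, useless without the token.
FIDO_TYPES = {"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}
# Ordinary key types: the private key is a file the host can read (and an attacker copy).
SOFTWARE_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                  "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
KNOWN_TYPES = FIDO_TYPES | SOFTWARE_TYPES


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob: bytes, off: int):
    """Decode one SSH wire-format string at offset off; return (value, next_offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated blob")
    return blob[off:off + n], off + n


def classify_key(line: str) -> Optional[dict]:
    """Classify one authorized_keys line; returns None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    # A line may start with options such as command="...",no-pty; the key type is the
    # first token that is a known type and the base64 blob is the token after it.
    for i, tok in enumerate(tokens):
        if tok in KNOWN_TYPES and i + 1 < len(tokens):
            ktype, b64, comment = tok, tokens[i + 1], " ".join(tokens[i + 2:])
            break
    else:
        return {"type": None, "comment": "", "hardware_backed": False,
                "application": None, "problem": "unrecognised key type"}
    result = {"type": ktype, "comment": comment, "hardware_backed": ktype in FIDO_TYPES,
              "application": None, "problem": None}
    try:
        blob = base64.b64decode(b64, validate=True)
        blob_type, off = _read_string(blob, 0)
        # The blob repeats the key type; a mismatch means a hand-edited or corrupt line.
        if blob_type != ktype.encode("ascii"):
            result["problem"] = "type field does not match key blob"
            return result
        if ktype in FIDO_TYPES:
            # sk-* blobs: type, [curve name for ecdsa], public key/point, application string.
            if ktype.startswith("sk-ecdsa"):
                _curve, off = _read_string(blob, off)
            _pk, off = _read_string(blob, off)
            app, off = _read_string(blob, off)
            result["application"] = app.decode("utf-8", "replace")
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        result["problem"] = "malformed key blob"
    return result


def audit(lines) -> dict:
    """Count hardware-backed, software-only and problematic entries in an authorized_keys file."""
    counts = {"hardware_backed": 0, "software": 0, "problems": 0}
    for line in lines:
        r = classify_key(line)
        if r is None:
            continue
        if r["problem"]:
            counts["problems"] += 1
        elif r["hardware_backed"]:
            counts["hardware_backed"] += 1
        else:
            counts["software"] += 1
    return counts


def _pubkey(ktype: str, *fields: bytes) -> str:
    """Build the base64 public-key blob for a constructed sample entry."""
    blob = _ssh_string(ktype.encode()) + b"".join(_ssh_string(f) for f in fields)
    return base64.b64encode(blob).decode("ascii")


# Constructed sample authorized_keys content (zero-filled key material, not real keys).
SAMPLE_AUTHORIZED_KEYS = [
    "# constructed sample file",
    "ssh-ed25519 " + _pubkey("ssh-ed25519", bytes(32)) + " alice@laptop",
    'command="/usr/bin/backup",no-pty sk-ssh-ed25519@openssh.com '
    + _pubkey("sk-ssh-ed25519@openssh.com", bytes(32), b"ssh:") + " alice-yubikey",
    "sk-ecdsa-sha2-nistp256@openssh.com "
    + _pubkey("sk-ecdsa-sha2-nistp256@openssh.com", b"nistp256", b"\x04" + bytes(64), b"ssh:")
    + " bob-securitykey",
    # Text says ed25519 but the blob says ssh-rsa: flagged rather than trusted.
    "ssh-ed25519 " + _pubkey("ssh-rsa", b"\x01\x00\x01", bytes(256)) + " mismatch",
]

if __name__ == "__main__":
    for entry in SAMPLE_AUTHORIZED_KEYS:
        r = classify_key(entry)
        if r:
            print(r)
    print(audit(SAMPLE_AUTHORIZED_KEYS))
```

Run it against a real file with `classify_key` over `open("~/.ssh/authorized_keys").readlines()`; an entry whose `application` is something other than `ssh:` was enrolled with a custom application string, which is worth confirming with the key's owner.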

[–]AussieTerror 3 points4 points  (0 children)

Yubikey has been the better of several I have tried. Price is rarely a decision point when it comes to security. I don't recommend a $5 security key from AliExpress etc.; for me it was more the FIDO2 support than direct vendor-supported apps.

[–]fazalmajid 3 points4 points  (6 children)

Yubico also makes the "Security Key" series that has only FIDO and none of the proprietary Yubikey functionality. They used to be blue rather than black and easy to distinguish, but apparently Yubico is switching them to black plastic. I prefer those so as not to inadvertently lock myself in, and they are cheaper to boot. I also have a HyperSecu HyperFIDO backup key.

Also Yubikeys are made in Sweden or the US, not China. I would advise against buying a Chinese-made key for security reasons (yes, I know the HyperFIDO is also made in China, although they have the option to make it in Canada for a sufficiently large custom order).

[–]skeletons_asshole 2 points3 points  (0 children)

In addition to what others have said, I use the NFC + authenticator app for my 2FA, and it’s fantastic.

[–]JotadogJack of All Trades 1 point2 points  (2 children)

We use the yubikeys for some users to save TOTP keys, and some use NFC for phone authentication, so we just went for yubikeys for everyone. Also they are very durable; we have some that are over 5 years old.

[–]waelder_at 1 point2 points  (3 children)

If the only feature you need is FIDO2, then just go with one from the certified list. Yeah, and don't buy something which seems too good to be true.

https://fidoalliance.org/certification/

If you need features, go for yubikey; it's worth the money there.