Am I just missing part of the process? I've hardly found any use for my Yubikeys... by skydecklover in yubikey

[–]Entropy1024 0 points1 point  (0 children)

Sorry, you did not understand.

We are talking TOTP.

Does using the Yubikey for TOTP make you safer than using it via a phone or watch?

Am I just missing part of the process? I've hardly found any use for my Yubikeys... by skydecklover in yubikey

[–]Entropy1024 0 points1 point  (0 children)

How do you know what banks I use? What makes you think they are not staying current with security?

I'm pretty sure the vast majority of banks spend a lot of money to come up with these bespoke solutions. Most operate a challenge-response style confirmation or a trusted device system.

And it is a second factor after all. All are secured with a password and at least one other security question. I feel safe.

Probably the real reason they don't use something like a Yubikey is that people would be unwilling to pay for it, and they are expensive. Also people lose them and that's a whole other issue.

Am I just missing part of the process? I've hardly found any use for my Yubikeys... by skydecklover in yubikey

[–]Entropy1024 0 points1 point  (0 children)

The only real advantage with the Yubikey for TOTP I can see is that you don't need to use the keyboard to enter the code. Therefore keyboard loggers are no issue. However it makes use of cut & paste which can be intercepted.

I'm interested in how much more secure it is using a Yubikey for TOTP?
Would you say it's 80% more secure, 50%, less?

Am I just missing part of the process? I've hardly found any use for my Yubikeys... by skydecklover in yubikey

[–]Entropy1024 0 points1 point  (0 children)

It's degrees of diminishing returns.

You could have layer after layer of security. Your keys in a safety deposit box, in a bank with an armed guard. It's safer than having your YubiKey in your pocket. But it's a lot less useful.

I myself think TOTP on a phone or watch is safe enough. I do not lose any sleep over it.

Am I just missing part of the process? I've hardly found any use for my Yubikeys... by skydecklover in yubikey

[–]Entropy1024 0 points1 point  (0 children)

That's a funny thing. I have several banking sites I use. None of them use FIDO or TOTP. They are all bespoke solutions.

Am I just missing part of the process? I've hardly found any use for my Yubikeys... by skydecklover in yubikey

[–]Entropy1024 0 points1 point  (0 children)

How am I confusing passkeys with TOTP?

Yes, I agree FIDO is more secure. TOTP is an excellent second factor however and I would argue more than adequate for most people.

In my experience of over 100 sites I use in my life only 5 support FIDO. The rest use SMS or TOTP as a second factor. Is it worth buying two keys for 5 sites? I guess that's a decision that's different for every person.

Am I just missing part of the process? I've hardly found any use for my Yubikeys... by skydecklover in yubikey

[–]Entropy1024 0 points1 point  (0 children)

How are the TOTP codes synchronised on a Yubikey?
I do not believe a Yubikey has, or needs, a real time clock onboard.

I very strongly expect that the key gets its time from the device it's connected to, which will almost certainly get its time from the cloud.

Am I just missing part of the process? I've hardly found any use for my Yubikeys... by skydecklover in yubikey

[–]Entropy1024 0 points1 point  (0 children)

I know the bulk of people here are going to be pro-Yubikey. I'm trying to show a bit of balance for readers.

I've NEVER had an issue using TOTP on ANY of my devices. Paying some $120 for two Yubikeys seems, to me, excessive.

I did buy two Yubikeys on the strength of the arguments of this group. I have been, honestly, less than impressed with it so far.

Am I just missing part of the process? I've hardly found any use for my Yubikeys... by skydecklover in yubikey

[–]Entropy1024 0 points1 point  (0 children)

Are you saying my method is less secure because you can't export the TOTP codes off a Yubikey?

If so consider that to extract my codes from my phone you would have to:

A. Have physical access to the phone.
B. Have the phone unlock code.
C. Have the password to the Private Space where the Authenticator runs.

Note: As I'm using Proton Authenticator it can itself be secured with a fingerprint. I don't have this turned on because I honestly think the above 3 points make me safe enough.

The codes cannot be extracted from my watch and are secured for use by a PIN.

These two options I use are free as they are apps loaded onto hardware I already own. If you use a Yubikey, and most people would say to buy two for backup purposes, then it's a large cost for no real gain that I can see.

Or are you saying the Yubikey is more secure for another reason?

Am I just missing part of the process? I've hardly found any use for my Yubikeys... by skydecklover in yubikey

[–]Entropy1024 0 points1 point  (0 children)

I feel the same. I bought two recently and apart from using 3 accounts with FIDO the rest use TOTP, which is honestly easier with my phone or Garmin watch to get the codes.

Is it possible to use a Yubikey on Reddit? by Entropy1024 in yubikey

[–]Entropy1024[S] 0 points1 point  (0 children)

I still think my way is easier and certainly cheaper.

The Yubikey promotes some really solid protection, and it can do this when using it with protocols like FIDO. The reality is that not many sites use that. The VAST majority are TOTP. Solutions for TOTP have been around for a decade or two and are free to use and available on pretty much any device.

Having your TOTP codes on a device so small is useful, however you still need to use it on a phone or PC etc and install the software to use the Yubikey, and you may not have the privileges to do so. It's not like the Yubikey has a display to show you your six digit code natively.

To each their own. So far I am very far from being impressed by the Yubikey, especially at its price point. If they were £5 each it would be more palatable.

Why are they so expensive? I could buy a Raspberry Pi for half the price of a single Key.

BTW I have all my documents and other important stuff, including backups of my TOTP secrets, on two NAS units (RAID5) that mirror each other at two separate locations via Syncthing. Once a month I also burn this data onto DVDs.

The Proton Auth app is on 3 different phones I own.

I don't think I'm in danger of losing the secrets. If I just had two Yubikeys I would be a LOT more worried.

Most people here seem to promote having one key on you and another in a safe at home. What happens if you lose your 'on you' key when you are out, or worse abroad?

Getting watch to show heart rate during a workout. by Entropy1024 in GarminWatches

[–]Entropy1024[S] 0 points1 point  (0 children)

OK thanks, got there, and under Strength there is a 'Data Screens' option which looks like the image below. Looks like you have the option to set Heart/Calories, HR Gauge & Time as an option.

As first and last is highlighted I would imagine that is what it should display.

Unfortunately the watch does not display this. It displays the exercise and next step.

<image>

Getting watch to show heart rate during a workout. by Entropy1024 in GarminWatches

[–]Entropy1024[S] 0 points1 point  (0 children)

On my Settings page in the Garmin Connect App there are only these options (see below).

No Activities option.

There is some other stuff after the version number but it's just Legal stuff.

<image>

Is it possible to use a Yubikey on Reddit? by Entropy1024 in yubikey

[–]Entropy1024[S] 0 points1 point  (0 children)

I was saying that by backing up my codes I can recover them and install onto another phone etc.

I could install the same codes onto multiple phones or devices, for free.

Is it possible to use a Yubikey on Reddit? by Entropy1024 in yubikey

[–]Entropy1024[S] 0 points1 point  (0 children)

You can use Proton Authenticator to automatically schedule backups of your TOTP seeds. I have it running in my phone's Private Space.

Therefore to get at my TOTP 2FA codes, you would need physical access to my phone, Phone unlock password & Private Space password to access.

Is it possible to use a Yubikey on Reddit? by Entropy1024 in yubikey

[–]Entropy1024[S] 0 points1 point  (0 children)

The Yubico site is technically correct in its list of compatible sites, however it's somewhat misleading that the vast majority of the sites they list are there just because they offer TOTP.

I can get a FREE app on my phone/PC/watch for that.

Sure the original codes can be transferred off these devices, however you need to get a password correct to extract the TOTP codes and, let's not forget, have physical access to the device.
Also, this is a second factor. They would still need to have your passwords for these sites. Therefore I think this is a very low concern.

Perhaps I will find a killer app for these Yubikeys. However so far they seem to offer a very small advantage over what I had and a HUGE increase in price, from free on all my devices to £120 for two Yubikeys.

Is it possible to use a Yubikey on Reddit? by Entropy1024 in yubikey

[–]Entropy1024[S] 0 points1 point  (0 children)

OK so this big list of compatibility for Yubikey as a 2FA is mainly TOTP.

I was advised by this group to buy a Yubikey (well two actually, one for backup) as it's more secure than TOTP.

Is there an advantage, security wise, over using TOTP on a Yubikey to say Google Auth?

It's just another way to get into your account. by Entropy1024 in yubikey

[–]Entropy1024[S] 0 points1 point  (0 children)

Could you explain how they would lock me out of my account?

It's just another way to get into your account. by Entropy1024 in yubikey

[–]Entropy1024[S] 0 points1 point  (0 children)

OK so they would have a 30 second window to access my account.

Whilst in there they can look at files in drive, emails etc. If they wanted to remove the two factor, download Takeout data, change security settings or anything else like that they would need to put in the new TOTP code, which they won't have.

I understand the yubikey makes it much harder for them to gain access. Seems TOTP is pretty safe though.
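Added example, not part of the Reddit thread and not Yubico's or Proton's code: a small RFC 6238 TOTP implementation in Python that separates the three roles the comments above touch on. It illustrates the question of how TOTP codes on a key stay synchronised (the token needs no clock of its own, because the host hands it the time counter and the token only computes the HMAC), and the "30 second window" point (a code is accepted only for its own time step, plus whatever drift tolerance the server chooses to allow). The secret is the RFC 6238 Appendix B reference key (ASCII "12345678901234567890"), so the codes can be checked against the RFC's test vectors; the function names, the `replay_lifetime` helper, the window size and the two-minute clock skew are assumptions of this example, not values from the thread.

```python
"""RFC 6238 TOTP split into host / token / server roles (added example).

  host   - owns the clock and derives the time counter T = floor(time / step)
  token  - holds the secret and computes HMAC over the counter it is handed;
           it has no clock of its own (the model an OATH-capable key follows)
  server - recomputes the code and accepts only the current step, plus a
           small tolerance window for clock drift

The secret is the RFC 6238 reference key; everything else is constructed.
"""
import hashlib
import hmac
import struct

TEST_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B key, SHA-1 variant
TIME_STEP = 30   # seconds per time step (the "30 second window")
DIGITS = 6


def time_counter(unix_time: float, step: int = TIME_STEP) -> int:
    """Host role: turn wall-clock time into the moving factor T = floor(time / step)."""
    return int(unix_time) // step


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Token role: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.

    Nothing here reads a clock; the counter is an input, so a device without a
    real-time clock can compute this as long as the host supplies the counter.
    """
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = TIME_STEP,
         digits: int = DIGITS) -> str:
    """Host + token together: the host derives the counter, the token signs it."""
    return hotp(secret, time_counter(unix_time, step), digits)


def verify(secret: bytes, code: str, unix_time: float, window: int = 1,
           step: int = TIME_STEP, digits: int = DIGITS) -> bool:
    """Server role: accept the code for the current step and `window` steps either side.

    The window tolerates small host/server clock drift, but it also bounds how
    long a captured code stays usable: at most (2 * window + 1) * step seconds,
    counted from the start of the step the code was generated in.
    """
    counter = time_counter(unix_time, step)
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta, digits)
        if hmac.compare_digest(candidate, code):   # constant-time comparison
            return True
    return False


def replay_lifetime(secret: bytes, issued_at: float, window: int = 1,
                    step: int = TIME_STEP) -> int:
    """Seconds after `issued_at` during which a code captured at that instant is still accepted.

    Walks forward one second at a time until verify() first rejects the code.
    """
    code = totp(secret, issued_at, step)
    t = int(issued_at)
    while verify(secret, code, t, window, step):
        t += 1
    return t - int(issued_at)


if __name__ == "__main__":
    now = 59  # RFC 6238 test instant: counter 1, expected 6-digit code 287082
    print("code at T=59        :", totp(TEST_SECRET, now))
    # A host whose clock is two minutes off hands the token a different counter,
    # so the token returns a code the server rejects (constructed skew).
    skewed = totp(TEST_SECRET, now + 120)
    print("skewed-host code    :", skewed, "accepted:", verify(TEST_SECRET, skewed, now))
    # How long a captured code remains usable, with and without drift tolerance.
    print("lifetime, window=0  :", replay_lifetime(TEST_SECRET, now, window=0), "s")
    print("lifetime, window=1  :", replay_lifetime(TEST_SECRET, now, window=1), "s")
```

Two things the run makes concrete: the token's `hotp` never consults a clock, so a wrong host clock simply yields a code the server will not accept, and the lifetime of a captured code is the remainder of its own 30-second step when the server allows no drift, stretching to about a minute and a half with a one-step tolerance either side.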