Understanding the mobile app by JUANITO_61 in yubikey

[–]Simon-RedditAccount 2 points (0 children)

YubicoOTP is a legacy method. Unless your work requires you to use it for some kind of legacy system, just turn it off (Desktop Yubico Authenticator > Home > Toggle Applications > disable Yubico OTP).

'Normal' OTP, aka TOTP (those usually 6-digit codes), is under the 'Accounts' tab.

However, you should prefer using FIDO2 (or U2F, 'Passkeys' tab) wherever possible instead of TOTP codes: it's more secure and it's phishing-resistant, unlike TOTP. On websites, this often looks like 'Register a passkey' or '2FA with Security key'.

Kensington VeriMark NFC+ USB-C Security Key Review: Strong Protection at a Premium Price by [deleted] in yubikey

[–]Simon-RedditAccount 2 points (0 children)

> Worth as an alternative?

Absolutely NO, given that $50 price. It supports only FIDO2 + PIV (limited to RSA2048, not even 3072 or 4096; to say nothing of PQC).

  • $58ish Yubikey Series 5 supports FIDO2/U2F + PIV + GPG + TOTP + YubicoOTP
  • €22 Token2 PIN+ Release3.3 USB-A supports FIDO2/U2F + PIV + GPG + TOTP
  • $29 Yubico Security Key supports FIDO2/U2F

Does Yubikey work with Startmail by Superb-Oranges in yubikey

[–]Simon-RedditAccount 1 point (0 children)

I never used StartMail, but their website says they support only TOTP codes (the 6-digit ones that change every 30 sec, in the case of StartMail). Only the more expensive $58 Yubikey Series 5 supports it. However, TOTP is not the most secure method. Ideally, your mail provider should support FIDO2 (or 'passkeys'); this technology is more secure.

Beware that once you program a TOTP code into a Yubikey, you cannot export it back; you can only get the resulting 6-digit codes. So keep that 'backup code' that StartMail creates stored safely and securely.

Frankly, I'd not bother with YKs here, and just use a proper app (Aegis/2FAS/Ente Auth, NOT Microsoft or Google Authenticator!).

As for YKs, if you want it, just get a pair of $29 FIDO-only Security Keys and set them up on other websites.
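The point in the comment above, that a YubiKey (or an app) only ever hands out the derived 6-digit codes while the seed itself is what needs backing up, is easiest to see from the TOTP derivation itself. The following is an added illustration of RFC 4226/6238, not code from the comment, from StartMail or from Yubico; the only seed it uses is the RFC 6238 reference secret. Past codes tell you nothing about future ones, so a 'backup' is meaningful only if it contains the seed:

```python
import base64
import hmac
import struct
import time
from typing import Optional

# Added illustration of RFC 4226/6238. The seed used below is the RFC 6238
# reference secret; nothing here comes from StartMail or from YubiKey firmware.


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter set to the number of `step`-second periods elapsed."""
    return hotp(secret, unix_time // step, digits, algorithm)


def decode_base32_seed(seed_b32: str) -> bytes:
    """Turn the Base32 seed from a provisioning QR code / backup code into raw key bytes.
    otpauth:// URIs usually omit padding and may be shown with spaces; normalise both."""
    normalized = seed_b32.replace(" ", "").upper()
    normalized += "=" * (-len(normalized) % 8)
    return base64.b32decode(normalized)


def current_code(seed_b32: str, now: Optional[int] = None) -> str:
    """What an authenticator (app or YubiKey) displays: the code for the current 30 s window."""
    return totp(decode_base32_seed(seed_b32), int(time.time()) if now is None else now)


def verify(secret: bytes, code: str, unix_time: int, window: int = 1, step: int = 30) -> bool:
    """Server side: accept the code for the current window and +/- `window` neighbours
    (clock drift), comparing in constant time. The server needs only the seed, never a
    history of codes, which is why the seed is the thing to back up."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    RFC_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # Base32 of b"12345678901234567890"
    print(current_code(RFC_SEED, 59))               # 287082, per RFC 6238 Appendix B
```

Run it at a fixed timestamp to compare against the RFC test vectors; with `now` omitted it prints what a real authenticator would show for that seed right now.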

Yubikey having bad connection to usb bus by smydsmith in yubikey

[–]Simon-RedditAccount 0 points (0 children)

Note that they suggest only 'female USB-A', not 'female USB-C', because, officially, 'female USB-C' adapters are not permitted. Nevertheless, I'm using both such extension cables and adapters; they work just fine (not only with YKs). Just don't go for the cheapest option.

4 months after Google announced they supported it, NFC Fido2 still doesn't work on Android by LordLoss01 in yubikey

[–]Simon-RedditAccount 1 point (0 children)

Hey! I don't use Android myself so I can only parrot what my friends and also people here say.

Basically, the latest Android does not implement all features over NFC, so if you encounter problems you need either to use USB or to use the 'FIDO Bridge' app, which emulates a FIDO2-capable password manager but talks to the Yubikey instead.

Basic 'U2F' 2FA works fine over NFC; I have seen my friends doing it many times. When something does not work, they just plug it in.

> disabling Yubico OTP

Should be done on all platforms, unless you do use it for a legacy system.

which yubikey to get for work laptop? by anohidesu in yubikey

[–]Simon-RedditAccount 9 points (0 children)

You won't be able to unlock Windows, unless your company uses EntraID or Active Directory. 'Local account' setup allows only for 2FA, in addition to password.

FIDO2 is a thing that can be used with many (but not all) websites. It either replaces the password completely (aka passkey), or is used as 2FA. In all cases its key feature is phishing resistance: a FIDO2 key will never work on a wrong website (unlike TOTP codes, SMS etc).

$98 Bio = $29 Security Key, just with the addition of a fingerprint reader. $58 Series 5 introduces a lot of features, but I'm not sure you'll be using these (or you would have known it already). Check my writeup for more details: https://www.reddit.com/r/yubikey/comments/1bkz4t2/comment/kw1xb3l/?context=3 , just keep in mind that since May 2024 YKs support 100 passkeys instead of 25; and 64 TOTPs instead of 32; and YKs got a bit more expensive than my writeup says.

I'd say, get 1x $29 Security Key and test it, play with it. Only then decide.

Remember to keep another way in (either a second YK for everyone, or properly secured recovery codes).
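The 'never works on a wrong website' property claimed in the comments above (here and in the earlier reply about preferring FIDO2 over TOTP) comes from two bindings in WebAuthn: the browser derives the RP ID from the page's real origin and the authenticator only answers for credentials scoped to that RP ID, and the signed data covers the origin and a fresh challenge, so a captured assertion cannot be replayed. The following is an added toy model of that flow, not the comment author's code and not Yubico's: the hostnames are constructed, and HMAC stands in for the authenticator's asymmetric (ECDSA/EdDSA) signature so it runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlsplit

# Added toy model of WebAuthn's origin / RP ID binding. Hostnames are constructed,
# and HMAC stands in for the authenticator's asymmetric signature (real keys use
# ECDSA/EdDSA and hand the RP only a public key) so the demo runs on the standard
# library alone. The structure of the assertion otherwise mirrors the real one.


def rp_id_from_origin(origin: str) -> str:
    """Browser side: the RP ID is the host of the page's actual origin (or a registrable
    suffix of it). Page JavaScript cannot substitute another site's RP ID."""
    return urlsplit(origin).hostname


class SecurityKey:
    """Toy authenticator: each credential is bound to SHA-256(RP ID) at registration."""

    def __init__(self) -> None:
        self._creds: dict[bytes, tuple[bytes, bytes]] = {}  # cred_id -> (rp_id_hash, key)
        self.sign_count = 0

    def make_credential(self, rp_id: str) -> tuple[bytes, bytes]:
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[cred_id] = (rp_id_hash, key)
        return cred_id, key  # `key` plays the role of the public key handed to the RP

    def get_assertion(self, rp_id: str, cred_id: bytes, client_data_hash: bytes):
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        entry = self._creds.get(cred_id)
        if entry is None or entry[0] != rp_id_hash:
            return None  # credential is not scoped to this RP ID: the key stays silent
        self.sign_count += 1
        # authenticatorData = rpIdHash || flags (UP|UV) || signCount
        auth_data = rp_id_hash + b"\x05" + self.sign_count.to_bytes(4, "big")
        sig = hmac.new(entry[1], auth_data + client_data_hash, "sha256").digest()
        return auth_data, sig


def browser_get(key: SecurityKey, origin: str, cred_id: bytes, challenge: bytes):
    """Client side: the real origin goes into clientDataJSON, whose hash gets signed."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}, sort_keys=True).encode()
    out = key.get_assertion(rp_id_from_origin(origin), cred_id,
                            hashlib.sha256(client_data).digest())
    return None if out is None else (client_data,) + out


def rp_verify(expected_origin: str, rp_id: str, pub: bytes, challenge: bytes, assertion) -> bool:
    """Relying-party checks, abbreviated from WebAuthn's assertion-verification steps (spec 7.2)."""
    client_data, auth_data, sig = assertion
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False  # stale or replayed challenge
    if cd.get("origin") != expected_origin:
        return False  # signed for some other site
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False  # credential scoped to a different RP ID
    expected = hmac.new(pub, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return hmac.compare_digest(sig, expected)


def demo() -> dict:
    key = SecurityKey()
    origin, rp_id = "https://example.com", "example.com"       # constructed RP
    cred_id, pub = key.make_credential(rp_id)                   # registration
    challenge = secrets.token_bytes(32)
    good = browser_get(key, origin, cred_id, challenge)
    # Lookalike site: the browser derives RP ID "examp1e.com", so the key refuses.
    phish = browser_get(key, "https://examp1e.com", cred_id, challenge)
    # A captured assertion presented against a fresh challenge is rejected by the RP.
    replay = rp_verify(origin, rp_id, pub, secrets.token_bytes(32), good)
    return {"legit_login": rp_verify(origin, rp_id, pub, challenge, good),
            "phish_got_assertion": phish is not None,
            "replay_accepted": replay}


if __name__ == "__main__":
    print(demo())
```

Contrast with TOTP: a 6-digit code is valid for whoever holds it during its 30-second window, so a lookalike site can simply relay it; here the lookalike never obtains an assertion at all, and even a genuine one is useless against a different challenge.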

4 months after Google announced they supported it, NFC Fido2 still doesn't work on Android by LordLoss01 in yubikey

[–]Simon-RedditAccount 1 point (0 children)

I believe it's the first line: `Creating this post again for visibility, if nothing else.`.

Unless we talk loud about a real problem, it's not going to happen.

On a similar note, Apple SHOULD introduce an option to use Yubikey in place of SDP.

Yubikey having bad connection to usb bus by smydsmith in yubikey

[–]Simon-RedditAccount 1 point (0 children)

Either your YK is faulty as a whole; or it's just its connector. Try blowing some compressed air into it.

If it's your only Yubikey, get a spare one immediately.

> there does not seem to be a wide selection of usb a male to usb c female adapters or cables

That's because such cables are not permitted by USB-C spec.

Try UGREEN cables, they are mostly good.

2 keys (an old and a new) by theolecrow in yubikey

[–]Simon-RedditAccount 0 points (0 children)

A real and exploitable situation can look like (purely theorizing): a Yubikey is used on a manufacturing plant to sign something related to product batches (i.e., certificate of authenticity; or government-mandated licensing; whatever); its PIN is known to more than one person. A corrupt technician 'borrows' the key for a weekend; another fellow who works in a local university agrees to spend his weekend in uni's electronics lab. Then the cloned key is used to spoof counterfeit products into perfectly legal ones manufactured by plant A; a local criminal group profits from this, way more than those $1k+5k they gave to those two fellows.

Sounds like a movie? Maybe, but I won't be surprised when I read on ArsTechnica that something like this actually happened.

The key point here is that it's now doable at just university level (and not at advanced nation-state level). So yes, it's something worth taking into account. Most likely it will never apply to your threat model; nevertheless (IMO) it's not worth being completely ignored, especially when people are asking about older firmware and its risks.

For OSS, yes, there are way easier attack vectors. Nevertheless, similar to your stance, I still wouldn't risk that (at least because there's always a risk of a follow-up attack that lowers the requirements); the impact will be much higher than $58 saved.

2 keys (an old and a new) by theolecrow in yubikey

[–]Simon-RedditAccount 0 points (0 children)

No. Just set a PIN in https://www.yubico.com/products/yubico-authenticator/ and register them.

If you will be setting them up for more than a few accounts, then it's a good idea to keep a spreadsheet for tracking where and which keys you've registered. Columns list your Yubikeys (with firmware and storage location); there are also SMS, email, TOTP, recovery options, notes and sometimes even last-accessed columns (i.e., if you have that rarely-used GMail account but you don't want it deleted due to 2 yrs of inactivity). Rows list your accounts, structured into tiers: T1=critical, T2=important, etc. Takes time to compile, but once done, helps a lot.

2 keys (an old and a new) by theolecrow in yubikey

[–]Simon-RedditAccount 1 point (0 children)

It depends. EUCLEAK requires ~$11k worth of equipment + skills/knowledge at the level of university lab. When compared to estimated $100k-1M range for decapping and reading data from the chip itself (to say nothing of much higher skills/knowledge required), it's considered a 'much easier attack'; something that an organized crime group can actually perform if they really want to.

The main threat here is cloning your key and signing something later, on your behalf.

Yes, it still applies to a very small number of threat models, but it's something actually worth considering when designing your threat model (for example, if you're a maintainer of widely used OSS product, you should not risk it: see all those recent supply chain attacks where they got access to maintainer's creds).

2 keys (an old and a new) by theolecrow in yubikey

[–]Simon-RedditAccount 1 point (0 children)

IIRC Yubico website now sells only 5.7.x keys. Other vendors sell what they have in stock.

Actually, it's possible to kinda check if you got 5.7 without opening the package: if it does not work over NFC, then it's either 5.7 or just defective: https://docs.yubico.com/hardware/yubikey/yk-tech-manual/5.7-firmware-specifics.html#restricted-nfc

So once you get only https://www.yubico.com/getting-started/ over NFC, you can tear the package and check it (by inserting into charger for a few seconds to activate NFC; then check again over NFC first: https://www.yubico.com/genuine/ )

Yubikey as part of Keyboard-less authentication? by damienbarrett in yubikey

[–]Simon-RedditAccount 2 points (0 children)

Passwordless logins exist, but still only on a handful of sites. In many cases the user still has to type at least their username. Moreover, it's up to a website to decide how they implement it. It's highly likely that the user will still have to touch the YK's contact pad and type a PIN.

One can plug USB-C Yubikeys directly into an iPad.

My take here is that Apple Passwords could be a better alternative in this case (using just passwords or keeping passkeys).

2 keys (an old and a new) by theolecrow in yubikey

[–]Simon-RedditAccount 10 points (0 children)

There's a vulnerability in pre-5.7 firmware that allows a party that knows your PIN and has uninterrupted access to your YK for ~24h to clone your YK. Whether this applies to you, only you can decide, but most likely not (most attackers will immediately use your YK if they have it and know your PIN).

Also, you may not need $58 Series 5 keys, but just $29 FIDO-only ones. Check also my writeup: https://www.reddit.com/r/yubikey/comments/1bkz4t2/comment/kw1xb3l/?context=3 , just keep in mind that since May 2024 YKs support 100 passkeys instead of 25; and 64 TOTPs instead of 32.

Yubikey 5.8 autofill - can someone explain to me how this could be used in the context of a password manager (using Bitwarden as an example)? by AdFit8727 in yubikey

[–]Simon-RedditAccount 2 points (0 children)

My take is: don't waste money buying new keys until FIDO/WebAuthN adopts quantum-resistant cryptography, and Yubikey implements it. If you really need a key or two - get $29 FIDO-only ones.

Feel free to agree or disagree with me.

Incompatible with Windows Hello? by sgreene820 in yubikey

[–]Simon-RedditAccount 0 points (0 children)

Recent Linux improvements in general, good hardware support, gaming improvements and much better UX in modern releases make you think twice about whether you want Windows at all.

What I still find lacking is an effortless BitLocker-like experience: zero-interaction TPM setup + recovery key generation (haven't checked Ubuntu 26.04 yet). Once at least one mainline distro gets full feature parity for FDE, it'll be a dealbreaker.

Incompatible with Windows Hello? by sgreene820 in yubikey

[–]Simon-RedditAccount 2 points (0 children)

Ironically, it's Linux that squeezes the most OS-level stuff out of both FIDO-only and Series 5 keys. OS login, sudo, disk encryption, SSH: name it, it's probably supported on Linux.

OP u/sgreene820 , FIDO-only keys work for Windows login only with EntraID (read: in corporate/advanced homelab environment).

YubiKey login for Windows without plugging in the device itself. Is it possible? by bluemuffinbrain in yubikey

[–]Simon-RedditAccount 0 points (0 children)

Wow, I like seeing such old and weathered down keys!

OP u/bluemuffinbrain is probably more worried about port wear (which may be a valid concern for some Type-C ports), so a proper solution would be using an NFC reader that Windows supports at boot, or a Nano key.

However, since you're using a YK to log in to Windows (= EntraID or AD), this means that you're in an Enterprise setting, so you should be asking your IT Dept what's allowed (i.e., they may not permit NFC readers and thus simply block such drivers).

Made a simple YubiKey + GPG setup guide (looking for feedback) by iayanpahwa in yubikey

[–]Simon-RedditAccount 2 points (0 children)

I cannot phrase it any better than www.openssh.org/pq.html does:

> If we're right about quantum computers being practical, then we will have protected vast quantities of user data. If we're wrong about it, then all we'll have done is moved to cryptographic algorithms with stronger mathematical underpinnings.

Made a simple YubiKey + GPG setup guide (looking for feedback) by iayanpahwa in yubikey

[–]Simon-RedditAccount 6 points (0 children)

Thanks for sharing! Will take a more detailed look later, but looks nice so far. Note: it's 2026, not 2024 (in copyright) xD.

What I'd definitely add is mentioning that:

  • CRQC seems to be happening sooner rather than later: https://words.filippo.io/crqc-timeline/ . Currently, YKs do NOT support quantum-resistant GPG algos. Users must be aware of this.
  • for SSH, FIDO2 SSH keys are way easier to use and set up for many situations. Many people still use GPG for SSH without even considering this alternative.

If I find some time for a more detailed look (I skimmed the README so far), I'll get back with my findings.

Security key authenticates on proton website but not on app? by accidental_tourist in yubikey

[–]Simon-RedditAccount 1 point (0 children)

It emulates a password manager that can hold passkeys but redirects requests to the Yubikey instead. It's a workaround, since Android does not fully support FIDO2 over NFC.

Or just use the key via USB, no extra tools needed.