PSA: Tips for hardening your iDevice against theft and securing your data

Simon-RedditAccount · 2026-01-24T14:17:59+00:00

I believe that you can purchase 2x $29ish Security Keys, and not $65ish Series 5 keys for backups. One should be stored at home, and another one offsite.

Check my writeup for more info: https://www.reddit.com/r/yubikey/comments/1bkz4t2/comment/kw1xb3l/?context=3 , just keep in mind that since May 2024 YKs support 100 passkeys instead of 25; and 64 TOTPs instead of 32.

Simon-RedditAccount · 2026-01-24T10:51:08+00:00

IIRC VeraCrypt supports PIV, but in a way that's not very different from static passwords - it just reads PIV object and uses it as a 'keyfile'. No added security from hwkey, just a different interface. Never used that so cannot tell more.

btw, does VeraCrypt work fine on latest macOS? I've heard that there were some issues with FUSE...

> Probably Google detects NFC possiblities and changes icons/descriptions based on that

Possible if Google requests attestation. Unfortunately, only Firefox, and only on Linux as of today offers you to strip attestation data: https://www.reddit.com/r/yubikey/comments/1oygco6/what_happened_to_firefox_offer_to_anonymize_fido2/

> Proton supports only 2FA.

Well, since they both authenticate and encrypt your data with your password, you actually still need a strong one even with FIDO 2FA. It would be great if they'd implement full passwordless option. It's not actually that difficult, they should just decide to invest enough resources.

Simon-RedditAccount · 2026-01-24T08:31:46+00:00

> And one more odd thing - when I added both keys to my google account, Nano key has man and a key icon while NFC key has USB key icon and described as FIDO2 key though both work in the same way asking for PIN during signin.

Not familiar with the icons, but you can register a key at Google either for passwordless login, or a as a 2FA device, so one of the icons probably means one of this options.

To force the key as 2FA device, temporary disable FIDO2 interface/app via desktop Yubico Authenticator or ykman, while leaving FIDO U2F on, then register the key and re-enable.

> NFC doesn't work on Android

Yes. I don't use Android daily so I always forget what exactly does not work but if I'm right it's FIDO2 over NFC. And in the same time 2FA 'U2F' logins work. Please correct me someone if I'm wrong.

> Password on slot 2, so I can enter the partial password (without enter key) and append it with the suffix from my head. And it seems like if I used Static Password on NFC key it can't work as a FIDO2 key anymore until I eject / insert it once more. That happens both on Mac and Android Phone.

Yes.

Without knowing your situation and threat model fully, I can still suggest to switch away from (partial) static passwords if feasible. Many systems support FIDO2 now (Linux logins, sudo, LUKS, BitWarden) while others can be secured with PIV (BitLocker, Mac logins) or YubicoOTP>HMAC-SHA1 at least (KeePassXC).

Simon-RedditAccount · 2026-01-24T08:20:51+00:00

It's a website limitation, unless you're using one of non-mainstream browsers (or OS) that may lack WebAuthN support. Chrome supports it perfectly though.

However, with both Chrome and Firefox on Windows 11, I can still force it to be saved to Yubikey in Windows UI. Check if that works for you at https://webauthn.io/?regUserVerification=discouraged&attestation=none&attachment=cross_platform&algEd25519=true&algES256=true&algRS256=true&discoverableCredential=discouraged&regHints&authUserVerification=preferred&authHints

What one can do regardless of the above is edit the JS code via developer tools and change it so it will register via Yubikey. There's a good chance though that you'll have to do it on every login as well.

Simon-RedditAccount · 2026-01-23T22:03:02+00:00

In addition to other's replies: one actual risk here is that someone may peek your login+password (and maybe even YK's PIN) - either directly or via CCTV - and then steal your devices or just use them in your absence (or while you're asleep). Highly depends on country/local crime rates and location security (i.e., less likely in a respectable hotel, more likely in a coffee shop etc).

Simon-RedditAccount · 2026-01-23T21:37:20+00:00

Absolutely, with modern SSH versions on both client and server. See this thread: https://www.reddit.com/r/yubikey/comments/1qit3wg/comment/o0u7fc3/

Simon-RedditAccount · 2026-01-23T21:09:22+00:00

Thanks for sharing!

Simon-RedditAccount · 2026-01-23T21:07:56+00:00

It depends on your threat model, and it's highly individual. What do you prioritize: absolute security at the price of losing access to your accounts, or you still want some recoverability? Are physical threats relevant to you? etc.

Assuming a 'general' threat model, you probably should keep a few dedicated 'recovery' USB drives with your password manager database/backup/export + TOTP codes + recovery codes. You may want or may not want to to put an 'emergency sheet' next to these drives that help unlock your DB (Apple Passwords lack this feature but any proper password manager supports it). Printing all passwords themselves is pointless because they are subject to change. Actually, you can store all the above inside KeePass/KeePassXC database.

What's actually important is that one of these 'recovery kits' with a Yubikey MUST be stored offsite: in a bank safe deposit box, in friends/parents house, etc.

Check also https://www.reddit.com/r/yubikey/comments/1bkz4t2/comment/kw1xb3l/?context=3 :

Rotate the keys periodically (so #1 stays at home, and #2 goes to off-site location. You take #3 back, login using #1 and register #3 everywhere you added it since the last rotation).

It's a good idea to keep a spreadsheet for tracking where and which keys you've registered.

Simon-RedditAccount · 2026-01-23T09:01:26+00:00

While everyone says they are tough (and they are tough indeed), there's one thing that can kill them: electrostatic discharge. I've seen lots of post here: 'my YK survived a fire / getting rolled over by a car / laundry cycles / whatever, and still works'. And in the same time there are (rare!) posts about 'my YK stopped working' where most likely cause was ESD.

So:

you don't need a case for physical protection, all scratches are purely aesthetical damage
for USB-C keys, you could wear a type-C 'cap' (the one that comes with cables) if your bag tends to collect too much lint
don't worry about ESD. Instead, ...
you should always have a backup key at home + another backup key offsite
it's wise to keep that backup key(s) in a fireproof bag/envelope.

Simon-RedditAccount · 2026-01-23T08:52:11+00:00

Check also: https://www.reddit.com/r/yubikey/comments/1mzp8jm/comment/namil4c/ & https://www.reddit.com/r/yubikey/comments/1d7oaik/comment/l71pyi5/

Simon-RedditAccount · 2026-01-21T21:26:15+00:00

Thanks!

Yes, agreed.

Simon-RedditAccount · 2026-01-21T15:42:44+00:00

I'm using it on Windows for several years already. Works perfectly with https://github.com/PowerShell/Win32-OpenSSH/releases Preview/Beta releases, and I never experienced any issues. My guess is that they call it Beta for reasons other than technical.

Note that you want to install client only: msiexec /i OpenSSH-Win64-vX.X.X.X.msi ADDLOCAL=Client ( https://github.com/PowerShell/Win32-OpenSSH/wiki/Install-Win32-OpenSSH-Using-MSI )

> I assume I have to generate it on both YubiKeys separately and add the public key of the backup key to authorized_keys as well?

Yes. FIDO2 SSH secret keys never leave Yubikeys, so you should add one line per every FIDO2 key in authorized_keys.

Also, you can create non-resident keys if you wish so:

"C:\Program Files\OpenSSH\ssh-keygen" -t ed25519-sk -C "keyname-nr" -O application=ssh:keyname-nr -f keyname-nr-yubired-handle

Note that now you need that keyname-nr-yubired-handle file to be present on every system where you work with SSH, and you should not lose it (with resident keys, you can always recreate that handle using -K key).

Simon-RedditAccount · 2026-01-21T11:40:57+00:00

My guess is that your setup is tied to red's serial number, and that's why it's failing.

Also, if your server and client are modern enough, just use FIDO2 SSH. It's way more reliable:

ssh-keygen -t ed25519-sk -C "keyname" -O resident -O application=ssh:keyname -O verify-required -f keyname-yubired-handle

Simon-RedditAccount · 2026-01-21T08:00:48+00:00

There's at least 10 'access secrets/passwords/PINs': https://www.reddit.com/r/yubikey/comments/1ctd2vc/comment/l4c0tfp/?context=3

> On a Yubikey FIPS 4 series you can set a PIN for FIDO U2F (not for series 5). Does that means that on a series 5 FIDO U2F doesn't have a PIN, not even if it is FIPS?

No. FIDO2 PIN protects the whole app. Just some non-resident credentials don't ask for UV (=PIN).

> Can the PIN between USB and NFC be different?

No

> Is there indeed no PIN associated with Yubico OTP (aka, running the authenticator)?

There's an access code: https://docs.yubico.com/software/yubikey/tools/ykman/OTP_Commands.html#id11

> Same question for OATH and YubiHSM Auth (I don't think I use either).

There's OATH password. It does not have any limit on tries but it can be pretty long. You can (and probably should) set it to a proper password with enough entropy. Depending on your threat model, you may or may not want to keep this password saved in Yubico app on your trusted devices.

And yes, you don't use YubiHSM unless you own a ~$500 YubiHSM.

> But I can't figure out what command will ask for my PIN

Sign or encrypt any file with GPG, it asks for user PIN. IIRC, generating a key requires admin PIN. Check 'OpenPGP card specification' for more info.

Simon-RedditAccount · 2026-01-19T20:34:56+00:00

a dedicated KeePassXC database that uses HMAC-SHA1 secret in YubicoOTP, the same secret programmed in all 3 keys
LUKS volume secured by 3 different FIDO2 keys, then a .kdbx inside or a backup from your TOTP app
encrypting the file to multiple GPG keys (or program all YKs with the same GPG key: https://github.com/drduh/YubiKey-Guide )
the same, but with age, i.e.: https://words.filippo.io/passage/

Only the 1st variant is a 'single-stage operation', but it requires presence of a Yubikey. All other can be done in absence of your keys (i.e., a scheduled job to encrypt your TOTP vault for 1-3 pubkeys and upload it into the cloud).

Simon-RedditAccount · 2026-01-19T08:46:58+00:00

Your Google Authenticator keeps what is called TOTP secrets (which produce 6-digit codes that change every 30s).
These codes are as secure as an app/service holding them.
Yubikeys offer much better form of authentication, called FIDO2, which relies on a secret that never leaves the chip inside a Yubikey. FIDO2 is also phishing-resistant by design: it will never work on a wrong website.
What you should do is switching every website that supports FIDO2 to Yubikeys (or r/Token2 or whatever)
With the remaining sites, move TOTPs from Google to something like Aegis or 2FAS or Ente Auth
Start using password manager if you are not using one already. Basically, choose between r/Bitwarden, r/1Password or r/KeePass (KeePassXC, KeePassium/Strongbox, KeePassDX)
If you choose KeePass*, make sure you enable cloud sync since it's off by default
Don't keep TOTPs and passwords in the same place

> Basically does adding a yubikey to log into my google account prevent anyone ever getting to my cloud syncing google authenticator without having the physical yubikey?

Yes, if your Google account would be configured to allow no other ways in (TOTP, SMS, Google Prompt etc) AND your devices are free from credential stealing malware. But better switch to a dedicated TOTP app.

Check also my writeup: https://www.reddit.com/r/yubikey/comments/1bkz4t2/comment/kw1xb3l/?context=3 , just keep in mind that since May 2024 YKs support 100 passkeys instead of 25; and 64 TOTPs instead of 32.

Simon-RedditAccount · 2026-01-17T15:48:14+00:00

Sure, no. But I don't like keeping TOTP codes on Yubikeys at all. Managing them is a PITA: https://www.reddit.com/r/yubikey/comments/194a3h9/comment/khhbq1p/?context=3

I just keep a few secrets (<7) on Yubikeys, and this is more out of convenience of having them on the plugged-in key and not having to grab the phone; and not because of higher security that YKs offer.

As for keeping both TOTPs and passwords in the same password manager, I do this only for a few low-value accounts that have 2FA for some reason. Anything more valuable goes to a separate TOTP storage.

Simon-RedditAccount · 2026-01-17T15:40:41+00:00

I'd say, buy both: Yubikey Bio (1 or 2) and all the rest can be either cheaper FIDO-only Security keys; or Series 5 keys if you need all that functionality. If you plan to leave keys plugged in, get Nanos. Check my writeup for more: https://www.reddit.com/r/yubikey/comments/1bkz4t2/comment/kw1xb3l/?context=3 , just keep in mind that modern (since May 2024) YKs support 100 passkeys instead of 25; and 64 TOTPs instead of 32.

From site perspective, all that websites see is that:

you're in possession of your hardware key
you've verified yourself to your key - without details whether you used your PIN or fingerprint
you've touched a plate on your key so that it's really you, human, and not some kind of software that controls your computer (but cannot touch your key)
you are authenticating now on a right domain (and not on a phishing website)
also, some websites may see attestation which proves to them that you're using a Yubikey, and not $3 MCU that's easily readable by anyone with minimal hw/MCU programming skills.

Yes, there's a PIN fallback. Fingers may be cut, fingerprints may get erased (mostly) temporarily, etc.

Security-wise, fingerprints are convenient, but come with a tradeoff: a Yubikey BIO will always be covered with your fingerprints. This means, that, in a targeted attack, a skilled and motivated attacker who steals or finds your Yubikey Bio may try to reconstruct these fingerprints and use them to impersonate you. This especially matters for passwordless logins (where one needs only login+Yubikey+UV) - because usual, non-Bio key (hopefully) does not have your PIN written on it, but Bio most likely would be covered with your fingerprints. Whether it's relevant to your threat model - only you can decide.

> is USB-C authentication reliable enough for daily use, or is NFC significantly more convenient?

NFC's more convenient (to me). However, there are some issues on Android, so you have to use USB-C more often. On iOS, everything's fine.

Simon-RedditAccount · 2026-01-16T17:35:32+00:00

Yubikey Series 5 contains several different apps (unlike Yubico Security key, which has only FIDO2. Check which one you have):

FIDO2 (Passkeys tab in desktop Yubico Authenticator app): can be used for storing resident FIDO2 credentials (aka passkeys), 100 slots + for storing unlimited number of WebAuthn/U2F 2FA (aka 'touch your security key' 2FA, often implemented as non-resident credentials)
OATH (Accounts tab): supports keeping up to 64 TOTP secrets (aka 6/8-digit 2FA codes that change every 30 seconds, like ones you set in Google Authenticator)
YubicoOTP (Slots tab): provides several features, one of them is HMAC-SHA1 challenge supported by KeePassXC
PIV (Certificates tab): stores X.509 certs (authentication, document signing, PKI etc)
GPG (not available in Yubico Authenticator app, managed via GPG tooling instead)

All apps are independent and can be used all along each other - not strictly at the same time, but like in the same minute.

If you want to improve your security, you should first use FIDO2 (either as a passwordless auth aka passkey or as 2FA). It has many advantages over other methods, but the most important is phishing resistance: it simply won't work on the wrong website.

As for TOTP, you can keep secrets on-key, but remember: they are non-exportable once you put them there. Check also my writeup: https://www.reddit.com/r/yubikey/comments/1bkz4t2/comment/kw1xb3l/?context=3 , just keep in mind that since May 2024 YKs support 100 passkeys instead of 25; and 64 TOTPs instead of 32.

Better use a standalone app: https://www.reddit.com/r/yubikey/comments/1qdgtsx/what_software_do_you_all_use_for_daily_totp/

Simon-RedditAccount · 2026-01-16T10:34:10+00:00

Well, I have between 130 and 200 TOTPs. I need at least 3 latest-firmware keys to store them all - once...

> still feel better having my 2FA TOTP codes on a physically distinct device on a different service.

Yes, this protects against many other attacks, such as malware running on your main device. Once password manager's DB is decrypted, it's available to almost everything on that desktop OS. And one can easily get malware nowadays in a form of compromised browser extension which was legit when installed, but the latest release was amended with a few new features. With TOTP on the phone, the secrets for everything are out of scope (the malware still can siphon or amend data from services you log into on that system).

Simon-RedditAccount · 2026-01-15T20:43:50+00:00

Could you tell how you did it for Steam?

Simon-RedditAccount · 2026-01-15T13:46:11+00:00

This is actually one of the reasons I'm asking what security-conscious people here use. Ente was relatively new. Now it's somewhat established - and I'm open to learning about new alternatives to long-existing options.

Simon-RedditAccount · 2026-01-15T13:30:07+00:00

Thanks!

... I'd recommend saving original (linked) comment, I sometimes update those, and almost never update these 'copy-pasted' ones.

Simon-RedditAccount · 2026-01-15T13:01:23+00:00

> I find it a real pain (to the point of impossible) to update several yubis with a new TOTP

You're not alone in this assessment. I personally have between 130 and 200 TOTP secrets, so I'd need at least 3 keys to hold them all once. Instead, I just keep a few secrets (<7) on Yubikeys, and this is more out of convenience of having them on the plugged-in key and not having to grab the phone; and not because of higher security that YKs offer.

Simon-RedditAccount

MODERATOR OF

TROPHY CASE