Scraft161,
@Scraft161@tsukihi.me

Hardware security key options?

I've been thinking about getting a hardware security key and have heard of yubikey before; but I want to see what my options are and if they are worth it in your opinion.
My current setup is a local KeePassXC database (that I sync between my PC and phone and also acts as TOTP authenticator app), I know that KeePass supports hardware keys for unlocking the database.

I am personally still of the belief that passwords are the safest when done right; but 2FA/MFA can greatly increase security on top of that (again, if done right).
The key would work together with already existing passwords, not replace them.

As I use linux as my primary OS I do expect it to support it and anything that doesn't I will have to pass on.

PS: what are the things I need to know about these hardware keys that aren't being talked about too much? I am very much delving into new territory and want to make sure I'm properly educated before I delve in.

@linux @technology @privacy

maxeddy,

@Scraft161 Hello there! I've reviewed security keys for years.

First thing you might consider is whether you want a boatload of features or just U2F/WebAuthn support. The Yubico Security Key and similar devices are very affordable but do only the basics. The YubiKey 5 Series has many more features, but is significantly more expensive.

The second thing to think about is whether you require open-source hardware/firmware or not. Nitrokey and SoloKey both tout their open-source roots, while Yubico keeps things mostly closed.

I've tested dozens of these things and they all work equally well. Yubico's build quality and sheer number of features in the 5 series makes it my go-to, but it's hard to go wrong here sticking with known brands.

Coelacanthus,
@Coelacanthus@lemmy.kde.social

I use a Yubikey 5 NFC and a Canokey Pigeon; both work out of the box on Linux.

Sarcasmo220,

When I did some research on hardware keys I was between Yubikey and Nitrokey. I ended up going with Yubikey because KeePassXC supported it.

Something to keep in mind is purchasing a backup key. I bought one for my wife and we use each other’s as a backup.

KeePassXC does not support registering multiple keys (at least not that I have figured out), so I have a copy of my database where it uses my wife's key as a backup.
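Why the backup-key question is tractable at all: the KeePassXC integration uses the key's HMAC-SHA1 challenge-response slot, and the key only ever returns HMAC-SHA1(slot secret, challenge). Two keys whose slots were programmed with the same secret therefore return the same response and either one unlocks the same database. The Go program below is an example added for this page, not KeePassXC's or Yubico's code: it simulates the slot in software (`softToken`), and `compositeKey` is a simplified model of how KeePassXC folds password, optional key file and token response together (the real implementation has its own byte layout and runs Argon2 or AES-KDF afterwards). All function and type names are chosen here.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// softToken stands in for the HMAC-SHA1 challenge-response slot of a
// hardware key. The 20-byte slot secret never leaves the device; the host
// only ever sees HMAC-SHA1(secret, challenge). Software model only, not the
// real USB/HID protocol.
type softToken struct {
	secret []byte
}

// Respond returns what the host receives from the slot for one challenge.
func (t softToken) Respond(challenge []byte) []byte {
	mac := hmac.New(sha1.New, t.secret)
	mac.Write(challenge)
	return mac.Sum(nil)
}

// compositeKey is a simplified model of how KeePassXC combines factors:
// hash each factor, concatenate, hash again, then (not shown) feed the
// result to the database KDF. ASSUMPTION: the exact byte layout differs
// from KeePassXC; the property shown is that every factor must be
// reproduced byte-for-byte or the resulting key changes.
func compositeKey(password string, keyFile []byte, tokenResponse []byte) []byte {
	h := sha256.New()
	pw := sha256.Sum256([]byte(password))
	h.Write(pw[:])
	if keyFile != nil { // the "key file on a flash drive" factor
		kf := sha256.Sum256(keyFile)
		h.Write(kf[:])
	}
	if tokenResponse != nil { // the hardware-key factor
		h.Write(tokenResponse)
	}
	return h.Sum(nil)
}

// unlockKey derives the key for one (password, challenge, token) triple. The
// challenge is stored unencrypted in the database file, so someone who copies
// the file still lacks the slot secret needed to answer it.
func unlockKey(password string, challenge []byte, tok softToken) []byte {
	return compositeKey(password, nil, tok.Respond(challenge))
}

// sameSecretKeysUnlock is the backup-key check: two keys programmed with the
// same slot secret yield the same database key, so either one unlocks it.
func sameSecretKeysUnlock(password string, challenge []byte, primary, backup softToken) bool {
	return bytes.Equal(unlockKey(password, challenge, primary),
		unlockKey(password, challenge, backup))
}

func main() {
	secret := make([]byte, 20)
	rand.Read(secret)
	primary := softToken{secret: secret}
	backup := softToken{secret: append([]byte(nil), secret...)} // same secret written to a second key
	stranger := softToken{secret: make([]byte, 20)}              // a key programmed with something else

	challenge := make([]byte, 32) // constructed stand-in for the per-database seed
	rand.Read(challenge)

	fmt.Println("primary and backup agree:  ", sameSecretKeysUnlock("correct horse", challenge, primary, backup))
	fmt.Println("primary and stranger agree:", sameSecretKeysUnlock("correct horse", challenge, primary, stranger))
	fmt.Println("derived key prefix:", hex.EncodeToString(unlockKey("correct horse", challenge, primary))[:16])
}
```

With real YubiKeys the same slot secret is written to both devices with `ykman otp chalresp 2 <hex-secret>`; after that no second registration inside KeePassXC is needed, because the database only ever sees the response, not the key that produced it. The flip side is the caveat the thread keeps repeating: if the secret is generated on one key and never copied, losing that key loses the database.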

MiddledAgedGuy, (edited)

Yubikey and OnlyKey are the only hardware keys that work with keepassxc. So if that’s a requirement for you, then those are your only options. This is true for me as well.

They cover this in their docs and faq page: keepassxc.org/docs/-yubikey-2fa. OnlyKey is an unknown to me while I’ve heard of Yubikey for years.

chiefgyk3d,
@chiefgyk3d@social.chiefgyk3d.com

@Scraft161 I've honestly tested almost all of the ones on the market and even made some of my own. There is a huge reason I am still a fan of Yubikey to the point I am affiliated as well as an ambassador for them for a couple years.

I've tried Tillitis, used Ledger and Trezor as keys, made my own as mentioned, even used a Flipper Zero, and others. Yubico hands down has the best all-around value:feature ratio. Just always grab at least two so you can always have a backup.

chiefgyk3d,
@chiefgyk3d@social.chiefgyk3d.com

@Scraft161 The main thing to know is that you will always want to make sure to register at least two keys to everything; once you lose your keys you lose access. This is important for a backup. I have around 12 Yubikeys total between work and personal.

Yubikey holds up to 32 TOTP codes as well. Unlimited FIDO/U2F though, and you can use it for SSH and PGP among other things too.

413j0, (edited)
@413j0@lemmy.world

I personally just have 3 U2F keys from different brands, one of them is a Yubikey, but I only use the U2F functionality. I have read enough about the U2F standard to trust it, but the other fluff on some keys I don't trust enough to use on my accounts, and the basic U2F functionality works perfectly on Linux (I even use it for my Linux login) and basically everywhere.

I keep one on my keychain (it has a USB-A port, but I keep a female A to male C converter on it as a cap so I can use it on my phone), another that has password protection instead of a single button lives on a port on my desktop, and the third I keep stored. It is more annoying to set up all of them on a new account, but I know I won't lose access or have to recover my accounts if I lose my keychain.

And for sites that don't support U2F I use Aegis for TOTP, which would also be my recommendation; that way if your KeePassXC database is compromised your second factor is safe, and you can also have automatic encrypted backups of your Aegis DB synchronised across devices so you don't lose them.

And if you are going to be setting up keys on multiple sites don't forget to update or generate your single-use recovery codes and store them safely, preferably on paper, not digitally.

I personally print mine on regular printer paper in sections about the size of a library card and then I spread some UV-curing resin until it soaks through, then I clean the excess and leave them in the sun for about 2 hours (most printer paper has optical brightener that makes the resin much slower to cure). I then cut the individual segments and store them in my safe.

It may be paranoid, but it's extra work only when creating an account, and I started doing it after I permanently lost access to a trading account because of a lost key and a faded recovery code; thankfully it had no balance stored there at the time.
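What the "basic U2F functionality" 413j0 trusts actually verifies, as an added example and not code from any vendor or from the FIDO specifications: the browser writes the page's real origin into the client data, the key signs that together with a hash of the site's identifier and a signature counter, and the site checks all of it before accepting the login. The Go program below models only the signing core (P-256 ECDSA over authenticator data and client data, as WebAuthn does); transport, CBOR encoding and attestation are left out, and the names `authenticator`, `verifyAssertion` and `newClientData` are chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is the JSON the browser assembles before asking the key to
// sign. The browser fills in the origin from the page's real origin; the
// page cannot forge it, which is the phishing resistance.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

func newClientData(challenge, origin string) []byte {
	b, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	return b
}

// assertion is what the relying party (the website) receives back.
type assertion struct {
	AuthData       []byte // rpIdHash(32) || flags(1) || signCount(4), as in WebAuthn
	ClientDataJSON []byte
	Signature      []byte // DER ECDSA over authData || sha256(clientDataJSON)
}

// authenticator models the signing core of a U2F/FIDO2 key: one credential
// private key per site plus a monotonic signature counter.
type authenticator struct {
	priv  *ecdsa.PrivateKey
	count uint32
}

func (a *authenticator) sign(rpID string, cdJSON []byte, userPresent bool) (assertion, error) {
	a.count++
	rpHash := sha256.Sum256([]byte(rpID))
	authData := make([]byte, 37)
	copy(authData, rpHash[:])
	if userPresent {
		authData[32] |= 0x01 // UP flag: the user touched the key
	}
	binary.BigEndian.PutUint32(authData[33:], a.count)

	cdHash := sha256.Sum256(cdJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, msg[:])
	if err != nil {
		return assertion{}, err
	}
	return assertion{AuthData: authData, ClientDataJSON: cdJSON, Signature: sig}, nil
}

// verifyAssertion is the relying-party side. Each failing check maps to a
// distinct attack: replay, phishing, wrong site, unattended use, cloned key.
// On success it returns the counter value to store for the next login.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, lastCount uint32, as assertion) (uint32, error) {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return 0, err
	}
	if cd.Type != "webauthn.get" {
		return 0, errors.New("wrong ceremony type")
	}
	if cd.Challenge != challenge {
		return 0, errors.New("challenge mismatch (replayed assertion)")
	}
	if cd.Origin != origin {
		return 0, errors.New("origin mismatch (signed on a look-alike site)")
	}
	if len(as.AuthData) < 37 {
		return 0, errors.New("authenticator data too short")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if string(as.AuthData[:32]) != string(rpHash[:]) {
		return 0, errors.New("rpIdHash mismatch (credential for another site)")
	}
	if as.AuthData[32]&0x01 == 0 {
		return 0, errors.New("user presence flag not set")
	}
	count := binary.BigEndian.Uint32(as.AuthData[33:37])
	if count <= lastCount && !(count == 0 && lastCount == 0) {
		return 0, errors.New("signature counter did not advance (cloned key?)")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, msg[:], as.Signature) {
		return 0, errors.New("bad signature")
	}
	return count, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	key := &authenticator{priv: priv}
	const rpID, origin, chal = "example.com", "https://example.com", "constructed-random-challenge"

	as, _ := key.sign(rpID, newClientData(chal, origin), true)
	count, err := verifyAssertion(&priv.PublicKey, rpID, origin, chal, 0, as)
	fmt.Println("genuine login:", err, "counter now", count)

	// Same key, same challenge, but the browser was on a look-alike domain:
	// the key signs happily, the real site rejects.
	as2, _ := key.sign(rpID, newClientData(chal, "https://examp1e.com"), true)
	_, err = verifyAssertion(&priv.PublicKey, rpID, origin, chal, count, as2)
	fmt.Println("phished login:", err)

	// Replaying the first assertion: stale counter (a real server would
	// also have discarded the challenge after first use).
	_, err = verifyAssertion(&priv.PublicKey, rpID, origin, chal, count, as)
	fmt.Println("replayed login:", err)
}
```

This is also why the "other fluff" on a feature-rich key does not weaken the basic U2F/WebAuthn path: the per-site credential key and the counter are all the site relies on, and none of it is something a user can type into a wrong site.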

Freddyyeddy,

Onlykey. It's U2F, and has up to 12 or 24 username/password combinations depending on how you set it up. It's got a physical PIN required and you can set what happens on 6 failed attempts, like nuking its own firmware and (quantum-proof encrypted alg) password and keystore. It requires no software on the machine (after setup) so you can use it on machines you don't own and don't need to install middleware (I'm looking at you, Nitrokey). If you use Linux you can use it as an SSH private key and login method requiring challenge-response (via its PIN pad) (Windows support for it is middleware to do this and is... not easy). It's a true one-way write: you add a password in and all you can do is overwrite, never read from it. onlykey.io. I've been using it in my corporate IT day-to-day for 3 years.

randombullet,

I’m using yubikeys. Works fine on Linux and Android.

stark,

Crazy coincidence that I was just researching hardware keys today. Why go with a hardware key over a free, open source TOTP generator like Aegis?

Scraft161,
@Scraft161@tsukihi.me

For many TOTP may be a good option; but my experience with TOTP has been less than subpar.

Initially I did use TOTP like you're supposed to; but after my last phone died I had to set up TOTP again on the accounts that used it, after getting into them without it using backup codes.
This led me to put the TOTP stuff inside my KeePass vault (as KeePassXC supports TOTP), which is backed up (unlike most TOTP solutions I've used).
The problem now is that my 2FA keys are stored in the same location as my passwords... (not that I'm worried about someone breaking the vault; but this is not how 2FA is supposed to work).

Additionally I have some other issues with TOTP that make it far from ideal for me and hardware keys seem to be a good fit to solve my issues with TOTP.
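Why keeping TOTP seeds in the password vault collapses the second factor, as an added example and not code from KeePassXC, Aegis or any other project: a TOTP code is nothing but HMAC-SHA1(seed, floor(time/30)) truncated to six digits, so whoever holds the seed holds the factor, and a vault holding both password and seed is one secret, not two. The Go program below implements RFC 6238 from scratch and checks itself against the RFC's published test vectors (seed "12345678901234567890"); `totp`, `seedFromBase32` and `verifyTOTP` are names chosen here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// totp computes an RFC 6238 code: HOTP (RFC 4226) over floor(time/step)
// with HMAC-SHA1. Everything needed is the seed; nothing is device-bound.
func totp(seed []byte, unixTime int64, step int64, digits int) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/step))
	mac := hmac.New(sha1.New, seed)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.4
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// seedFromBase32 decodes the secret a site shows at enrolment (the
// otpauth:// "secret=" value), tolerating spaces, lower case and
// missing padding.
func seedFromBase32(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	s = strings.TrimRight(s, "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// verifyTOTP is the server side: accept the current 30 s step and one step
// of clock drift either way, comparing in constant time.
func verifyTOTP(seed []byte, code string, now int64) bool {
	for _, skew := range []int64{-1, 0, 1} {
		if hmac.Equal([]byte(totp(seed, now+30*skew, 30, 6)), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238 Appendix B test seed (ASCII "12345678901234567890"), written
	// the way a site would display it at enrolment.
	seed, err := seedFromBase32("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
	if err != nil {
		panic(err)
	}
	fmt.Println("T=59, 8 digits:", totp(seed, 59, 30, 8)) // 94287082 per RFC 6238

	// The "vault copied" case: a copy of the seed is a copy of the factor.
	stolen := append([]byte(nil), seed...)
	now := time.Now().Unix()
	fmt.Println("legitimate app: ", totp(seed, now, 30, 6))
	fmt.Println("from vault copy:", totp(stolen, now, 30, 6))
	fmt.Println("server accepts the copy:", verifyTOTP(seed, totp(stolen, now, 30, 6), now))
}
```

A hardware key changes that picture because its secret is never exported: the host sees only responses, so a copied vault, a copied Aegis backup or a copied phone image yields nothing the site will accept.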

Telodzrum,

I’ve been using a Yubikey for years and I’m quite happy.

carzian,

If you’re insane this company makes hardware keys that you can implant under your skin and read via nfc dangerousthings.com/product/apex-flex/

(There is also a ring version if for some reason you don’t want to shove a microchip inside you 🫣)

princessnorah,
@princessnorah@lemmy.blahaj.zone

Thanks for this, I’ve actually been seriously considering a microchip implant for a while, is it open source? I don’t want proprietary code inside me if I can help it.

I’ve had a magnet embedded in my pinky for about 7 years now. It’s wild fun having an extra sense, I’ve actually been planning its replacement as it’s gotten much weaker the last year or so. Neodymium magnets do eventually lose their charge, and heat causes it to happen faster.

Para_lyzed,

It runs JavaCard OS, which is developed by Oracle and not open source. Even though it also runs JavaCard OS, I’d recommend the flexSecure JavaCard from Dangerous Things (for the same price as the Apex Flex), because all of its applets are open source: https://dangerousthings.com/product/flexsecure/. It isn’t quite as “seamless”, because it doesn’t have the closed-source app store available for it that the Apex Flex does, but it instead uses open-source applets that you can load onto it. Regardless, either option will run a closed-source OS, but as far as secure verification goes (by using challenge-response instead of static keys which could be read and copied like old RFID tags), JavaCard is currently the best option. And as far as implantable chips go, the flexSecure JavaCard and the Apex Flex are the 2 best chips on the market to my knowledge.

The silver lining is that there are plenty of open source applets you can run on JavaCards (like the flexSecure ones written by Dangerous Things)

carzian,

Great answer. I will add that another major difference between the Apex Flex and the FlexSecure is that the FlexSecure comes with factory default signing keys (which you can change), while the Apex Flex does not. This means you can't add your own applets to the Apex Flex. Para_lyzed touched on this but I wanted to emphasize that the FlexSecure gives you the ability to fully manage the implant while the Apex Flex doesn't. There are trade-offs of course.

Scraft161,
@Scraft161@tsukihi.me

Let's NOT go that route.

I'm very much looking for a hardware key to avoid biometrics (I can have a field day expressing my opinions on those; but in general they tend to be the weakest MFA factor and most have known working bypasses based on photos).
This leans a little too close to that for me to consider, let alone all of the things you have to consider when putting implants in your body.

carzian,

Just wanted to add something different from the other posts, definitely not recommending it.

That being said, it is a hardware key. You can set it up as a Fido2 key, making it as secure as any of the other options here, it is not biometrics.

Like I mentioned, you have to be a little crazy to go that route

LainOfTheWired,
@LainOfTheWired@lemy.lol

Nitrokey would probably be my choice as both the hardware and software are open source (in fact you could probably build your own if you wanted to). I don't trust Yubikey as the firmware that runs on them is closed source, so you just don't know if it's actually secure.

library_napper,
@library_napper@monyet.cc

This. Yubikey is not libre hardware, not sure why they're so popular. I'd avoid any closed-source hardware for security devices. It's a bad idea.

Extrasvhx9he,

Yubikey is kinda the gold standard IMO. Yes, I know Google has their own Titan something, but the other one I know that can rival Yubikey in terms of support and longevity would be Nitrokey. Else I recommend making a poor man's security key using a keyfile on a flash drive to secure your KeePass database.

Potajito,

I use a Yubikey (couldn't choose, it's from work) and I have no issues with it working out of the box (EndeavourOS). I just touch the "button" and it "types" the key.

thisisawayoflife,

Look into SoloKeys and NitroKeys and see if there’s products from those vendors that fit your needs.

nikoof,
@nikoof@feddit.ro

I also recommend Nitrokey. I have a Nitrokey Pro 2 and a Nitrokey 3 NFC and they both work well. Linux support is very good, and they also have good documentation on how to do most stuff you might want to do. +1 for being open-source as well.

magikmw,

Well I might be ignorant of first principles, but I couldn’t get a nitrokey I got for testing to work with anything.

Not that yubikey is easy.

LemmyHead,

Nitrokey isn't fully open source though. The secure element is proprietary. But that's not their fault; OSS secure elements aren't a thing yet, unfortunately, but some companies want to bring a change in that.

sxan,
@sxan@midwest.social

As to why thisisawayoflife recommends these products (over OP’s consideration of Yubico), probably because Solo and Nitro keys are open source hardware and firmware.

Nitro is a German company. Yubico is a Swedish company. I can’t find where SoloKeys is located. However, the OS nature of Solo and Nitro should make that a little less important.

stark,

In my research, I've found SoloKeys may be a US company. They are headquartered in New Jersey and one co-founder is in New York City. However, according to their WHOIS data, the domain was registered in Iceland.

From SoloKey’s Solo 2A+ NFC Security Key product page “Made and programmed in Europe.” solokeys.com/products/solo-2a-nfc-security-key?va…

WorstCase,
@WorstCase@lemmy.world

While KeePass has the ability to use a Yubikey (or similar) as 2FA (the master password is still required), this does not work on the mobile (Android) apps I tried. If you can make it work, please let me know!

Other than that: I got my Yubikey working OK on Linux Mint. But somehow the first login often does not work as expected (you have to touch the key). That is why I don't use it any more as 2FA for computer login.

CorrodedCranium,
@CorrodedCranium@leminal.space

Yubikeys can work with KeePassDX; you just need to install the key driver and have NFC enabled.

Also, I'm pretty sure you are always supposed to touch the key initially when you use it for things like unlocking your KeePass database and whatnot.

superbirra,

Keepass2Android also works.

Scraft161,
@Scraft161@tsukihi.me

I don't have a key yet (which is why I'm asking) and I definitely want it in combination with passwords (they can take the key using force; but they can't take thoughts out of my head just yet).

As for android apps not working with the yubikey: try giving KeePassDX a shot; I got it from F-Droid and it does give me a hardware key field with the option to autofill with "Yubikey challenge-response".

WorstCase,
@WorstCase@lemmy.world

Thanks, I will try again!
