IT: Hello! This is Roger from IT. We've identified a problem with your Okta access and we need to replace your company Yubikey. We've already mailed you a replacement; return your old Yubikey in the box, which will have a return shipping label. Please write down your company email and Yubikey PIN on a sticky note and include it in the box so we can fully remove the old Yubikey from Okta. The delivery is scheduled for today so your work won't be impacted come Monday.
oct-git focuses exclusively on ergonomic use with OpenPGP card-based signing keys
It is designed to be easy to set up, standalone (no long-running processes), and entirely hands-off to use (no repeated PIN entry required, by default). It comes with desktop notifications for touch confirmation (if required).
PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.
Now security keys I get; keep the private key on an airgapped device. That's good. Hell I even keep my 2FA-OTP salts on a YubiKey.
I have upgraded two systems to #Ubuntu 24.04 now and also tried #Thunderbird as snap (which is the default for Ubuntu 24.04) on another machine.
The system upgrades were incredibly smooth. Thunderbird in general also works fine, but it doesn't support #GPG with private keys on a #YubiKey yet (which is my use case). (Yes, there is a workaround, although clunky.)
So it looks like I'll stay on 23.10 a bit longer on my main machine.
My first troublesome hallucination with a #LLM in a while: #Claude3 #Opus (200k context) insisting that I can configure my existing #Yubikey #GPG keys to work with PKINIT with #Kerberos and helping me for a couple of hours to try to do so, before realising that GPG keys aren't supported for this use case. Whoops.
No real bother other than some wasted time, but a bit painful and disappointing.
I'm prepping for my credential rollover and setting up the new @yubico 5C NFC keys they sent me, as I'm a Yubico ambassador. I decided to get the @defcon stickers from Keyport to style the new keys I will be swapping to, as I'm deprecating USB A. Also got new Keyport covers for backups and to swap out my current ones for a different style.
If you own a modern #YubiKey, you might know that you can use the YubiKey Manager to enable/disable the applications & interfaces it provides.
What you probably didn't know: You can password-protect this setting using the command-line version of the Manager, with the ykman config set-lock-code command.
If you lose that lock code, you can't change the setting anymore, ever.
If it's not yet set, others with physical access to your key could disable everything, set a code and lock you out. 😬
I'm about to buy a new #YubiKey (or maybe even two), and I'm a bit undecided between two models, the 5C (picture 1) and the 5C NFC (picture 2).
Who of you has either of these models, or even both, and can say something about the build quality?
I already own a 5 NFC (picture 3), i.e. with a USB A connector. This thing is rock solid. It's been on my keychain for years and would probably survive another 5 to 10, but picture 4 from a review with "one year on the keyring" made me pause.
Pro:
• stored safely on protected hardware
• secret "cannot" be extracted
• can access TOTP codes from an untrusted device, e.g. if my phone's battery is empty
Con:
• backing up the secrets is "not possible"
• having a second YubiKey for redundancy is recommended, but both need to be present when setting up a new secret (or you need to store a copy of the secret somewhere else)
• only has 32 slots (but I only have 23 TOTPs atm)
Why does #Sharkey / #Misskey need an "authenticator app" registered before you can use a hardware key? That doesn't make sense #security wise.
Yeah I know it's to prevent people from just accidentally getting locked out of their accounts, but there should be an option for #FediAdmins to allow this risk. 🤔
This is more of a security question, but I currently know way more people on ruby.social than infosec.exchange. I want to use a #Yubikey for #SMIME or #GPG signing on #iOS & #iPadOS, but can't find:
Any documentation about how to integrate it with Apple Mail.
Anyplace that offers #x509 certificates for S/MIME at zero or minimal cost the way @letsencrypt offers free #SSL certs.
Self-signed S/MIME certs are a non-starter, and there are no full-featured #OpenPGP apps on iOS. Suggestions?
In light of the news that Authy is discontinuing their desktop app in August of 2024, we want to let everyone know that Tuta supports all major authenticator apps & U2F keys. 🔐
No need to worry about compatibility when making the jump to a new authenticator app. 🤹
I've been thinking about getting a hardware security key and have heard of yubikey before; but I want to see what my options are and if they are worth it in your opinion.
My current setup is a local KeePassXC database (that I sync between my PC and phone and also acts as TOTP authenticator app), I know that KeePass supports hardware keys for unlocking the database.
I am personally still of the belief that passwords are the safest when done right; but 2FA/MFA can greatly increase security on top of that (again, if done right).
The key should work together with already existing passwords, not replace them.
As I use Linux as my primary OS, I do expect it to be supported, and anything that doesn't support it I will have to pass on.
PS: What are the things I need to know about these hardware keys that aren't talked about much? I am very much delving into new territory and want to make sure I'm properly educated before I dive in.
I'm (desperately) trying to secure my password manager #strongbox on iOS with a #Yubikey 5C NFC and could use some help with it. Many thanks in advance 🙂
Boosts welcome too.