It’s pretty terrible that #Apple introduced hardware #Security Keys support (e.g., #YubiKey) for Apple ID six months ago and #Windows users are still locked out if they enable it.
Good news everybody! Through an unscheduled field test I have confirmed that a #yubikey will survive being run over on a road, and that a car key will partially survive, the chip works but the remote lock is kaput.
Is anyone else just a little concerned that the rush towards copyable #passkeys (as against hardware bound such as a #YubiKey) is still a single factor #InfoSec risk? I’m quite happy having a #passkey instead of a password as one factor, so long as I can still add MFA to it, but I’m concerned that this isn’t going to be implemented in most cases.
@gracjan yes! #yubikey or other suitable alternative I like as well. I have one and I use it when I can, despite its physical limitations (mostly, me having to get off my butt).
Interested to see how #passkey will improve or make the situation worse.
Something I really like about my new #YubiKey, specifically using it for signing #Git commits, is that once I unlock it, it stays unlocked until I unplug it (and maybe until I lock the computer, too).
Newbie question: what is the best #mfa #authentication method for #offline networks? I am playing around with a lab environment where I want good mfa inside but don’t want it to connect to the internet. My current point of view is: I cannot place #Fido there since it "needs" internet in many ways... right? My current way of thinking is I build a PKI into this network and use it with #yubikey acting as a Smartcard but not #u2f or #fido2. Am I wrong? Are there better options?
In case it helps someone else: To change the #OpenPGP smartcard PIN on my #YubiKey, gpg --change-pin does NOT work for some reason. Using gpg --card-edit and putting admin and then passwd into the prompt lets me do it though.
I already have a THETIS key, so I'll make that one the designated backup and the #Yubikey the primary.
The main complaint I have, although I understand it's a physical cap, is that I can only add 32 accounts to Yubico Authenticator. I have a lot more than 32 accounts (KeePass says only 42 are set up with TOTP, and I have about 292 known accounts).
Passkeys scare me because they are really just device vendor lock-in and can have devastating repercussions if something goes wrong. What if I'm traveling overseas and lose my phone? Do I have to travel with a bunch of passkey recovery keys written on a piece of paper? That seems to defeat the whole purpose. I too want all these questions answered before I use passkeys.
@grumpygamer
You might be conflating "vendor lock-in" with "only having a single device", but yes, your concern is valid. The recommended approach to "what if I have a single passkey and I lose my keychain device" is "have multiple devices".
For example I can log in to my Google account using either my desktop (Windows) or phone (iOS) because I created two keys. But for my bank I would probably only use my two #yubikey sticks.
Vendor lock-in is a real problem, but in the case of #passkeys it's pretty easy to get around if you have multiple devices (such as your phone and laptop, or phone and yubikey).
The number of people for whom #encryption and #privacy will be a matter of life or death is increasing and this trend will only continue to intensify.
For the sake of your #safety and that of your loved ones, please prepare now.
This needs to be a pervasive conversation people keep hearing from every direction so they realise this is real and not some paranoid nerds just being weird.
Start refusing to discuss sensitive topics through insecure means. Don't allow people to endanger themselves.
@yubico sells hardware devices that allow you to authenticate with a wide and growing number of services in a far more secure way than through codes texted to you that can be intercepted and re-routed or just malfunction and not arrive. They cost money, but $50 is a low price to put on safety and security in an increasingly digital world.
You can also use a #YubiKey to manage the (typically) 6-digit time-based codes for logins in a more secure and convenient way that doesn't require your phone.
20 years from now, when entering a password to log in to a site is as antiquated as sending a fax is now, people are going to read the comments responding to my recent passkey stories and just shake their heads. The number of know-nothings second-guessing the hundreds of engineers who developed WebAuthn is just mind-boggling. The edge cases these know-nothings use to show why passwords, which they all have spent years hating on, are more secure are breathtaking. History is going to mock these people hard.
Looks like I replied late and didn't read your further comments. So let me just say that I agree with you. Personally I use #yubikey plus PIN or password for my more secure logins.
Finally got my @nitrokey 3C NFC today, and immediately updated firmware to 1.4.0-rc with OpenPGP support. Works like a charm, and having an open firmware I can simply install myself is a huge advantage over the #YubiKey!
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don't turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.
We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.
Why is this bad?
Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access .... 🧵
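As an added illustration of the point above (not part of the original thread): parsing the seed out of an enrolment QR code's otpauth:// URI and deriving RFC 6238 codes from it shows that whoever holds the seed, the user or a server it was synced to, computes exactly the same one-time codes. The URI is a constructed test value (its secret is the RFC 6238 test key), not real account data.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample of the otpauth:// URI encoded in a 2FA enrolment QR code.
# The secret is the public RFC 6238 test key ("12345678901234567890" in base32),
# not a real account seed.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")


def parse_otpauth(uri):
    """Return (label, secret_bytes, digits, period) from an otpauth://totp URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parsed.query)
    secret = params["secret"][0].upper().rstrip("=")
    secret += "=" * (-len(secret) % 8)  # base32 input must be padded to a multiple of 8
    return (unquote(parsed.path.lstrip("/")), base64.b32decode(secret),
            int(params.get("digits", ["6"])[0]), int(params.get("period", ["30"])[0]))


def totp(secret, unix_time, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on the seed and the time step."""
    counter = struct.pack(">Q", int(unix_time) // period)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def codes_match(uri, unix_time):
    """Model the user and any other holder of the synced seed: both derive the same code."""
    _, secret, digits, period = parse_otpauth(uri)
    user_code = totp(secret, unix_time, digits, period)
    other_holder_code = totp(secret, unix_time, digits, period)
    return user_code == other_holder_code, user_code


def current_code(uri):
    """What an authenticator app would display right now for this enrolment."""
    _, secret, digits, period = parse_otpauth(uri)
    return totp(secret, time.time(), digits, period)
```

The seed is the only secret in the scheme, which is why a sync service that can read it can also mint valid codes; protecting it with a user-held passphrase (or keeping it on a hardware token) is what keeps the second factor second.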
For a handful of reasons, I now have more #Yubikey devices than I know what to do with. Already have primary/backup/remote backup keys. For various reasons I would be uncomfortable giving them away. Are there any fun projects that a Yubikey could be useful for?
Maybe slot it into a server at home and touch to open SSH for a fixed period? Touch-on-boot to unlock disk encryption? Anyone built something cool here before? Looking for "interesting hobby project" more than "security excellence" :)
It is so nice to finally have my whole company as well as my personal computers on hardware encryption, pgp key enabled, password store behind pgp key, yubikey based pgp card, and ssh key using my pgp key through yubikey.
Other than being more secure, it also means I don't need to back up my ssh keys or password store credentials; it's all reproducible from my pgp keys.