Hardware security key options?
I’ve been thinking about getting a hardware security key and have heard of yubikey before; but I want to see what my options are and if they are worth it in your opinion.
My current setup is a local KeePassXC database (that I sync between my PC and phone and also acts as TOTP authenticator app), I know that KeePass supports hardware keys for unlocking the database.
I am personally still of the belief that passwords are the safest when done right; but 2FA/MFA can greatly increase security on top of that (again, if done right).
The key work work together with already existing passwords, not replace them.
As I use linux as my primary OS I do expect it to support it and anything that doesn’t I will have to pass on.
PS: what are the things I need to know about these hardware keys that’s not being talked about too much, I am very much delving into new territory and want to make sure I’m properly educated before I delve in.
@linux @technology@lemmy.ml @technology@lemmy.world @privacy #2FA #MFA #yubikey #InfoSec #CyberSecurity
There’s a Swedish startup named Tilitis making open source, verifiably secure hardware keys, but they’re not well supported at the moment.
Yubikey probably has the widest support for things like password managers and automatic sign in.
Just +1 to Tillitis, they’re doing awesome stuff with FOSS hardware.
Nitrokey would probably be my choice as both the hardware and software are open source( in fact you could probably build your own if you wanted to). I don’t trust yubikey as the firmware that runs on them is closed source so you just don’t know of it’s actually secure.
This. Yubikey is not libre hardware, not sure why they’re so popular. I’d avoid any closed-source hardware for security devices. Its a bad idea.
Yubikey and OnlyKey are the only hardware keys that work with keepassxc. So if that’s a requirement for you, then those are your only options. This is true for me as well.
They cover this in their docs and faq page: https://keepassxc.org/docs/#faq-yubikey-2fa. OnlyKey is an unknown to me while I’ve heard of Yubikey for years.
I’m using yubikeys. Works fine on Linux and Android.
If you’re insane this company makes hardware keys that you can implant under your skin and read via nfc https://dangerousthings.com/product/apex-flex/
(There is also a ring version if for some reason you don’t want to shove a microchip inside you 🫣)
Let’s *NOT* go that route.
I’m very much looking for a hardware key to avoid biometrics (I can have a field day expressing my opinions on those; but in general they tend to be the weakest MFA factor and most have known working bypasses based on photos).
This leans a little too close to that for me to consider, let alone all of the things you have to consider when putting implants in your body.Just wanted to add something different from the other posts, definately not recommending it.
That being said, it is a hardware key. You can set it up as a Fido2 key, making it as secure as any of the other options here, it is not biometrics.
Like I mentioned, you have to be a little crazy to go that route
Thanks for this, I’ve actually been seriously considering a microchip implant for a while, is it open source? I don’t want proprietary code inside me if I can help it.
I’ve had a magnet embedded in my pinky for about 7 years now. It’s wild fun having an extra sense, I’ve actually been planning its replacement as it’s gotten much weaker the last year or so. Neodymium magnets do eventually lose their charge, and heat causes it to happen faster.
I use Yubikey 5 NFC and Canokey Pigeon, both works out of box on Linux.
When I did some research on hardware keys I was between Yubikey and Nitrokey. I ended up going with Yubikey because KeepassXC supported it.
Something to keep in mind is purchasing a backup key. I bought one for my wife and we use each other’s as a backup.
For KeepassXC it does not support registering multiple keys (at least not that I have figured out), so I have a copy of my database where it uses my wife’s key as a backup.
Crazy coincidence that I was just researching hardware keys today. Why go with a hardware key over a free, open source TOTP generator like Aegis?
For many TOTP may be a good option; but my experience with TOTP has been less than subpar.
Initially I did use TOTP like you’re supposed to; but after my last phone died I had to set up TOTP on the accounts that used it *after* getting into them without it using backup codes.
This lead me to put the TOTP stuff inside my KeePass vault (as KeePassXC supports TOTP) which is backed up (unlike most TOTP solutions I’ve used).
The problem now is that my 2FA keys are stored in the same location as my passwords… (not that I’m worried about someone breaking the vault; but this is *not* how 2FA is supposed to work).Additionally I have some other issues with TOTP that make it far from ideal for me and hardware keys seem to be a good fit to solve my issues with TOTP.
On average, Vatican has two popes per square kilometer.
EDIT: My bad, wrong thread.
Yubikey is kinda the gold standard IMO. Yes, I know google has their own titan something ~but the other one I know that can rival yubikey in terms of support and longevity would be nitrokey.~ Else I recommend making a poor man’s security key using a keyfile and a flashdrive to secure your keepass database
Edit: forgot about nitrokey’s overly sensational claims about a backdoor on Qualcomm chips a while back, that kinda stained my view on their company now. Just get a yubikey sure theres no firmware upgrades and whatnot but its good enough for now. Also heard good things about onlykeys
I use a yubikey (couldn’t chose, it’s from work) and I have no issues with it working out of the box (endevour os). I just touch the “button” and it “types” the key.