Physical Keys (YubiKey, etc)

By jnelsoninjax
in Smart Home, Network & Security

 Share

Recommended Posts

Grand Master

adrynalyne

Posted
Posted (edited)
  On 30/04/2021 at 13:52, jnelsoninjax said:

Is there any difference in the physical keys made by Google or YubiKey, etc? Do they all function the same way?

Expand  

They might provide some overlap features, but no. Google’s key is more limited (not talking about connectivity), and the last I checked, just as expensive as Yubikey. Plus I don’t trust Google with something like that. 

Grand Master

jnelsoninjax

Posted
  • Author
Posted
  On 30/04/2021 at 14:11, adrynalyne said:

They might provide some overlap features, but no. Google’s key is more limited (not talking about connectivity), and the last I checked, just as expensive as Yubikey. Plus I don’t trust Google with something like that. 

Expand  

How about Solokeys? They are billing themselves as open source. Paging @BudMancan I get your insight?

Grand Master

adrynalyne

Posted
Posted (edited)
  On 30/04/2021 at 14:13, jnelsoninjax said:

How about Solokeys? They are billing themselves as open source.

Expand  

I don’t know enough about them to say either way. 
 

I guess I should clarify my last comment. Yubikey has different types of keys. Their full-featured one has more features. Their FIDO/2 keys are more comparable to what Google and Solokey offers. AFAIK, Yubikey firmware also offers some open source, but I don’t know to what extent. 
 

 

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

What is your planned use for whatever key you might happen to get?

 

I have a hard time justify their use for most things to be honest.  What is the scenario that you will use it?  To auth to some site on your phone or your phone itself even - so your really going to carry this key with you, along with your phone?  And pop it out every time you need to do xyz?

 

Are you going to use it to log into your computer - in your house?  Really?  Or you going to just leave it plugged into your PC all the time?

 

Now if you were going to use it say access your bank website that you only access on rare occasions, or maybe to access your crypto exchange account.

 

Don't get me wrong - they do have their use for sure.. But without the scenarios you plan on using it..

 

Keeping in mind that all security is always going to be something extra that has to be done.. The more "extra" that thing is - the less likely it will ever be used.  Or will be circumvented for ease of use that defeats the whole purpose.

 

Give you a perfect example of this in a work environment, with IT professionals.. So to login to the laptops you needed tiks card, got specific certs on it, etc. Because the laptop drive is encrypted.  What your suppose to do is carry said card in your wallet.  And place into the laptop when your using it, then say when you go home and putting the laptop in your bag where it might be stolen.. Or really even say you were going out for a business lunch or something and leaving your laptop at the desk.  The card should go with you.. 

 

Guess what happens.. Users just left the card in their laptops 24/7 - shoot they even cut off the end of the card so it didn't stick out so they could just slide it into their bags when leaving.  So they leave said laptop bag in their car, and it gets stolen, or leave it in the uber or bus.. The whole point of the 2fa auth token is defeated because it was "too much" effort to take it in and out ;)

 

So I ask - what is the scenario of use?  Are you going to put the key in a safe place - and only use it to access your crypo/bank account which is something you don't do every day?  Or you plan on using it to auth to say neowin ;)  Which you do every day, or multiple times a day.. So the thing ends up sticking out the usb port of your PC 24/7/365 ;)

 

My 2fa is my phone.. I have it with my 24/7/365 - other than when sleeping (right next to me) or taking a shower - again most likely on the sink in the bathroom with me..  What are you going to do with this key?  Are you going to carry it with you on a chain around your neck.. And put it into a device, and take it out the device every time you need to auth?

Grand Master

adrynalyne

Posted
Posted (edited)
  On 30/04/2021 at 19:08, BudMan said:

What is your planned use for whatever key you might happen to get?

 

I have a hard time justify their use for most things to be honest.  What is the scenario that you will use it?  To auth to some site on your phone or your phone itself even - so your really going to carry this key with you, along with your phone?  And pop it out every time you need to do xyz?

 

Are you going to use it to log into your computer - in your house?  Really?  Or you going to just leave it plugged into your PC all the time?

 

Now if you were going to use it say access your bank website that you only access on rare occasions, or maybe to access your crypto exchange account.

 

Don't get me wrong - they do have their use for sure.. But without the scenarios you plan on using it..

 

Keeping in mind that all security is always going to be something extra that has to be done.. The more "extra" that thing is - the less likely it will ever be used.  Or will be circumvented for ease of use that defeats the whole purpose.

 

Give you a perfect example of this in a work environment, with IT professionals.. So to login to the laptops you needed tiks card, got specific certs on it, etc. Because the laptop drive is encrypted.  What your suppose to do is carry said card in your wallet.  And place into the laptop when your using it, then say when you go home and putting the laptop in your bag where it might be stolen.. Or really even say you were going out for a business lunch or something and leaving your laptop at the desk.  The card should go with you.. 

 

Guess what happens.. Users just left the card in their laptops 24/7 - shoot they even cut off the end of the card so it didn't stick out so they could just slide it into their bags when leaving.  So they leave said laptop bag in their car, and it gets stolen, or leave it in the uber or bus.. The whole point of the 2fa auth token is defeated because it was "too much" effort to take it in and out ;)

 

So I ask - what is the scenario of use?  Are you going to put the key in a safe place - and only use it to access your crypo/bank account which is something you don't do every day?  Or you plan on using it to auth to say neowin ;)  Which you do every day, or multiple times a day.. So the thing ends up sticking out the usb port of your PC 24/7/365 ;)

 

My 2fa is my phone.. I have it with my 24/7/365 - other than when sleeping (right next to me) or taking a shower - again most likely on the sink in the bathroom with me..  What are you going to do with this key?  Are you going to carry it with you on a chain around your neck.. And put it into a device, and take it out the device every time you need to auth?

Expand  

I’m not OP but I will give you my uses for it. 
 

My Yubikey stays with me at all times, on my key chain. I use it where I can, but mostly to add additional protection to LastPass, GitHub repos, and Gmail accounts. I have several keys that are setup for these sites. In addition, I carry my Authenticator info on my keys, so I can install Yubikey Authenticator safely on any machine and if the key isn’t plugged in, the cycling OTPs aren’t present. A FIDO/2 key isn’t going to be as useful to someone like me. 
 


 

 

Grand Master

jnelsoninjax

Posted
  • Author
Posted
  On 30/04/2021 at 19:08, BudMan said:

What is your planned use for whatever key you might happen to get?

 

I have a hard time justify their use for most things to be honest.  What is the scenario that you will use it?  To auth to some site on your phone or your phone itself even - so your really going to carry this key with you, along with your phone?  And pop it out every time you need to do xyz?

 

Are you going to use it to log into your computer - in your house?  Really?  Or you going to just leave it plugged into your PC all the time?

 

Now if you were going to use it say access your bank website that you only access on rare occasions, or maybe to access your crypto exchange account.

 

Don't get me wrong - they do have their use for sure.. But without the scenarios you plan on using it..

 

Keeping in mind that all security is always going to be something extra that has to be done.. The more "extra" that thing is - the less likely it will ever be used.  Or will be circumvented for ease of use that defeats the whole purpose.

 

Give you a perfect example of this in a work environment, with IT professionals.. So to login to the laptops you needed tiks card, got specific certs on it, etc. Because the laptop drive is encrypted.  What your suppose to do is carry said card in your wallet.  And place into the laptop when your using it, then say when you go home and putting the laptop in your bag where it might be stolen.. Or really even say you were going out for a business lunch or something and leaving your laptop at the desk.  The card should go with you.. 

 

Guess what happens.. Users just left the card in their laptops 24/7 - shoot they even cut off the end of the card so it didn't stick out so they could just slide it into their bags when leaving.  So they leave said laptop bag in their car, and it gets stolen, or leave it in the uber or bus.. The whole point of the 2fa auth token is defeated because it was "too much" effort to take it in and out ;)

 

So I ask - what is the scenario of use?  Are you going to put the key in a safe place - and only use it to access your crypo/bank account which is something you don't do every day?  Or you plan on using it to auth to say neowin ;)  Which you do every day, or multiple times a day.. So the thing ends up sticking out the usb port of your PC 24/7/365 ;)

 

My 2fa is my phone.. I have it with my 24/7/365 - other than when sleeping (right next to me) or taking a shower - again most likely on the sink in the bathroom with me..  What are you going to do with this key?  Are you going to carry it with you on a chain around your neck.. And put it into a device, and take it out the device every time you need to auth?

Expand  

Honestly I was just asking because I read an article on Gizmodo that suggested that we should be using them as opposed to the cell phone, so I am not sure that I am going to buy any, it was mainly just a question for my own information.

Grand Master

Yusuf M. Veteran

Posted
  • Veteran
Posted
  On 30/04/2021 at 20:04, jnelsoninjax said:

Honestly I was just asking because I read an article on Gizmodo that suggested that we should be using them as opposed to the cell phone, so I am not sure that I am going to buy any, it was mainly just a question for my own information.

Expand  

It's great for security and arguably the best in terms of what's generally available. The thing is, it's overkill for the vast majority of typical use cases. Online banking and cryptocurrency exchange accounts come to mind but so few banks even offer 2FA, let alone support for physical security keys. Personally, I'd only use it for cryptocurrency stuff. In most cases, using an authenticator app is good enough.


With that said, I don't think there's anything wrong with using it out of curiosity. SoloKeys seems like a good one because it uses open source firmware.

Grand Master

adrynalyne

Posted
Posted
  On 05/05/2021 at 03:50, Yusuf M. said:

It's great for security and arguably the best in terms of what's generally available. The thing is, it's overkill for the vast majority of typical use cases. Online banking and cryptocurrency exchange accounts come to mind but so few banks even offer 2FA, let alone support for physical security keys. Personally, I'd only use it for cryptocurrency stuff. In most cases, using an authenticator app is good enough.


With that said, I don't think there's anything wrong with using it out of curiosity. SoloKeys seems like a good one because it uses open source firmware.

Expand  

Agreed on it being overkill for a lot of people. I do everything overkill though.

Grand Master

neufuse Veteran

Posted
  • Veteran
Posted
  On 05/05/2021 at 03:50, Yusuf M. said:

It's great for security and arguably the best in terms of what's generally available. The thing is, it's overkill for the vast majority of typical use cases. Online banking and cryptocurrency exchange accounts come to mind but so few banks even offer 2FA, let alone support for physical security keys. Personally, I'd only use it for cryptocurrency stuff. In most cases, using an authenticator app is good enough.


With that said, I don't think there's anything wrong with using it out of curiosity. SoloKeys seems like a good one because it uses open source firmware.

Expand  

few banks offer 2FA? I haven't come across one that didn't in years... even local banks around me that are smaller have it

Grand Master

adrynalyne

Posted
Posted
  On 05/05/2021 at 16:44, neufuse said:

few banks offer 2FA? I haven't come across one that didn't in years... even local banks around me that are smaller have it

Expand  

Yeah but do they offer FIDO/2 ?


OP I think was only looking at these keys. 

Grand Master

neufuse Veteran

Posted
  • Veteran
Posted
  On 05/05/2021 at 16:48, adrynalyne said:

Yeah but do they offer FIDO/2 ?


OP I think was only looking at these keys. 

Expand  

no, but I was replying to this line "but so few banks even offer 2FA, let alone support for physical security keys."

Grand Master

jnelsoninjax

Posted
  • Author
Posted
  On 05/05/2021 at 20:40, neufuse said:

no, but I was replying to this line "but so few banks even offer 2FA, let alone support for physical security keys."

Expand  

My credit union has OTK that they send via SMS whenever you call and talk to them, and 2FA via SMS on the mobile app.

Grand Master

neufuse Veteran

Posted
  • Veteran
Posted
  On 05/05/2021 at 20:48, jnelsoninjax said:

My credit union has OTK that they send via SMS whenever you call and talk to them, and 2FA via SMS on the mobile app.

Expand  

My bank is so secure they wont let you change anything about your account unless you do it at the original branch.... problem for me is the original branch closed  😆 every time I call in for something they want a password and the location I took out my first account at.... which is a bit ridicilous... and to close an account you have to visit the original branch.. maybe that is something to stop you from closing it? lol....

Grand Master

spaceelf

Posted
Posted
  On 30/04/2021 at 13:52, jnelsoninjax said:

Is there any difference in the physical keys made by Google or YubiKey, etc? Do they all function the same way?

Expand  

I have both.  Googles can't be used by default with Windows 10, but it obviously works for websites.  They function similarly but you can set a pin on the Yubikey (and promptly forget whatever the hell it was heh.)

 

Checking if the Yubikey can work for logins now.  I really don't know, but they have some software for it.

Grand Master

ThaCrip

Posted
Posted (edited)

Just a small comment ill add about YubiKey's...

 

those who want to use these basically need two of them at minimum. one for general use and one for a backup stored in a secure location. that helps ensure you won't get locked out of your Google account for example since you register both keys to the account. so even if you lose one, you can always use the backup to sign-in to the Google account, remove the lost key, then you can simply buy another key and register that to the account and you will now have two keys registered once again.

 

p.s. I just have two of the standard/basic YubiKey's. but currently they are a bit pricier than what I paid for mine not all that long ago as for a couple of the basic ones it's $49 now where as I got two at a discount for $30. because for the price I paid it was nice peace of mind, but at $49 I could easily see how some might have second thoughts about using them as at that price it's a little steep. NOTE: YubiKey's work on Linux Mint but not by default. but it's easy enough to get them working as you just copy and paste the text from... https://github.com/Yubico/libu2f-host/blob/master/70-u2f.rules to a file (just load up Text Editor(Xed)) named '70-u2f.rules' and save it to "/etc/udev/rules.d/" then reboot. works on Chrome/Firefox (may work on other browsers but I never tested). but I noticed if a person is running their browser in Firejail (sandbox), to sign into ones Google account for example, you got to run the browser normally, sign-in into ones Google account with the YubiKey, then exit the browser, reload it in the Firejail sandbox and you will be fine here since it's using the cookie from previous session.

Edited by ThaCrip
Grand Master

Mindovermaster Global Moderator

Posted
  • Global Moderator
Posted
  On 05/05/2021 at 21:34, neufuse said:

My bank is so secure they wont let you change anything about your account unless you do it at the original branch.... problem for me is the original branch closed  😆 every time I call in for something they want a password and the location I took out my first account at.... which is a bit ridicilous... and to close an account you have to visit the original branch.. maybe that is something to stop you from closing it? lol....

Expand  

I'd move to a new bank, if I were you...

Grand Master

Tantawi

Posted
Posted
  On 05/05/2021 at 21:34, neufuse said:

My bank is so secure they wont let you change anything about your account unless you do it at the original branch.... problem for me is the original branch closed  😆 every time I call in for something they want a password and the location I took out my first account at.... which is a bit ridicilous... and to close an account you have to visit the original branch.. maybe that is something to stop you from closing it? lol....

Expand  

Is your bank located in Egypt? :D that experience is awfully familiar to one I had...

Grand Master

Mindovermaster Global Moderator

Posted
  • Global Moderator
Posted
  On 06/05/2021 at 03:28, adrynalyne said:

Why because it’s secure? 

Expand  

Not saying it's secure, just saying you can't do anything unless you come to the main branch.

 

  On 06/05/2021 at 03:09, neufuse said:

not exactly easy when you have a mortgage there, that's an expensive move

Expand  

Oh, that says a lot...

Grand Master

adrynalyne

Posted
Posted
  On 06/05/2021 at 13:25, neufuse said:

what's a minor inconvenience? moving a mortgage that will cost a few thousand dollars in fees to do? 😂

Expand  

No, not that lol. Going to a branch to change certain info. 

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.