My personal use case is mostly logging in to random websites like GitHub, Binance, Coinbase, possibly Steam (but Steam seems to do its own thing, so if that doesn't work then whatever), maybe also securing my KeePass or something if it supports that.
I've seen the Yubikey, and it looks pretty good (especially with NFC support which, if I understand correctly, would also let me use it on my phone without having to mess with micro USB adapters). Is there a catch or botnet I should be aware of? Are there better, or at least comparable, alternatives?
John Moore
I have 2 yubikeys on my keychain. Use one to open my password manager with a static password it generated when I bought it. Theres more you can do with them though like otp, storing private keys, etc. I use the other one at work to sign commits.
The only alternative I can think of is to buy a smart card but you're gonna have a friendlier experience with a yubikey.
Adrian Martin
Can I ask why two separate ones? From what I've seen you can put a bunch of stuff on one
Joshua Brown
What if you lose it, user?
Carson Turner
>that goes on a keychain
Won't the USB connector get fucked relatively quickly if you carry it around unprotected in your pocket and everywhere?
Christian Ross
He literally said that one is a static password and the other does OTP.
Noah Peterson
It's in pretty rough shape but it works.
I actually have the password it generates in a file on an encrypted drive I keep in a fire/waterproof safe at home... That's the best I can do unless I'm to pay for a safety deposit box lol.
Blake Reed
And my question is: why not put both on one?
Adrian Brown
Because that would be too easy user. Remember, you're on Sup Forums.
Nolan Clark
In one of my last contracts as a reverse engineer, I examined the NXP secure microcontroller used in the Yubikey NEO.
It's perfectly fine for U2F and I strongly recommend that.
By all means use it to sign things or authenticate.
I would recommend that you generate your keys elsewhere and import them, rather than using it to generate RSA, secp256r1, secp256k1 or secp384r1 keys. Research conducted as part of finding ROCA (on the Infineon chipsets) has indicated similar, but possibly not exploitable, properties in the NXP libraries.
Note the ECC routines abuse the hardware RSA multiplier, whose power analysis countermeasures don't operate properly with fields or operands with long runs of 0s and 1s - such as all the NIST (Solinas) primes, or even the curve25519 or curve448 primes. Brainpool would be okay in that context, but you're better off staying off that library for generation. Usage: well, always assume the machine you're plugged into can in fact sign arbitrary things with your key. I was not able to exploit it via NFC; there's actually a tiny optoisolator in there which prevented it!
I wish they'd open the hardware, it would make way more sense at this point now that basically all the countermeasure patents have expired.
But for secret storage like U2F, it's completely okay.
Alexander Brooks
Here's mine; it's been on my keychain for roughly 4 years now, and it's been soaking wet a few times too in the rain.
Still seems to work fine.
Henry Brooks
That's great info, thanks user!
Alright, good to know. Still begs the question as to why not make it like pic related, but if it does hold up to extended use, then fair enough.
Nathaniel Taylor
Why is there no FIDO U2F compatible SmartCard? A card inserted into my laptop seems more convenient and durable than a big USB dongle sticking out of a fragile USB port.
Oliver Lee
Yubikey comes in "nano" versions which barely stick out of the port
Gavin Thomas
I think their biggest customers are enterprise, where it's more important to be cheap
Cooper Bailey
>Alright, good to know. Still begs the question as to why not make it like pic related, but if it does hold up to extended use, then fair enough.
My only guess is that it's thin enough you can put it in a wallet, bag, or even a notebook, and have it relatively well hidden and physically secure. No clue at all, just talking out my ass.
Jason Nelson
Can someone explain to a brainlet how you use these? Is it just a hardware copy-paste tool for a password?
Ayden Howard
You're not a brainlet, user.
I used to call myself that all the time on here but anons called me out.
Zachary Morris
Pretty sure it just pastes a password into whatever field you have.
At least, that's what it actually does when you press the button.
Source: I have two, and they'll paste the OTP anywhere you have your cursor.
Nathan Perez
IIRC it doesn't paste, it types it out. The thingy identifies itself as a USB keyboard and sends keypresses.
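Since the key shows up as a USB keyboard, the "password" that lands in whatever field has focus is a fixed-shape string. The following is an added example, not code from the thread or from Yubico, that takes such a typed Yubico OTP apart. It assumes the documented format: 44 modhex characters, of which the first 12 are the key's public identity and the remaining 32 are a 16-byte AES-encrypted block that only a validation server holding the key's AES secret can decrypt. The sample OTP and the `looks_like_yubico_otp` helper are constructed for this illustration.

```python
# Added example (not from the thread): parsing a Yubico OTP exactly as the key
# "types" it, i.e. the 44 keystrokes that arrive in whichever field has focus.
# Assumed format: 12 modhex characters of public identity followed by a
# 32-character (16-byte) AES-encrypted block. A relying party cannot decrypt
# that block; it can only see which key typed it and forward the OTP for
# validation, so it is safe to parse and log the public ID but never reuse
# the OTP itself.

MODHEX_ALPHABET = "cbdefghijklnrtuv"  # keycodes that are stable across keyboard layouts
OTP_LENGTH = 44
PUBLIC_ID_LENGTH = 12


def modhex_decode(text: str) -> bytes:
    """Decode a modhex string (two characters per byte) into bytes."""
    if len(text) % 2:
        raise ValueError("modhex strings have an even length")
    nibbles = []
    for ch in text:
        idx = MODHEX_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"not a modhex character: {ch!r}")
        nibbles.append(idx)
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def modhex_encode(data: bytes) -> str:
    """Inverse of modhex_decode."""
    return "".join(MODHEX_ALPHABET[b >> 4] + MODHEX_ALPHABET[b & 0x0F] for b in data)


def looks_like_yubico_otp(text: str) -> bool:
    """True if a typed string has the shape of a Yubico OTP.

    Defender-side use: an OTP that lands in a username or password field
    (button pressed with the wrong field focused) is a spent credential that
    should be rejected and must not be stored alongside the password.
    """
    text = text.strip().lower()
    return len(text) == OTP_LENGTH and all(c in MODHEX_ALPHABET for c in text)


def split_otp(otp: str) -> dict:
    """Separate the public identity from the encrypted token part."""
    otp = otp.strip().lower()
    if not looks_like_yubico_otp(otp):
        raise ValueError("not a 44-character modhex Yubico OTP")
    public_id = otp[:PUBLIC_ID_LENGTH]
    return {
        "public_id": public_id,
        "public_id_hex": modhex_decode(public_id).hex(),
        "encrypted_token": modhex_decode(otp[PUBLIC_ID_LENGTH:]),
    }


if __name__ == "__main__":
    # Constructed sample: a made-up public ID plus a made-up 32-character
    # modhex block standing in for the encrypted part.
    sample = "cccccccccccc" + "hknhfjbrjnlnldnhcujvddbikngjrtgh"
    parts = split_otp(sample)
    print("key public id:", parts["public_id"], "=", parts["public_id_hex"])
    print("encrypted token:", parts["encrypted_token"].hex())
```

The modhex alphabet is the reason the OTP survives being "typed" on a French, German or US layout alike: only keys whose scan codes map to the same character everywhere are used. The public ID is what lets a service tell its users' keys apart; the encrypted part carries the counters that make each OTP single-use once the validation server has seen it.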
Ian Davis
Hm, NEO or 4? I like the NFC shit but the 4 seems to be more recent in terms of ciphers and certifications. Or are those memes? Also doesn't seem to have "touch-to-sign", although I don't know what that means, since it claims to support OpenPGP, so couldn't you just use that to sign?
There are a few things you can do with it, but like the above user said, it identifies itself as either a keyboard or a smartcard or whatever and then provides authentication to the PC. My personal primary use case for this would be using TOTP to basically replace shitty smartphone 2FA apps with a dedicated, accessible device - meaning when I want to sign in to something with 2FA (like GitHub), instead of opening an app on my smartphone, checking the code and typing it in, I'd just have the key plugged into my PC and it would type in the code automatically.
Nicholas Green
Any of these things on Aliexpress or gearbest? I didn't know they exist
Aaron Ross
Dunno about you but I wouldn't trust chinkshit with my most important accounts. And for unimportant accounts you probably don't even need 2FA desu