Stepping up my security game!
This just showed up today!

Isn't it cheaper to make one yourself?

@athlon maybe but not if I want the NFC functionality.

@bhouston well, I'm convinced

@athlon The official once support a wide range of applications (should not sound like an ad):

- OpenPGP Emulation -> Can be used as an SSH-Key if I'm not mistaken

- PKCS#11 Encryption

- HOTP (TOTP only with Software assist) and Yubikey OTP

- U2F / FIDO2 (login by pressing the button)

- Storage of a static password

@sbiewald you are correct about the ssh key.

Need to see how to set that up but I know it is possible.

@bhouston just add the "enable-ssh-socket" option in your config and change the ssh socket env variable. I've been doing that for the last year or so. Watch out on accidental pushing the otp. There's proof of concepts for tracking with it, alot of security concerned people that turn it off because of that.

Yeah I use a pair of yubikeys for ssh auth. They're pretty great.

📌

Nice, I also need to get me those

@xzvf https://devrant.com/rants/1239403/...

Ive been using one eveyday for the last year or so and it’s not that great. Maiy because any person that has pysical access to your laptop, can boot in safe user mode and remove the pem check so it doesnt check it during login.

I think it still doesnt support the latest macos (it doesnt ask for yubikey and password after resuming from lock or sleep). I wouldnt call the installation straightforward for an average user (editing pem files amd escuting shell scripts)

It works for ssh as far as I know, and combines well with lastpass. So its way better than having nothing. But for some iso norms we are still exploring other options.

Ow they break easily especially the non usb-c ones. We had some duing because of a.bit of rain or snapping because they stick out of the laptop so much. They feel cumbersome, id rather see a mini format like the ones you see with wireless mice with a pressable side button

📌

Too bad nitrokey doesn't have NFC :(

@xzvf @ViRaS They never replied to me. Still have it laying somewhere in the original packaging, untouched...

@linuxxx So the yubikey still got delivered.
Did you order the nitrokey then ?

@ViRaS Nope, not enough features for me :/

The NEO only has 2048 bit RSA/PGP, which makes it incompatible with my keyring :( I do use the standard Yubikey 4 and it has USB OTG support with my phone

Nice!
I have a collection of these things. Use them for developing U2F enabled applications.

@jareish many of these points are valid. some aren't imo. I don't use the yubikey OTP. it's not open source, it requires connection to their servers, etc. lame.

however! the PKI and challenge response more than make up for it. I use mine mostly to carry my private keys on me. great for ssh.

anyone who has physical access to your computer, let's be honest, they own it. unless you have full disk encryption and a TPM, you're just done for. if an unauthenticated user can get a login screen, a grub prompt, or anything beyond a drive decryption prompt, physical access is the end for you. no external device, complex password scheme, or 17FA will save you.

(not being elitist. I dont enable full hard drive encryption. but I'm willing to accept that level of risk. I don't like arguments like "not safe because physical access ..." because nothing is safe really under that condition)

@deadPix3l you can implement your own OTP server if you wish.
https://developers.yubico.com/Softw...

@mrgadget wow! thank you! either my search was not good last time I checked (like a year or two ago), or this is new. either way, thx for this!

Aren't you sort of screwed if you lose it, or leave it at home one day (and need it at work?)

@kzisme
You usually set up the key as an addition or alternative only.

For login: Key + PIN or normal password.
For 2FA: (password +) key or TOTP codes or backup codes.

It is certainly not nice to loose them - as one can use them for e.g. SSH, but if you prepare properly, loosing one key is not that bad.

Set a few of my clients up with them. They use them as active directory smart cards and oh man is it awesome.