Physical Keys (YubiKey, etc)

[jnelsoninjax]

Is there any difference in the physical keys made by Google or YubiKey, etc? Do they all function the same way?

[adrynalyne]

18 minutes ago, jnelsoninjax said:

Is there any difference in the physical keys made by Google or YubiKey, etc? Do they all function the same way?

They might provide some overlap features, but no. Google’s key is more limited (not talking about connectivity), and the last I checked, just as expensive as Yubikey. Plus I don’t trust Google with something like that. 

[jnelsoninjax]

3 hours ago, adrynalyne said:

They might provide some overlap features, but no. Google’s key is more limited (not talking about connectivity), and the last I checked, just as expensive as Yubikey. Plus I don’t trust Google with something like that. 

How about Solokeys? They are billing themselves as open source. Paging @BudMancan I get your insight?

[adrynalyne]

9 minutes ago, jnelsoninjax said:

How about Solokeys? They are billing themselves as open source.

I don’t know enough about them to say either way. 
 

I guess I should clarify my last comment. Yubikey has different types of keys. Their full-featured one has more features. Their FIDO/2 keys are more comparable to what Google and Solokey offers. AFAIK, Yubikey firmware also offers some open source, but I don’t know to what extent. 
 

 

[+BudMan MVC]

What is your planned use for whatever key you might happen to get?

 

I have a hard time justify their use for most things to be honest.  What is the scenario that you will use it?  To auth to some site on your phone or your phone itself even - so your really going to carry this key with you, along with your phone?  And pop it out every time you need to do xyz?

 

Are you going to use it to log into your computer - in your house?  Really?  Or you going to just leave it plugged into your PC all the time?

 

Now if you were going to use it say access your bank website that you only access on rare occasions, or maybe to access your crypto exchange account.

 

Don't get me wrong - they do have their use for sure.. But without the scenarios you plan on using it..

 

Keeping in mind that all security is always going to be something extra that has to be done.. The more "extra" that thing is - the less likely it will ever be used.  Or will be circumvented for ease of use that defeats the whole purpose.

 

Give you a perfect example of this in a work environment, with IT professionals.. So to login to the laptops you needed tiks card, got specific certs on it, etc. Because the laptop drive is encrypted.  What your suppose to do is carry said card in your wallet.  And place into the laptop when your using it, then say when you go home and putting the laptop in your bag where it might be stolen.. Or really even say you were going out for a business lunch or something and leaving your laptop at the desk.  The card should go with you.. 

 

Guess what happens.. Users just left the card in their laptops 24/7 - shoot they even cut off the end of the card so it didn't stick out so they could just slide it into their bags when leaving.  So they leave said laptop bag in their car, and it gets stolen, or leave it in the uber or bus.. The whole point of the 2fa auth token is defeated because it was "too much" effort to take it in and out

 

So I ask - what is the scenario of use?  Are you going to put the key in a safe place - and only use it to access your crypo/bank account which is something you don't do every day?  Or you plan on using it to auth to say neowin   Which you do every day, or multiple times a day.. So the thing ends up sticking out the usb port of your PC 24/7/365

 

My 2fa is my phone.. I have it with my 24/7/365 - other than when sleeping (right next to me) or taking a shower - again most likely on the sink in the bathroom with me..  What are you going to do with this key?  Are you going to carry it with you on a chain around your neck.. And put it into a device, and take it out the device every time you need to auth?

[adrynalyne]

30 minutes ago, BudMan said:

What is your planned use for whatever key you might happen to get?

 

I have a hard time justify their use for most things to be honest.  What is the scenario that you will use it?  To auth to some site on your phone or your phone itself even - so your really going to carry this key with you, along with your phone?  And pop it out every time you need to do xyz?

 

Are you going to use it to log into your computer - in your house?  Really?  Or you going to just leave it plugged into your PC all the time?

 

Now if you were going to use it say access your bank website that you only access on rare occasions, or maybe to access your crypto exchange account.

 

Don't get me wrong - they do have their use for sure.. But without the scenarios you plan on using it..

 

Keeping in mind that all security is always going to be something extra that has to be done.. The more "extra" that thing is - the less likely it will ever be used.  Or will be circumvented for ease of use that defeats the whole purpose.

 

Give you a perfect example of this in a work environment, with IT professionals.. So to login to the laptops you needed tiks card, got specific certs on it, etc. Because the laptop drive is encrypted.  What your suppose to do is carry said card in your wallet.  And place into the laptop when your using it, then say when you go home and putting the laptop in your bag where it might be stolen.. Or really even say you were going out for a business lunch or something and leaving your laptop at the desk.  The card should go with you.. 

 

Guess what happens.. Users just left the card in their laptops 24/7 - shoot they even cut off the end of the card so it didn't stick out so they could just slide it into their bags when leaving.  So they leave said laptop bag in their car, and it gets stolen, or leave it in the uber or bus.. The whole point of the 2fa auth token is defeated because it was "too much" effort to take it in and out

 

So I ask - what is the scenario of use?  Are you going to put the key in a safe place - and only use it to access your crypo/bank account which is something you don't do every day?  Or you plan on using it to auth to say neowin   Which you do every day, or multiple times a day.. So the thing ends up sticking out the usb port of your PC 24/7/365

 

My 2fa is my phone.. I have it with my 24/7/365 - other than when sleeping (right next to me) or taking a shower - again most likely on the sink in the bathroom with me..  What are you going to do with this key?  Are you going to carry it with you on a chain around your neck.. And put it into a device, and take it out the device every time you need to auth?

I’m not OP but I will give you my uses for it. 
 

My Yubikey stays with me at all times, on my key chain. I use it where I can, but mostly to add additional protection to LastPass, GitHub repos, and Gmail accounts. I have several keys that are setup for these sites. In addition, I carry my Authenticator info on my keys, so I can install Yubikey Authenticator safely on any machine and if the key isn’t plugged in, the cycling OTPs aren’t present. A FIDO/2 key isn’t going to be as useful to someone like me. 
 

 

 

[jnelsoninjax]

55 minutes ago, BudMan said:

What is your planned use for whatever key you might happen to get?

 

I have a hard time justify their use for most things to be honest.  What is the scenario that you will use it?  To auth to some site on your phone or your phone itself even - so your really going to carry this key with you, along with your phone?  And pop it out every time you need to do xyz?

 

Are you going to use it to log into your computer - in your house?  Really?  Or you going to just leave it plugged into your PC all the time?

 

Now if you were going to use it say access your bank website that you only access on rare occasions, or maybe to access your crypto exchange account.

 

Don't get me wrong - they do have their use for sure.. But without the scenarios you plan on using it..

 

Keeping in mind that all security is always going to be something extra that has to be done.. The more "extra" that thing is - the less likely it will ever be used.  Or will be circumvented for ease of use that defeats the whole purpose.

 

Give you a perfect example of this in a work environment, with IT professionals.. So to login to the laptops you needed tiks card, got specific certs on it, etc. Because the laptop drive is encrypted.  What your suppose to do is carry said card in your wallet.  And place into the laptop when your using it, then say when you go home and putting the laptop in your bag where it might be stolen.. Or really even say you were going out for a business lunch or something and leaving your laptop at the desk.  The card should go with you.. 

 

Guess what happens.. Users just left the card in their laptops 24/7 - shoot they even cut off the end of the card so it didn't stick out so they could just slide it into their bags when leaving.  So they leave said laptop bag in their car, and it gets stolen, or leave it in the uber or bus.. The whole point of the 2fa auth token is defeated because it was "too much" effort to take it in and out

 

So I ask - what is the scenario of use?  Are you going to put the key in a safe place - and only use it to access your crypo/bank account which is something you don't do every day?  Or you plan on using it to auth to say neowin   Which you do every day, or multiple times a day.. So the thing ends up sticking out the usb port of your PC 24/7/365

 

My 2fa is my phone.. I have it with my 24/7/365 - other than when sleeping (right next to me) or taking a shower - again most likely on the sink in the bathroom with me..  What are you going to do with this key?  Are you going to carry it with you on a chain around your neck.. And put it into a device, and take it out the device every time you need to auth?

Honestly I was just asking because I read an article on Gizmodo that suggested that we should be using them as opposed to the cell phone, so I am not sure that I am going to buy any, it was mainly just a question for my own information.

[Yusuf M. Veteran]

On 30/04/2021 at 16:04, jnelsoninjax said:

Honestly I was just asking because I read an article on Gizmodo that suggested that we should be using them as opposed to the cell phone, so I am not sure that I am going to buy any, it was mainly just a question for my own information.

It's great for security and arguably the best in terms of what's generally available. The thing is, it's overkill for the vast majority of typical use cases. Online banking and cryptocurrency exchange accounts come to mind but so few banks even offer 2FA, let alone support for physical security keys. Personally, I'd only use it for cryptocurrency stuff. In most cases, using an authenticator app is good enough.

With that said, I don't think there's anything wrong with using it out of curiosity. SoloKeys seems like a good one because it uses open source firmware.

[adrynalyne]

12 hours ago, Yusuf M. said:

It's great for security and arguably the best in terms of what's generally available. The thing is, it's overkill for the vast majority of typical use cases. Online banking and cryptocurrency exchange accounts come to mind but so few banks even offer 2FA, let alone support for physical security keys. Personally, I'd only use it for cryptocurrency stuff. In most cases, using an authenticator app is good enough.

With that said, I don't think there's anything wrong with using it out of curiosity. SoloKeys seems like a good one because it uses open source firmware.

Agreed on it being overkill for a lot of people. I do everything overkill though.

[neufuse Veteran]

12 hours ago, Yusuf M. said:

It's great for security and arguably the best in terms of what's generally available. The thing is, it's overkill for the vast majority of typical use cases. Online banking and cryptocurrency exchange accounts come to mind but so few banks even offer 2FA, let alone support for physical security keys. Personally, I'd only use it for cryptocurrency stuff. In most cases, using an authenticator app is good enough.

With that said, I don't think there's anything wrong with using it out of curiosity. SoloKeys seems like a good one because it uses open source firmware.

few banks offer 2FA? I haven't come across one that didn't in years... even local banks around me that are smaller have it

[adrynalyne]

2 minutes ago, neufuse said:

few banks offer 2FA? I haven't come across one that didn't in years... even local banks around me that are smaller have it

Yeah but do they offer FIDO/2 ?

OP I think was only looking at these keys. 

[neufuse Veteran]

3 hours ago, adrynalyne said:

Yeah but do they offer FIDO/2 ?

OP I think was only looking at these keys. 

no, but I was replying to this line "but so few banks even offer 2FA, let alone support for physical security keys."

[jnelsoninjax]

6 minutes ago, neufuse said:

no, but I was replying to this line "but so few banks even offer 2FA, let alone support for physical security keys."

My credit union has OTK that they send via SMS whenever you call and talk to them, and 2FA via SMS on the mobile app.

[neufuse Veteran]

45 minutes ago, jnelsoninjax said:

My credit union has OTK that they send via SMS whenever you call and talk to them, and 2FA via SMS on the mobile app.

My bank is so secure they wont let you change anything about your account unless you do it at the original branch.... problem for me is the original branch closed  😆 every time I call in for something they want a password and the location I took out my first account at.... which is a bit ridicilous... and to close an account you have to visit the original branch.. maybe that is something to stop you from closing it? lol....

[spaceelf]

On 30/04/2021 at 08:52, jnelsoninjax said:

Is there any difference in the physical keys made by Google or YubiKey, etc? Do they all function the same way?

I have both.  Googles can't be used by default with Windows 10, but it obviously works for websites.  They function similarly but you can set a pin on the Yubikey (and promptly forget whatever the hell it was heh.)

 

Checking if the Yubikey can work for logins now.  I really don't know, but they have some software for it.

[inactive]

Just a small comment ill add about YubiKey's...

 

those who want to use these basically need two of them at minimum. one for general use and one for a backup stored in a secure location. that helps ensure you won't get locked out of your Google account for example since you register both keys to the account. so even if you lose one, you can always use the backup to sign-in to the Google account, remove the lost key, then you can simply buy another key and register that to the account and you will now have two keys registered once again.

 

p.s. I just have two of the standard/basic YubiKey's. but currently they are a bit pricier than what I paid for mine not all that long ago as for a couple of the basic ones it's $49 now where as I got two at a discount for $30. because for the price I paid it was nice peace of mind, but at $49 I could easily see how some might have second thoughts about using them as at that price it's a little steep. NOTE: YubiKey's work on Linux Mint but not by default. but it's easy enough to get them working as you just copy and paste the text from... https://github.com/Yubico/libu2f-host/blob/master/70-u2f.rules to a file (just load up Text Editor(Xed)) named '70-u2f.rules' and save it to "/etc/udev/rules.d/" then reboot. works on Chrome/Firefox (may work on other browsers but I never tested). but I noticed if a person is running their browser in Firejail (sandbox), to sign into ones Google account for example, you got to run the browser normally, sign-in into ones Google account with the YubiKey, then exit the browser, reload it in the Firejail sandbox and you will be fine here since it's using the cookie from previous session.

Edited May 5, 2021 by ThaCrip

[Mindovermaster Global Moderator]

49 minutes ago, neufuse said:

My bank is so secure they wont let you change anything about your account unless you do it at the original branch.... problem for me is the original branch closed  😆 every time I call in for something they want a password and the location I took out my first account at.... which is a bit ridicilous... and to close an account you have to visit the original branch.. maybe that is something to stop you from closing it? lol....

I'd move to a new bank, if I were you...

[+Tantawi Subscriber²]

2 hours ago, neufuse said:

My bank is so secure they wont let you change anything about your account unless you do it at the original branch.... problem for me is the original branch closed  😆 every time I call in for something they want a password and the location I took out my first account at.... which is a bit ridicilous... and to close an account you have to visit the original branch.. maybe that is something to stop you from closing it? lol....

Is your bank located in Egypt?  that experience is awfully familiar to one I had...

[Mindovermaster Global Moderator]

7 minutes ago, Tantawi said:

Is your bank located in Egypt?  that experience is awfully familiar to one I had...

Mine wasn't THAT picky...

[neufuse Veteran]

4 hours ago, Mindovermaster said:

I'd move to a new bank, if I were you...

not exactly easy when you have a mortgage there, that's an expensive move

[adrynalyne]

5 hours ago, Mindovermaster said:

I'd move to a new bank, if I were you...

Why because it’s secure? 

[Mindovermaster Global Moderator]

Just now, adrynalyne said:

Why because it’s secure? 

Not saying it's secure, just saying you can't do anything unless you come to the main branch.

 

21 minutes ago, neufuse said:

not exactly easy when you have a mortgage there, that's an expensive move

Oh, that says a lot...

[adrynalyne]

2 minutes ago, Mindovermaster said:

Not saying it's secure, just saying you can't do anything unless you come to the main branch.

 

Oh, that says a lot...

Minor inconvenience. 

[neufuse Veteran]

9 hours ago, adrynalyne said:

Minor inconvenience. 

what's a minor inconvenience? moving a mortgage that will cost a few thousand dollars in fees to do? 😂

[adrynalyne]

1 hour ago, neufuse said:

what's a minor inconvenience? moving a mortgage that will cost a few thousand dollars in fees to do? 😂

No, not that lol. Going to a branch to change certain info.