This isn’t strictly a privacy question as a security one, so I’m asking this in the context of individuals, not organizations.

I currently use OTP 2FA everywhere I can, though some services I use support hardware security keys like the Yubikey. Getting a hardware key may be slightly more convenient since I wouldn’t need to type anything in but could just press a button, but there’s added risk with losing the key (I can easily backup OTP configs).

Do any of you use hardware security keys? If so, do you have a good argument in favor or against specific keys? (e.g. Yubikey, Nitrokey, etc)

  • randomperson@lemmy.today
    link
    fedilink
    English
    arrow-up
    10
    ·
    9 months ago

    In my opinion the biggest problem with hardware keys is what happens when you lose them. You have to either provision the keys yourself, putting the secret on your computer. Or you have to buy backup keys and make sure to register both with all your services. You’ll end up using your phone or password manager as a “backup.” And then that backup becomes your primary 2FA.

    • UntitledQuitting@reddthat.com
      link
      fedilink
      arrow-up
      2
      ·
      9 months ago

      Yeah this is the dichotomy I’m in. I have a yubikey, but obviously can’t afford to have all my eggs in one basket so every account I have the passkey on I also have 2FA setup with 2FAS Auth. Proton finally started storing passkeys tho so I’ll shift to that solution when I find the time.

    • haui@lemmy.giftedmc.com
      link
      fedilink
      arrow-up
      1
      ·
      9 months ago

      I‘m still working on my setup so your considerations are most helpful. What stands out to me is the option to use an airgapped old crappy laptop to provision the keys. Ideally one with manually disabled modems. That way nobody without physical access should be able to compromise it.

      Also, how can you provision your own hw keys?