This isn’t strictly a privacy question so much as a security one, so I’m asking it in the context of individuals, not organizations.

I currently use OTP 2FA everywhere I can, though some services I use support hardware security keys like the Yubikey. Getting a hardware key may be slightly more convenient since I wouldn’t need to type anything in but could just press a button, but there’s added risk with losing the key (I can easily backup OTP configs).

Do any of you use hardware security keys? If so, do you have a good argument in favor or against specific keys? (e.g. Yubikey, Nitrokey, etc)

  • haui@lemmy.giftedmc.com · 1 upvote · 9 months ago

    Pretty good idea with the Yubikey. If they weren't 50 bucks I'd get one, but that's a little much for an optional security device that has this one function. Still neat though.

    • sugar_in_your_tea@sh.itjust.works (OP) · 1 upvote · 9 months ago

      I’ve got one, but I don’t use it because the main reason I got it (secure my Vanguard account) has a simple SMS backup, so it’s no more secure than SMS… My phone also doesn’t have NFC and the plug is USB-A on the Yubikey, so I can only use it on my desktop unless I carry a dongle around.

      But I think things are better now at other services (and USB-C security keys exist), and I’m planning to redo a lot of my online accounts. I’m also getting a new phone soonish, so NFC will be an option. Just wondering if others find value in using them.

      • haui@lemmy.giftedmc.com · 1 upvote · 9 months ago

        Understandable. I've had a recent "near miss", if you will, and since then I've thought I might want to check my security as a whole. So maybe I'll end up with that as well.

        Is it possible to use generated keys as a login option on websites, btw? I know it's usable for SSH and git, but I don't know about other sites. If you made one key for each site, they could never leak your password, as they don't have it. Would be a ton of work, though.

        • sugar_in_your_tea@sh.itjust.works (OP) · 2 upvotes · 9 months ago

          That’s essentially what FIDO2 is (the security keys I’m talking about), but instead of public/private key, it’s challenge/response (similar enough security-wise). More and more services support it, but unfortunately the really important ones don’t (financial, government websites, etc). So you’re left with mostly social media and other tech sites.
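To make the exchange above concrete, here is an added example that is not from the thread or from any security-key vendor. It models a FIDO2/WebAuthn-style registration and login: the site sends a random challenge, the key signs it with a per-site private key, and the site checks the signature against the public key it stored at registration. The signature scheme is an assumption made so the example runs with only the Python standard library: a toy Schnorr signature over a 64-bit safe-prime group generated at import (real keys use ES256 or EdDSA, and this toy group is not secure). The site names, user name and origins are made up. It shows the three properties discussed in the replies: one key pair per site derived from a seed that never leaves the device, the site holding nothing but a public key, and the challenge being signed together with the origin the browser reports, which is what stops a phishing relay and a replay.

```python
import hashlib
import hmac
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin, used only to build the toy group at import time."""
    if any(n % sp == 0 for sp in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_group() -> tuple[int, int, int]:
    """First safe prime p = 2q + 1 with q above 2**63; g = 4 has prime order q."""
    q = (1 << 63) + 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = toy_group()  # assumed toy group: fine for the demo, useless for real security


def h(*parts: bytes) -> int:
    # Length-prefixed fields hashed to a scalar in the exponent group.
    blob = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % Q


class Authenticator:
    """The security key: one seed that never leaves the device."""

    def __init__(self) -> None:
        self._seed = secrets.token_bytes(32)

    def _private_key(self, rp_id: str) -> int:
        # One key per site, re-derived from the seed: a site stores only the
        # public half, so a breach there leaks nothing usable elsewhere.
        d = hmac.new(self._seed, rp_id.encode(), hashlib.sha256).digest()
        return 1 + int.from_bytes(d, "big") % (Q - 1)

    def register(self, rp_id: str) -> int:
        return pow(G, self._private_key(rp_id), P)  # credential public key

    def sign(self, rp_id: str, challenge: bytes, origin: str) -> tuple[int, int]:
        """Schnorr-sign the challenge together with the origin the browser saw."""
        x = self._private_key(rp_id)
        k = 1 + secrets.randbelow(Q - 1)
        r = pow(G, k, P)
        e = h(r.to_bytes(16, "big"), challenge, origin.encode())
        return e, (k - x * e) % Q


class RelyingParty:
    """The website: stores public keys and one-shot challenges, no secrets."""

    def __init__(self, rp_id: str) -> None:
        self.rp_id = rp_id
        self.users: dict[str, int] = {}
        self.pending: dict[str, bytes] = {}

    def challenge(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(32)
        return self.pending[user]

    def verify(self, user: str, origin: str, sig: tuple[int, int]) -> bool:
        c = self.pending.pop(user, None)  # consumed on first use: no replay
        if c is None or origin != "https://" + self.rp_id:
            return False
        e, s = sig
        r = pow(G, s, P) * pow(self.users[user], e, P) % P
        return h(r.to_bytes(16, "big"), c, origin.encode()) == e


def demo() -> dict[str, bool]:
    key = Authenticator()
    bank = RelyingParty("bank.example")  # constructed site and user names
    bank.users["alice"] = key.register("bank.example")
    origin = "https://bank.example"

    # Honest login, then the identical response replayed.
    sig = key.sign("bank.example", bank.challenge("alice"), origin)
    legit = bank.verify("alice", origin, sig)
    replay = bank.verify("alice", origin, sig)

    # Phishing relay: evil.example forwards the bank's real challenge, but the
    # browser signs the origin the user is really on, so the bank rejects the
    # response even when the attacker submits it claiming the bank's origin.
    phished = key.sign("bank.example", bank.challenge("alice"), "https://evil.example")
    phish = bank.verify("alice", origin, phished)

    per_site = key.register("social.example") != bank.users["alice"]
    return {"legit": legit, "replay": replay, "phish": phish, "per_site_keys": per_site}
```

Two things the toy leaves out that a real browser and key do on top of this: the browser refuses to use a credential whose RP ID does not match the page's origin in the first place, and the key keeps a signature counter the site can check for cloned devices. The backup worry raised in the question is visible here too: because the seed never leaves the device, the only recovery is a second registered key or another factor, not a copy of the first key.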