A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
- Don’t promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
Chat rooms
-
[Matrix/Element]Dead
much thanks to @gary_host_laptop for the logo design :)
- 0 users online
- 57 users / day
- 383 users / week
- 1.5K users / month
- 5.7K users / 6 months
- 1 subscriber
- 2.43K Posts
- 57.3K Comments
- Modlog
I’m not an expert but the way I see it is this: if you’re tech-savvy and use common sense, they’re not necessary, as a 2FA app with TOTP along with random, strong passwords should be enough. I still use both for most things, only securing more sensitive stuff with a physical key.
However, having one definitely can’t hurt, and if you’re passionate about cybersec, it’d be kinda strange if you didn’t have one.
im preferential of the concept of just using a USB drive, and some basic scripting automation to trigger it.
Thats just me hating anything moderately proprietary though.
How would this work? Is there an open source project available?
i’m honestly not to sure how one would go about it, i know one of my friends has done it. I would assume there is at least one open source project for this type of thing. Realistically i can’t imagine it would be that hard, there are probably writeups on people doing it already. In the most simplistic form you’re keeping spicy private keys on an encrypted flash drive. That way they’re a physical hardware item, but also physically isolated. Though you would absolutely be in a bit of a bind if you ever lost it. Realistically, changing the key and it’s encryption will solve that problem though.
I’ve recently thought of doing similar things using forward secrecy keys stored on the flashdrive itself so that way it’s always different. Similar immediate security risk there, but again changing the key is the solution. Theoretically you could also do a two part key system, where you store a portion of it on your system, and the rest on the drive, so that way in the event of compromise, they only have a portion of the key. And they still need the other part in order to do anything.
scripting wise, it should be pretty simple, you plug in the drive, automount it, rip the key out, stuff it to where it needs to go, and then remove the drive. Always make sure you have secondary backups though, whether written down or stored somewhere. Losing accounts is no fun.
I’m not a security researcher or expert though, there are definitely smarter people out there that have already talked about this kind of thing at length.
I recommend NitroKeys. They are very secure and open-source.
You are better off with an encrypted password store and a 2FA on a phone. You can back up both, easily, and they are both protected with fingerprints and/or global passwords.
Don’t go the fingerprint route if you care about your rights in the US. Biometrics, for some bizarre reason, don’t fall under the fourth amendment.
Last year Cloudflare had some offers to buy Yubikeys at half price. Bought two of them. Using these hardware keys is better than trusting phone to be single failure and getting locked out.
deleted by creator
What I did was to use keepass to store most of TOTP and use Yubikey to unlock it. Absolute critical ones like email is saved directly in Yubikey.
This is not quite the same product but I thought this device looked interesting
https://tillitis.se/
This is pretty slick.
Mostly yubikey users in here so shout out to fully open source SoloKeys.
Solokeys is a completely dead project at the moment.
The last commit in their repos was well-over a year ago and they don’t respond to emails at all. I’d recommend against them for the time being.
removed by mod
I use an OnlyKey and Mooltipass interchangeably. Prefer the lower tech OnlyKey. My passwords are half memorized passphrase and half random characters on the device. Only use for disk encryption, main account, and password manager.
I want to add that you can not only use USB keys as second factors, but also as a password replacement on Linux and Windows. It is extremely convenient to press a button instead of typing a 16 character pw.
removed by mod
I bought a couple of yubikeys but haven’t fully implemented yet. When 1password has full support for using a security key in place of a passphrase, I will consider using them as my primary unlock method.
I have to say that the Google Titan appears to be better bang for your buck than yubikeys. The FIDO2 yubikey is $55 which is pretty pricey considering you will probably want multiple. I’d be really curious if there’s a strong argument against using the Google keys.
removed by mod
So I get very confused over which protocol is which. I think the cheaper keys lack support for OAUTH. Which is required for things like windows login.
removed by mod
Safer to use QubesOS and run keepass in a vault VM
I bought 2 yubikeys. I try to use it for as many accounts as I can but I can only think of a handful who allow yubikeys. I would get them if you want to but a good 2fa should work fine. Most banks and actual important stuff barely have totp 2fa anyways.
I think the best use case will be to use a yubikey with a password manager. That way it doesn’t matter what sites support the security key directly. You could also set up passkeys with the sites so that once you authenticate with your password manager, the login process is transparent. Once more sites support passkeys, anyway.
I suggest having a threat model about what attack(s) your security is protecting against.
I’d suggest this probably isn’t giving much extra security over a long unique password for your password manager:
That said, it might be able to give you more convenience at the expense of slightly less security - particularly if your threat model is entirely around remote attackers - on the convenience/security trade-off. You would touch a button to decrypt instead of entering a long passphrase.
Yubikey bio has a fingerprint reader built into it. Which is very nice. Even if the device you’re using is compromised you will never expose your pin.
The only key also has that advantage.
The current bio model does not support PIV (Smartcard) tho, so it cant be used for PGP/SSH. They recently announced a new revision that can, but its not generally available yet.
https://www.yubico.com/blog/introducing-the-expanded-yubikey-bio-series-yubikey-bio-multi-protocol-edition-early-access/
Oh that’s awesome! Thanks for letting me know
Any key has a pin? 🤔
External entry of the pin, means you avoid compromising it on a compromised computer.
It really depends on your thread model
In my opinion the fingerprint won’t do any difference anyway
Who are we protecting against?
Hackers? They can’t press the button
Thieves? They don’t have your pin
Someone close who knows your pin? Maybe, but this is really an overkill
Evil maid? If somebody can pull up evil maid attack, they can hack the fingerprint anyway
Governments? They hack or force you to unlock it anyway
Summary: my opinion is that fingerprint is an overkill which doesn’t protect from any real thread, but costs more and lacks some functions
If I compromise your system. I can record the pin. Then I just need to steal the device.
Think, who are you, and who am i?
I mean, how would you do it, and just why?
This is a very very very improbable scenario, too complicated, and too unlikely
There could be a thread model that would work with this feature well, but I don’t think any of us even theoretically is one of those people that would benefit from it
Define your thread model, and work from it
Most of the people have two main threads: hackers, and thieves, not hacker-thieves
Yes, but its not supported on everything. I use Yubikeys since they support more interaction types. I personally use them to lock my more important things when I can. Like my password vault, financial sites, emails, accounts, etc.
For the accounts that are whatever, less important I use OTP. You can also store a limited amount of OTP tokens on the Yubikey and use their open source software to view the codes.
ALWAYS buy a backup if you do end up locking accounts with it, just in case you lose it. It is more secure than having a code saved digitally as you need the physical key to unlock things.
I just ordered couple of yubikeys to play around with. Mainly because my phone died and couldn’t get into Gmail to get my bit warden two factor email without my phone to approve the Gmail login… Luckily phone came back online but was a bit scary to think how tied I was to my phone being operational.
If you put the yubico authenticator on another device you are back in business. If your phone is not literally your only computing device just install the desktop app. My problem with it (also a noob) is that apparently ANYONE can pick up your yubikey when you lose it, fire up the yubico app on their phone and learn what accounts you have protected with it. I’m guessing this is due to a config error on my part, but so far I have not found a solution.
removed by mod
Me too on the „need backup“. Any idea how to go about that? I know some sites have backup keys for otp but I have no process for storing then and avoiding a bind (like storing the 2FA for my vault in my vault and getting locked out).
I will probably have to play through scenarios or is there a comprehensive guide on this (probably)?
removed by mod
Pretty good idea with the yubikey. If they werent 50 bucks I‘d get one but thats a little much for an optional security device that has this one function. Still neat though.
removed by mod
Understandable. I‘ve had a recent „near miss“ if you will and since then I thought I might wanna check my security as a whole. So maybe I‘ll end up with that as well.
Is it possible to use generated keys as a login option on websites btw? I know its usable for ssh and git but i dont know about other sites. If you made one key for each site, they could never leak your password as they dont have it. Would be a ton of work though.
removed by mod
I use vaultwarden (selfhosted bitwarden), which stores both passwords and OTP keys on my own server, which I backup regulary. This allows acces to my OTP keys from any device, as long as it’s in my local network or connected to my VPN.
Must say I really like this solution. If one of my devices fail, I have a pretymuch seamless switch to any of my other devices, which are already configured anyways, since it’s also my passwordmanager.
If the server fails, my phone, pc and laptop all still have the keys cached, so I can use those untill I’ve restored a backup.
Thats my configuration as well. I didnt think of the cache. Thanks for mentioning it.
I do think having the mfa on there is risky as you factually disable mfa with it imo. Its basically 2 passwords in the same place.
2nd issue: my vault has mfa as well for the admin account which I cant store in there for obvious reasons.
So in combination I‘ll probably use a second vault to store these to keep them seperate. Will check out aegis for this.
For the first issue thats not realy true. To access the totp key you still need the actual device with the key, it’s only now split over multiple devices. Like having multiple bank cards for the same account.
For the seccond issue: Thats a good point, I have not found a good solution for that either, unfortunately
https://onlykey.io/
Built in hardware pin entry means your unlock code can’t be captured by a compromised machine. Emulates Yubikey if you need that, handles Fido / U2F, stores up to 12 passwords, acts as PGP and SSH key if you install the (open source) agent.
The SSH agent implementation is forked from https://trezor.io/ which is advertised more for crypyo wallet uses.
Edit: For OP’s concern about losing the key, it also has the ability to export an encrypted backup that can be restored to a replacement key
This is an interesting piece of kit, though I’m curious who the target market really is? Frankly I would be more comfortable regularly rotating my hardware security key’s password than I would be manually keying in my 2nd factors pin every time I need to use FIDO2 or TOTP. This would almost appear to be an excessive amount of security for me as an infosec professional which honestly makes me suspect it’s targeted towards a paranoid audience. Not that this wouldn’t have it’s applications. As a backup security key to be stored in a secure location this is definitely intriguing, but I can’t imagine using it on a daily basis.
I have one and I would not consider myself paranoid. I go to school part time and have to login with different accounts on rotating computers. It is nice to have a password manager I can plug into the PC instead of typing it off of my phone or having to memorize it.
Manually keying in the pin is only needed when plugging in the device. Challenges for TOTP, FIDO2, etc. are a configuration option, and are only 3 digits if enabled (press any button if disabled).
As for “excessive amount of security”, security as an absolute measure isn’t a great way to think about it. Use case and threat model are more apt.
For use case, I’ll point out it’s also a PGP and SSH device, where there is no third party server applying the first factor (something you know) and needs to apply both factors on device.
For threat model, I’ll give the example of an activist who is arrested. If their e-mail provider is in the country, they can compel the provider to give them access, allowing them to reset passwords on other more secure services hosted outside the country. The police now have the second factor (something you have), but can’t use it because it’s locked.
If your usecase and threat model don’t require the pinpad, Onlykey Duo is worth a look. No pin, USB A or C, and still gives you 6 slots to support any combination of Fido2, TOTP, SSH, PGP, and password storage.
I think “unnecessarily over-the-top” is a key demographic in every market. Not a large one, but definitely present.