I am trying to increase the security of my accounts and have enabled MFA on as many of the accounts that I can, using Google Authenticator. I am thinking about getting a key like Yubico instead of having to use Google Auth, is it more secure? Better? Do any of you guys use this?
A U2F key protects you better from phishing, but unfortunately the number of sites that support it is very limited. Luckily it includes Google and Facebook, so you can harden these two, and use social login where U2F isn't supported.

As for the security key, you should check the support for your devices. iOS is generally more problematic (keep in mind that even if you have an Android phone, but you have an iPad, you prob need support for iOS too). I wrote a blog post about this a while ago: https://medium.com/@0x0ece/googles-advanced-protection-program-with-iphone-and-ipad-5f30802885e7
I use a YubiKey for the few places that support U2F (Google, GitHub).

I still use Authenticator for a bunch of places that don't support U2F.

It likely wouldn't be worth it if I didn't also carry the YubiKey for my SSH public key.
I use a YubiKey NEO myself, which is nice, but not a heap of services support it.

Probably my favourite feature, which gets very little attention, is that you can store your MFA tokens on your key. Scanning a YubiKey NEO with the YubiKey app open will show your keys. Lost your phone? It's fine because you can just install the app on your new phone and there they are, without being tied to a centralised service.

You can also store your GPG key on it, but you're forced to only use 2048 bits over the highest setting of 4096. All it means is you need to have your key in to e.g. sign commits, which is a bit less convenient than reading from disc.

Oh yeah, I use the Windows Subsystem for Linux and it doesn't support reading the YubiKey, so it renders GPG signing useless for now. There was an update recently that increased USB support but I don't think it applies to USB hardware keys. I haven't tried though.

It's also worth noting that Google doesn't follow the U2F spec, which means that authenticating with their stuff only works inside Chrome. You can just fall back to SMS or MFA.

One thing I notice with GitHub is that if I don't have my YubiKey nearby, the only other default is MFA, but with my tokens on my YubiKey... yeah, you can't just drop back to SMS, so you gotta have it on you (for the first time/new browser) haha

tl;dr They're cool for "important" accounts i.e. GitHub, Google; GPG key storage is just ok and storing MFA tokens on it is pretty rad