Yubikey guide for Git Signing, SSH Auth, U2F 2FA, and 1Password (2017)

155 points by EngineerBetter about 6 years ago

11 comments

m3nu about 6 years ago
(Title needs the year since the article is from 2017.)

For keeping SSH keys, the PIV module seems a bit simpler than GPG. I just went through the process myself.[1]

They should also mention FIDO U2F, which already works well with Google, AWS and Github among others. Implementing it for your own site also seems doable.

1: https://blog.snapdragon.cc/2019/04/27/using-a-yubikey-to-secure-ssh-on-macos/
JudgeWapner about 6 years ago
I wish Yubikeys supported hardware AES encryption *on the device*, and a hardware entropy source (vibration, rf, probably couldn't fit atomic-decay-measurement in a usb key, but something).

My personal tinfoil headwear has me believing that AES on any of the Big-2 CPUs is compromised, probably via key logging deep in the bowels of the die. And the RNG could have a similar backdoor.
AdmiralAsshat about 6 years ago
I've got two Yubikeys already (a Neo, and an older barebones Yubikey that I got as a gift for getting an Ars Technica subscription), but so far Gmail is the only account of mine that is protected by it.

One repeated problem I've run into so far is that Firefox can read the Yubikey when it's inserted but it can't *add* the Yubikey as a new device yet. I have to pull up Chrome/Chromium to do so. After my most recent laptop reformat I vowed never to install Chromium again, even temporarily, so, out of luck until Mozilla gets that fixed, I suppose.
exabrial about 6 years ago
Apple: Please support U2F, because "Privacy is a basic human right" [per your EULA], which requires security.
ak217 about 6 years ago
Shameless plug for a library that I wrote (still developing) for storing AWS API keys on a Yubikey (and signing API requests from the Yubikey): https://github.com/pyauth/exile
peterwwillis about 6 years ago
Has anyone actually seen personal SSH or Git signing keys get stolen and used in attacks (not counting servers sitting on the internet with ssh open)? It seems like the only really useful purpose for these tokens is as an MFA token, because passwords just suck. At the same time, it seems like long random bits that can't be remembered by humans just aren't so vulnerable that we need to carry around something to unlock them.

Maybe the issue is just that it's so easy to attack password-protected systems that nobody even needs to attack keys.
guiomie about 6 years ago
I like the added security of yubikeys, I use it for Google account and Facebook. Sadly it won't easily work everywhere, I seem to always have issues with my smartphone (missing adapter or rfid not working well), but my biggest pain is it doesn't work on PS4, my YouTube account always gets unlinked randomly, then I need to go to my computer, disable 2FA, sign in on the PS4, and re-enable 2FA.

I like the idea of SSH'ing with it, I'll give that a shot.
akerl_ about 6 years ago
Storing your 1Password Master Password on a yubikey seems like a really bad idea for most threat models. This means that anybody in physical possession of the Yubikey can immediately and permanently steal your master password. Additionally, for shared computers, anyone who can run code on that system can log static creds, the same as if the user typed it.
jdfellow about 6 years ago
I've been using a Trezor crypto wallet for most of these things; it has password manager features but I haven't switched from LastPass for that yet.

I've even enabled U2F 2FA on my work desktop for log in, and use it as 1FA to unlock the screenlock, and it automatically locks when I unplug it. Very slick. You could do similar with YubiKey.
dpflan about 6 years ago
Does anyone use a Yubikey for personal rather than business/employment situations? Would a Yubikey ring make any sense for personal use (for example, you have a Yubikey ring that connects via NFC with your device (phone, computer) and is required for auth'ing financial transactions)?
EngineerBetter about 6 years ago
It's worth pointing out that AWS does now support U2F, which isn't reflected in the posts.