I see a lot of confusion in this thread (warranted, because it's a confusing subject), and I want to clarify a few things:<p>U2F is the old standard; it is only meant to be used as a second factor.<p>WebAuthn is the new standard; it has different modes for usage as a second factor, first factor and single factor (usernameless). Only the usernameless mode requires state on the client side.<p>Usernameless strikes me as the holy grail of authentication, where we don't need to remember any usernames or passwords (or even have them), but I haven't seen any websites that support usernameless authentication, other than demo ones and my own.<p>If you want to see what a usernameless flow looks like, you can visit <a href="https://www.deadmansswitch.net/" rel="nofollow">https://www.deadmansswitch.net/</a>. You have to log in with an email link first, and then associate your FIDO2 credential with it. You don't need a hardware key; for example, on phones you can use your fingerprint reader and it will work fine.<p>The problem with hardware keys, which is not mentioned anywhere, is that because usernameless requires storage on the key, Yubikeys only support a maximum of 25 sites you can authenticate with.<p>In order to further my goal of some day ditching password managers, I also made a Django library for usernameless logins which you can use today on your Django sites:<p><a href="https://pypi.org/project/django-webauthin/" rel="nofollow">https://pypi.org/project/django-webauthin/</a>
I am probably wrong, but I think FIDO2 keys should be ubiquitous. They provide a hardened solution for some security situations; certainly they could be a good 2nd factor or 3rd, and hopefully they could reduce the password madness we have. Yubico appears focused on the enterprise and high-end users, resulting in higher prices. Solokeys seems more focused on individual users with lower prices.<p>Disclaimer: I have two Yubico keys and two Solokeys, and they all work for me, but I don't need the extra functionality of the more expensive Yubico keys.
I have two OnlyKeys that I back up against each other to handle the lack of ubiquity of FIDO2. So many places are still only using SMS, but as an alternative have built proprietary, in-app authentication systems that can't be audited. I had a phone break, and I wanted to purchase a new phone online to have it ship when I returned, and I couldn't access my remote work paycheck transfer (in-app), I couldn't log into my bank (SMS + in a different country, so not the same SIM), and I couldn't log into the more popular online shopping (SMS).<p>Auth needs to be able to be decoupled from phones. With the OnlyKey, I've also stored the important TOTP keys, like my email, as well as the password for my password manager. Being as 'dumb' as they are, I've had one go through the wash and it still worked fine.
Excited to see an open source hardware key solution on the market to compete with Yubico.<p>I’ve been working on my own SaaS app to handle authentication for any app using the web authentication framework.<p>Hoping we start seeing more options to log in using only hardware (plus PIN to be extra safe) on all websites.
I got a Solokey as part of the Kickstarter and love 'em. USB-C + NFC in one device.<p>The one thing I'd love out of a security key is the ability to set up a "twinned pair", so I can have one key on my keychain that I use every day and one I keep in my safe in case something happens to the primary. Yes, I know some services support multiple security keys, but setting up two is more work and not all services do support two.
Physical hardware seems like a promising replacement for passwords. But is there any real adoption in consumer services right now? The only two services I know that support FIDO2 are Google and GitHub. Are there any other big services I'm missing here?
So I have a SoloKey. How do I check what firmware it is running? Is the firmware upgraded automatically, or do I have to do something? The SoloKey website from some quick skimming doesn't seem to have any information on the topic.
Oh my... I saw FIDO2 and immediately (for some reason) thought it was a resurgence of FidoNet: <a href="https://en.wikipedia.org/wiki/FidoNet" rel="nofollow">https://en.wikipedia.org/wiki/FidoNet</a> and somehow someone built a new FidoNet with security and audits.
I was wondering if there is any driverless USB smartcard that can speak GIDS?<p>The GIDS login for our sysadmin worked wonderfully, but the downside is the reader.