My colleague and I recently gave a workshop about security keys where we tried to answer questions like:

* Why should I use a security key?
* What is it used for?
* How can I choose one?
* What features should I look for?

We did cover FIDO2/Passkeys but also multiple other use cases.

Here are the slides if you're interested: https://tome.one/slides/amiet-pelissier-security-keys-workshop-ph0wn-2023-slides.pdf
This space is confusing. FIDO2, U2F, UAF, CTAP, WebAuthn, Passkey, 2FA, … The names frequently change.

Aren’t all of them just public key authentication (with the private key in a mini-HSM, and the public key either calculated in real time, or stored in the HSM and synced externally)?
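As an added illustration of the question above (this is example code, not from the thread or any vendor), here is the core of a FIDO2/WebAuthn assertion in Go: the key pair is created on the authenticator at enrollment, the website stores only the public key, and each login is a signature over authenticatorData plus a hash of the browser's client data. It uses Ed25519 (one of the FIDO2 signature algorithms, the same curve as ssh ed25519-sk), assumes a constructed rpID "example.com" and constructed clientDataJSON, and reduces authenticatorData to its fixed 37-byte prefix, leaving out CBOR encoding and attestation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
)

// Authenticator stands in for the security key: priv never leaves it, counter bumps on every assertion.
type Authenticator struct {
	priv    ed25519.PrivateKey
	counter uint32
}
// RelyingParty (the website) keeps only the public key from enrollment plus the last counter it saw.
type RelyingParty struct {
	rpID        string
	pub         ed25519.PublicKey
	lastCounter uint32
}
// Enroll is registration: a fresh key pair is generated on the device and only the public half leaves.
func Enroll(rpID string) (*Authenticator, *RelyingParty) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	return &Authenticator{priv: priv}, &RelyingParty{rpID: rpID, pub: pub}
}
// signedMessage is what FIDO2 signs: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	clientHash := sha256.Sum256(clientDataJSON)
	return append(append([]byte{}, authData...), clientHash[:]...)
}

// Assert ("get assertion") builds authenticatorData = rpIdHash || flags || signCount and signs it with the client data.
func (a *Authenticator) Assert(rpID string, clientDataJSON []byte) (authData, sig []byte) {
	a.counter++
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData = append(rpIDHash[:], 0x01, 0, 0, 0, 0) // flag bit 0 = user present (key was touched)
	binary.BigEndian.PutUint32(authData[33:], a.counter)
	return authData, ed25519.Sign(a.priv, signedMessage(authData, clientDataJSON))
}

// Verify is what the site does with an assertion; every check is needed, not just the signature.
func (rp *RelyingParty) Verify(authData, clientDataJSON, sig []byte) bool {
	want := sha256.Sum256([]byte(rp.rpID))
	ok := len(authData) >= 37 && string(authData[:32]) == string(want[:]) && // signed for this site: phishing resistance
		authData[32]&0x01 != 0 && // user-present flag: the key was physically touched
		binary.BigEndian.Uint32(authData[33:37]) > rp.lastCounter && // not a replay, not a cloned key
		ed25519.Verify(rp.pub, signedMessage(authData, clientDataJSON), sig)
	if ok {
		rp.lastCounter = binary.BigEndian.Uint32(authData[33:37])
	}
	return ok
}
```

The rpID hash is why a credential signed for one site is useless on another, which is the property that separates these keys from TOTP or SMS codes.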
I have a couple of v1 Solokey Somus lying about. Good little devices. Unfortunately the main selling point of upgradeable firmware is moot if they no longer support the old devices and you have to upgrade. At that point they're like everyone else. Except they require some setup on some machines, whereas other keys "just work".

I've since replaced them with Yubikeys. Yubikeys have a better feature set (at least compared to my v1's) and at this point are fairly mature/stable. V2 is still pitched as alpha quality, and probably will be deprecated with a v3. As much as I want Solokeys to succeed, I just can't recommend them either.
Am I the only one concerned about the tendency of putting your identity on hardware you possibly do not own?

What a wet dream for the internet-controlling fascists when the adoption of "just wield your smart phone" auth would be in place and mandated everywhere.

Nothing compares to the secrecy of passwords.
I use an old Google Titan key, not the Bluetooth model but the regular one, as my backup (it was my primary) and a Yubikey 5 for my primary. I like the peace of mind they give me that no one can steal my password and log in to my important accounts. But I found that certain providers only allow a single 2FA to be used, with no backup, so I don't feel good using them there (AWS, what the F?). I also find that not a lot of services support 2FA in the form of keys; they generally all want to use TOTP or SMS, so I can only really use these for my Fastmail and Bitwarden and a few other accounts. My bank and my health insurance do not support FIDO keys, and I also can't use them on any government sites! I know passkeys are going to rule the world soon, but I don't like the idea that my phone and a 3rd party have access to this 2nd factor; I prefer a separate key for this purpose.
As much as I want a hardware key, I still struggle with the practicality of having a backup key. I create new accounts on websites quite often, and the idea of having to go fetch my backup key out of a safe to register it (and hope the site allows multiple keys) just feels impractical (“I’ll do it tomorrow”). Not to mention—what if I’m at work, or out and about setting it up on my phone? Am I really going to remember to add my backup key when I get home every time?

Wish there were a way around this :/
I do use multiple keys and I like them a lot, but there is a big issue I don't see mentioned a lot: you can't solo it on most services:

- Google forces you to also keep their stupid "verify on another device", where you can't even untrust specific devices without fully logging out
- Proton apps don't support FIDO auth
- Microsoft account only allows it on Edge and AFAIK not at all on Linux
- and so on...

I think the only service where I can fully disable other 2FA channels is GitHub.

Edit: a word
My Yubikeys are great and have been since I started using them (2011), adopting newer products if necessary as they are released.

Passkeys are a confusing mess for most users, and the limited storage on Yubikeys doesn't help. However, 1Password's passkey support manages to reasonably successfully hide the confusions that always exist when explaining passkeys to anyone.

For now, I'm happy with my Yubikeys+1Password for all the platforms I use.
After looking at various keys and their features I chose basic FIDO2 with NFC, with no storage or other fancy features.

Keys with lots of features have a larger code base, and this means more bugs in the long term.

I use my FIDO2 keys for Proxmox, ssh ed25519-sk, Vaultwarden, Nextcloud, and GAFAM accounts.

Unfortunately I know of no bank that has adopted FIDO2/WebAuthn.

Note: PayPal only allows one FIDO2 key AFAIK, so not an option there.
There is something to be said about having a physical key for an online account. Beyond the security implications it's kind of like a key to your home. Locking the door keeps most out, but there are still ways in.
What do you think about the German Nitrokeys? Especially the features and compatibility of the Nitrokey 3?

Does anyone have one of those?

https://www.nitrokey.com/products/nitrokeys
I use the Security Key by Yubikey (blue one, USB A) as one of my MFA methods, mostly for GitHub and AWS. And I personally like the "cool factor" when I have to "look" for the key when the sites ask for it. "bro, what are ya doing ya dingus?" "i literally can't login without the key, bro. like a real renter in a saas world!"