HW Security Keys - 2023 - State of Tech?
from nickwitha_k@lemmy.sdf.org to cybersecurity@infosec.pub on 18 Aug 2023 21:13 +0000

Hello all!

I’m wondering what folks who are more involved with infosec and have their fingers on the pulse are thinking for best devices and practices at this time.

From my perspective, modern computing has made MFA a requirement for pretty much everything. I’m not a fan of app-based as it is too fragile and increases possible attack surface.

When it comes to HW keys, I see a few factors:

The first one is fairly straightforward - do you have trust in the place of manufacture and the components used? Or, is there some other philosophical reason (ex. labor conditions)?

The second and third are a bit less clear. It seems to me that the more open the source, the more auditable and verifiable, however, this seems to be inversely related to the chance that a device is certified by the FIDO Alliance. I’m not sure if this is due to it being a commercial working group or costs involved being more likely to be prohibitive for OSS/OSHW projects. Any other certifications recommended?

While I would rather the verifiability of open-source, it seems like Yubico’s offerings might be winning out in the other categories for the price. Any thoughts?


silent_water@hexbear.net on 18 Aug 2023 21:37 +0000

Nitrokey – they’re open source and mostly support the new FIDO standards at this point.

PaddleMaster@beehaw.org on 19 Aug 2023 02:35 +0000

YubiKeys are pretty great. I use it. I hate when you have to authenticate via sms, and apps are slightly better.

If you get a YubiKey, you can use it to authenticate into your password manager. I know some people who do only that and they use the randomize password function that’s long and would never be human memorizable.

If you don’t do that, support for the key is listed on their website. There’s enough support on various platforms to make it worth it. But I was surprised the list was so small. I do wish more financial institutions would get with it. Most of my banks only do sms.

Technoprenerd@infosec.pub on 20 Aug 2023 19:21 +0000

Also take a look at SoloKeys (solokeys.com) and OnlyKey (onlykey.io).

noUsernamesLef7@infosec.pub on 22 Aug 2023 01:19 +0000

I bought an OnlyKey a few months ago and love it.