this post was submitted on 30 Nov 2023
32 points (94.4% liked)

Privacy

1221 readers
47 users here now

Icon base by Lorc under CC BY 3.0 with modifications to add a gradient

founded 1 year ago
MODERATORS
 

Hey everyone,

I am currently using an old(er) HYPERSECU FIDO key, USB-A with a button, and I am looking to

  • secure my phone as well (NFC) and, if possible
  • add biometric authentication to the mix.

Are there good alternatives or better: upgrades to the YubiKey which do support NFC as well as biometrics and come with a USB-C?

Thanks for your time ๐Ÿ‘‹

all 18 comments
sorted by: hot top controversial new old
[โ€“] chemicalwonka@discuss.tchncs.de 10 points 11 months ago (1 children)

No doubt, Nitrokey.

Made In Germany โค๐Ÿ‡ฉ๐Ÿ‡ช

Fully open source

Anti tempering

[โ€“] omnissiah@iusearchlinux.fyi 2 points 11 months ago

You can also compile your own firmware. Updates are also verifieable

[โ€“] vrek@programming.dev 8 points 11 months ago (2 children)

I know yubikey is the biggest in the market and it's always good to have alternates but is there a reason you don't want them?

I thought their security was pretty good and haven't heard of any breaches.

[โ€“] jbk@discuss.tchncs.de 4 points 11 months ago (1 children)
[โ€“] vrek@programming.dev 2 points 11 months ago

I think I paid 35 for USB-c and nfc... You think that is severely overpriced?

[โ€“] dog@suppo.fi 3 points 11 months ago (1 children)

May be similar issue as mine. Yubico has pretty awful on-device password support, but for MFA it works. With yubico you're better off thinking of per-site passphrases that you keep in memory in addition to their one-click password entry, so it gets memory heavy.

[โ€“] vrek@programming.dev 2 points 11 months ago

My main thing is my paaword manager is protected by 2fa...maybe not 100%secure granted, but I am not a state level actor and have no major money/property to steal. That's probably why I have no similar issues.

[โ€“] dog@suppo.fi 5 points 11 months ago* (last edited 11 months ago) (1 children)

Out of left field, but take a look at Trezor. They specialize in cryptocurrency hardwallets, but by extension, they also offer password/2fa functionality on their devices. No biometrics* that I'm aware of, but PIN protection is mandatory.

Site: https://trezor.io/

[โ€“] ExperimentalGuy@programming.dev 1 points 11 months ago (1 children)

Which one of their products would you recommend specifically?

[โ€“] dog@suppo.fi 1 points 11 months ago

Either Safe 3 or Model T. Model T is their best option, but very costly. Safe 3 seems to be upgraded Model One for 10$ more.

[โ€“] jet@hackertalks.com 5 points 11 months ago* (last edited 11 months ago) (1 children)

You didn't mention it in your write up, so it's worth iterating that yubikey does have a bio series, USB-C fingerprint reader :

https://www.yubico.com/products/yubikey-bio-series/ fido2, usb-c, fingerprint

Feitian bio series

https://www.ftsafe.com/products/FIDO/BIO fido2, usb-c, fingerprint, nfc

Honerable mention, no NFC or fingerprint, but the only key has a hardware keypad for your pin. https://onlykey.io/

[โ€“] dog@suppo.fi 3 points 11 months ago* (last edited 11 months ago) (1 children)

The issue with onlykey is the static key placement. Trezor for example randomizes key positions, so even if someone gets the key, they won't be able to guess the PIN based on greasemarks and such.

Also more resistant to over-the-shoulder spying.

[โ€“] jet@hackertalks.com 2 points 11 months ago* (last edited 11 months ago) (1 children)

The trezor looks cool, but it's a bit bulky to put on a key ring. I wouldn't want to carry it around as my second factor.

The benefit of external factors, like a fingerprint reader, like an external pin input is that a compromised computer doesn't get the something you know.

[โ€“] dog@suppo.fi 2 points 11 months ago (1 children)

It's a question of what your privacy/security model is. I currently use Yubikey + Bitwarden with a strong main password. If I had to be paranoid, I'd sacrifice convenience for security, and carry a Trezor around.

[โ€“] jet@hackertalks.com 1 points 11 months ago* (last edited 11 months ago)

Personally I think the yubikey fingerprint hardware key plus bit warden is an excellent combination even if you need to be very paranoid.

[โ€“] g33z@infosec.pub 2 points 11 months ago (1 children)

Nice suggestions, thank you very much, everyone.

So as I see it, there is no jack of all trades here, no device supporting modern encryption standards, having biometrics and NFC support and is best case made in Germany, at the moment. ๐Ÿค“

I went for a YubiKey last night, I am sure it is good enough. ๐Ÿ˜… And thanks again for your suggestions.

[โ€“] jet@hackertalks.com 1 points 11 months ago

The feitian device I linked up thread is the jack of all trade you out