scy, to random

Pondering whether to move my #2FA #TOTP secrets to a #YubiKey.

Pro:
• stored safely on protected hardware
• secret "cannot" be extracted
• can access TOTP codes from an untrusted device, e.g. if my phone's battery is empty

Con:
• backing up the secrets is "not possible"
• having a second YubiKey for redundancy is recommended, but both need to be present when setting up a new secret (or you need to store a copy of the secret somewhere else)
• only has 32 slots (but I only have 23 TOTPs atm)

hko, to rust

The oct tool for inspecting, configuring and using OpenPGP card devices (https://crates.io/crates/openpgp-card-tools) is on "This Week in Rust":

https://this-week-in-rust.org/blog/2024/02/21/this-week-in-rust-535/#projecttooling-updates

Yay! 🎉 Thanks again, @dvzrv 😀

#rust #rustlang #OpenPGP #nitrokey #yubikey #SmartCard

mima, to fediverse

Why does #Sharkey / #Misskey need an "authenticator app" registered before you can use a hardware key? That doesn't make sense #security wise.

Yeah I know it's to prevent people from just accidentally getting locked out of their accounts, but there should be an option for #FediAdmins to allow this risk. 🤔

#2FA #yubikey #hardwarekey #cybersecurity #twofactor #twofactorauth #twofactorauthentication

ho1ger, to passkeys German

I've been playing around a bit with #Passkeys and a #Yubikey over the last few days. Cool technology, worth trying out → https://ho1ger.de/2024/02/14/selbstversuch-passkeys-mit-und-ohne-yubikey/

luxas, to random French

Honestly, this is great. SSH authentication with my hardware private key via NFC or USB. Works perfectly with . Dig in.

Edent, to random

What services do you use which work with #WebAuthn / #Yubikey / #FIDO2?

I'm testing a new product and want to see where it works and where it doesn't.

Thanks gang!

yawnbox, to VisionPro

i can't even sign into my

yawnbox,

so... what do i do with this $3900 (1TB) computer?

can't sign into it ( Keys not supported)

can't have two factors for logging into job websites (, because we don't permit passwords for auth)

can't plug in a since there's no USB-C port (again, Okta, but also any other service that requires its use, like, Gmail/YouTube)

can't secure it from ATPs (Lockdown Mode not supported)

and it hurts my face and head

freemo, to security

It was a very very long weekend preparing Yubikeys with pgp keys.

#yubikey #pgp #gpg #security #OpenPGP

todd_a_jacobs, to iOS

This is more of a security question, but I currently know way more people on ruby.social than infosec.exchange. I want to use a #Yubikey for #SMIME or #GPG signing on #iOS & #iPadOS, but can't find:

  1. Any documentation about how to integrate it with Apple Mail.

  2. Anyplace that offers #x509 certificates for S/MIME at zero or minimal cost the way @letsencrypt offers free #SSL certs.

Self-signed S/MIME certs are a non-starter, and there are no full-featured #OpenPGP apps on iOS. Suggestions?

kushal,

@todd_a_jacobs @letsencrypt Sorry for not writing in full, I was trying to say that tool will help you to use your key on an .

The @letsencrypt handle was on the reply as I clicked the reply button on the elk.zone frontend.

governa, to random

Yubikey-Guide: a very complete (and long) Guide to use #YubiKey as a SmartCard for storing #GPG encryption, signing and authentication keys, which can also be used for #SSH

https://github.com/drduh/YubiKey-Guide

DD9JN, to random

Folks who created a #Smartcard or #Yubikey on the command line with #GnuPG 2.4.2, 2.4.3, or 2.2.42 please read:

https://gnupg.org/blog/20240125-smartcard-backup-key.html

kuketzblog, to android German

As soon as passkeys are officially available for KeePassXC (desktop) and/or KeePassDX (Android), not as a beta but as a stable release, there will be a post about it. 🔒

#keepass #keepassdx #keepassxc #android #passwort #passkeys #sicherheit #security

freemind,

@kuketzblog is there a current guide/post on using it with the or ?

Tutanota, to privacy

Keeping your #encrypted mailbox safe & secure is our #passion. 🥰

In light of the news that Authy is discontinuing their desktop app in August of 2024, we want to let everyone know that Tuta supports all major authenticator apps & U2F keys. 🔐

No need to worry about compatibility when making the jump to a new authenticator app.🤹

👉 https://tuta.com/blog/posts/2fa-tutanota-supports-two-factor-authentication

#Yubikey #aegis #2FA #privacy

hoelli, to random German

I'm (desperately) trying to secure my password manager #strongbox on iOS with a #Yubikey 5C NFC and need some help with it. Many thanks in advance 🙂
Boosts welcome too

Scraft161, to infosec

Hardware security key options?

I've been thinking about getting a hardware security key and have heard of yubikey before; but I want to see what my options are and if they are worth it in your opinion.
My current setup is a local KeePassXC database (that I sync between my PC and phone and also acts as TOTP authenticator app), I know that KeePass supports hardware keys for unlocking the database.

I am personally still of the belief that passwords are the safest when done right; but 2FA/MFA can greatly increase security on top of that (again, if done right).
The key would work together with already existing passwords, not replace them.

As I use linux as my primary OS I do expect it to support it and anything that doesn't I will have to pass on.

PS: what are the things I need to know about these hardware keys that's not being talked about too much, I am very much delving into new territory and want to make sure I'm properly educated before I delve in.

@linux @technology @technology @privacy

douginamug, to linux

just got the #passkey demo on https://www.passkeys.io/ working on #linux

  • distro: pop OS ("Ubuntu")
  • browser: #firefox 120.0.1
  • security key: #yubikey 5 NFC

'just worked' after setting a #FIDO2 PIN via YubiKey Manager https://support.yubico.com/hc/en-us/articles/360016649039-Enabling-the-Yubico-PPA-on-Ubuntu#01H30DBXGX5RDD4AM7M815GAA3

mjaschen, to wordpress German

, issue 19 (2023-50).

This time with the , , subway stations from around the world as magnificent 3D models, the homemade "John McClane in Ventilation Shaft" tree ornament complete with lighting, and , and , nerdery and as always (and )

Foxboron, to security

Largely how I feel about the entire push towards FIDO and hardware tokens.

#FIDO #Yubikey #Security

strobelstefan, to random German

Thunderbird GPG Ready - Encrypting and signing e-mails

Thunderbird offers the ability to sign and encrypt e-mails with OpenPGP.
The e-mail program provides a clear GUI for management, helping the user set up and work with encryption.

https://strobelstefan.de/blog/2023/12/06/thunderbird_openpgp_ready_-_e-mails_verschl%C3%BCsseln_und_signieren/

#thunderbird #gpg #yubikey

ljrk, to passkeys

Wow, the comments on my article on #Passkeys in the German #iX/#heise have shown me a lot of misconceptions people have:

  • No, you don't need to synchronize Passkeys
  • nor do you need to use Google/MS/Apple
  • nor is storing an encrypted binary blob a big danger
  • Passkeys aren't just autofilled #passwords: they use challenge auth, not shared secrets!
  • #TOTP 's aren't better because they're a real #2FA. Actually they suck against #phishing.
  • A secure enclave can still be used, but it's mostly used for decrypting the keychain, not storing it
  • You can still use #YubiKey 's, either with discoverable creds (uses 1 slot each) or non-discoverable creds (1 slot for all Passkeys)

Generally, I think the term 2FA is misleading. Not all 2FA is created equal. One could even argue that Passkeys are "less" 2FA than Password+TOTP -- and yet, it's more secure in most attacks because it can't be phished.

A lot of people seem to think that the more annoying and difficult to use a technology is, the more secure it is. We have the same problem with passwords and their complexity. We humans suck at guessing how secure something is through intuition.

Article:
https://www.heise.de/meinung/Kommentar-Passkeys-sind-toll-fuers-Internet-und-schwierig-in-Unternehmen-9543202.html
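
The difference between a shared-secret code and challenge auth described in the post above, as an added example that is not part of the original post. It is a simplified model, not the WebAuthn wire format; the secret, the origins and all function names are constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// TOTP (RFC 6238: HMAC-SHA1, 30 s step, 6 digits) is derived from a shared secret.
function totp(secret, unixSeconds) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixSeconds / 30)));
  const mac = nodeCrypto.createHmac('sha1', secret).update(counter).digest();
  const offset = mac[19] & 0x0f;
  const code = (mac.readUInt32BE(offset) & 0x7fffffff) % 1_000_000;
  return String(code).padStart(6, '0');
}

// The server sees six digits only; nothing in them names the page they were typed into.
function serverAcceptsTotp(secret, code, now) {
  const expected = Buffer.from(totp(secret, now));
  const given = Buffer.from(String(code));
  return given.length === expected.length && nodeCrypto.timingSafeEqual(given, expected);
}

// Passkey-style credential: the private key stays with the authenticator.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');

// Authenticator side: the origin is reported by the browser and signed with the challenge.
function signAssertion(challenge, originSeenByBrowser) {
  const clientData = JSON.stringify({ challenge, origin: originSeenByBrowser });
  return { clientData, signature: nodeCrypto.sign(null, Buffer.from(clientData), privateKey) };
}

// Relying party: verify the signature, then its own challenge and its own origin.
function serverAcceptsAssertion(assertion, expectedChallenge, expectedOrigin) {
  const data = Buffer.from(assertion.clientData);
  if (!nodeCrypto.verify(null, data, publicKey, assertion.signature)) return false;
  const { challenge, origin } = JSON.parse(assertion.clientData);
  return challenge === expectedChallenge && origin === expectedOrigin;
}

function demo() {
  const secret = Buffer.from('constructed-demo-secret');
  const now = 1700000000;
  const site = 'https://example.com', lookalike = 'https://login.example.net';
  const challenge = nodeCrypto.randomBytes(16).toString('hex');
  return {
    totpCodeEnteredElsewhere: serverAcceptsTotp(secret, totp(secret, now), now),
    passkeyOnRealSite: serverAcceptsAssertion(signAssertion(challenge, site), challenge, site),
    passkeyOnLookalike: serverAcceptsAssertion(signAssertion(challenge, lookalike), challenge, site),
  };
}

console.log(demo());
```

A valid TOTP code verifies no matter where it was entered, while the signed assertion is rejected as soon as the origin the browser reported differs from the relying party's own.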

Edent, to security

Where are the U2F Rings?

The FIDO specification defines a form of Universal 2nd Factor (U2F) when users log in to a system. Rather than relying on one-time codes sent via SMS, or displayed on a phone screen, these are physical hardware tokens which are used to supplement passwords. When used with websites, this technology is also known as WebAuthn.

I use a USB thumb-drive sized hardw

https://shkspr.mobi/blog/2022/02/where-are-the-u2f-rings/

#/etc/ #nfc #security #WebAuthn #yubikey

Edent,

Update! They've sent me an NFC ring to review!

Currently experimenting with #U2F and #FIDO2 services.
Let me know if there are any websites you'd like me to test it with.

Can this replace my #YubiKey?
