I am thinking about buying a pair of physical 2FA keys to protect my password manager and sensitive accounts. Which brand and model do you suggest?

If a model with open source firmware doesn’t come with big drawbacks, I’d prefer it, because I may learn from the source code and even contribute to it.

NFC is not necessary, and the keys should be USB-A. A fingerprint reader is welcome if the price doesn’t increase too much.

Thank you all in advance.

  • Matt@lemmy.ml
    1 upvote · 10 hours ago

    I use Yubikey 5C NFC. You can get it for ~29€ last time I checked.

    • sparkle_matrix_x0x@lemmy.mlOP
      1 upvote · 4 hours ago

      That’s cool, strange I didn’t stumble over it when I was searching for these keys. Have you got one? Is it durable?

      • fubarx@lemmy.world
        1 upvote · 4 hours ago

        I got one years ago. Used it for quite a bit. Worked great, but I stopped using it when my daily computer didn’t have a USB-A port any more.

        You do have to remember what each numbered button is for.

  • Godort@lemmy.ca
    5 upvotes · 3 hours ago

    Yubico is industry standard for a reason. The current 5 model will have all the features you need and they are basically indestructible.

  • turtl@lemmy.ml
    4 upvotes · 21 hours ago

    Why do folks seem to prefer Yubikey over alternatives like Nitrokey or Token2?

    • utopiah@lemmy.ml
      3 upvotes · 9 hours ago

      So far nobody provided a good answer (if I missed it, I apologize, please do share) so I’m going to assume it’s the typical “Nobody ever gets fired for buying from IBM” mindset, namely rely on what is the most popular, confirm it works well while ignoring viable alternatives IMHO, e.g. NitroKey.

      • Godort@lemmy.ca
        2 upvotes · 3 hours ago

        > I’m going to assume it’s the typical “Nobody ever gets fired for buying from IBM” mindset

        That’s pretty much it exactly. Yubico has the required features, is widely supported, and is widely used. They have a track record of reliability.

        Other viable alternatives definitely exist, but they don’t have the same real-world penetration. The disadvantage with that is if you run into a platform-specific issue, finding someone who has had the same issue before and posted the solution somewhere becomes far less likely.

        • utopiah@lemmy.ml
          1 upvote · 3 hours ago

          > if you run into a platform-specific issue

          Well that’s of course possible but in theory (which is so different from practice, I get that) if it relies on protocols or specifications rather than vendor-specific implementations, e.g. OTP, TOTP, HOTP, U2F, OpenPGP, WebAuthn, etc., then it should be fine.

  • monovergent@lemmy.ml
    4 upvotes · 22 hours ago

    The firmware isn’t open source and I only chose it for the employee discount, but the blue Yubico security key has held up well over hundreds of uses and several years jingling around in my keychain.

  • solrize@lemmy.ml
    2 upvotes · 22 hours ago

    Do you mean TOTP? FIDO? Or what? FOSS ones exist but they might not do exactly the right thing. I’ve had some ideas for self-built too. What would you do on the host interface side? Wouldn’t you want the host to not have the secret?

    It’s an interesting question.