Hey everyone,

I am currently using an old(er) HYPERSECU FIDO key, USB-A with a button, and I am looking to

  • secure my phone as well (NFC) and, if possible
  • add biometric authentication to the mix.

Are there good alternatives or better: upgrades to the YubiKey which do support NFC as well as biometrics and come with a USB-C?

Thanks for your time 👋

  • vrek@programming.dev
    link
    fedilink
    English
    arrow-up
    8
    ·
    11 months ago

    I know yubikey is the biggest in the market and it’s always good to have alternates but is there a reason you don’t want them?

    I thought their security was pretty good and haven’t heard of any breaches.

    • dog@suppo.fi
      link
      fedilink
      arrow-up
      3
      ·
      11 months ago

      May be similar issue as mine. Yubico has pretty awful on-device password support, but for MFA it works. With yubico you’re better off thinking of per-site passphrases that you keep in memory in addition to their one-click password entry, so it gets memory heavy.

      • vrek@programming.dev
        link
        fedilink
        English
        arrow-up
        2
        ·
        11 months ago

        My main thing is my paaword manager is protected by 2fa…maybe not 100%secure granted, but I am not a state level actor and have no major money/property to steal. That’s probably why I have no similar issues.

    • dog@suppo.fi
      link
      fedilink
      arrow-up
      3
      ·
      edit-2
      11 months ago

      The issue with onlykey is the static key placement. Trezor for example randomizes key positions, so even if someone gets the key, they won’t be able to guess the PIN based on greasemarks and such.

      Also more resistant to over-the-shoulder spying.

      • jet@hackertalks.com
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        11 months ago

        The trezor looks cool, but it’s a bit bulky to put on a key ring. I wouldn’t want to carry it around as my second factor.

        The benefit of external factors, like a fingerprint reader, like an external pin input is that a compromised computer doesn’t get the something you know.

        • dog@suppo.fi
          link
          fedilink
          arrow-up
          2
          ·
          11 months ago

          It’s a question of what your privacy/security model is. I currently use Yubikey + Bitwarden with a strong main password. If I had to be paranoid, I’d sacrifice convenience for security, and carry a Trezor around.

          • jet@hackertalks.com
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            11 months ago

            Personally I think the yubikey fingerprint hardware key plus bit warden is an excellent combination even if you need to be very paranoid.

  • dog@suppo.fi
    link
    fedilink
    arrow-up
    5
    ·
    edit-2
    11 months ago

    Out of left field, but take a look at Trezor. They specialize in cryptocurrency hardwallets, but by extension, they also offer password/2fa functionality on their devices. No biometrics* that I’m aware of, but PIN protection is mandatory.

    Site: https://trezor.io/

  • g33z@infosec.pubOP
    link
    fedilink
    arrow-up
    2
    ·
    11 months ago

    Nice suggestions, thank you very much, everyone.

    So as I see it, there is no jack of all trades here, no device supporting modern encryption standards, having biometrics and NFC support and is best case made in Germany, at the moment. 🤓

    I went for a YubiKey last night, I am sure it is good enough. 😅 And thanks again for your suggestions.