Hardware security key options?

I’ve been thinking about getting a hardware security key and have heard of yubikey before; but I want to see what my options are and if they are worth it in your opinion.
My current setup is a local KeePassXC database (which I sync between my PC and phone and which also acts as my TOTP authenticator app); I know that KeePass supports hardware keys for unlocking the database.

I am personally still of the belief that passwords are the safest when done right; but 2FA/MFA can greatly increase security on top of that (again, if done right).
The key would work together with already existing passwords, not replace them.

As I use Linux as my primary OS, I do expect it to support it, and anything that doesn’t I will have to pass on.

PS: what are the things I need to know about these hardware keys that aren’t being talked about too much? I am very much delving into new territory and want to make sure I’m properly educated before I delve in.

@linux @technology@lemmy.ml @technology@lemmy.world @privacy #2FA #MFA #yubikey #InfoSec #CyberSecurity

  • Justin@lemmy.jlh.name · 20 upvotes · 10 months ago

    There’s a Swedish startup named Tillitis making open source, verifiably secure hardware keys, but they’re not well supported at the moment.

    https://tillitis.se/

    Yubikey probably has the widest support for things like password managers and automatic sign in.

    • Goku@lemmy.world · 2 upvotes, 1 downvote · 10 months ago

      I use Yubikey; it’s hard to find sites that fully support Yubikey services (the one-touch feature).

    • As to why thisisawayoflife recommends these products (over OP’s consideration of Yubico), probably because Solo and Nitro keys are open source hardware and firmware.

      Nitro is a German company. Yubico is a Swedish company. I can’t find where SoloKeys is located. However, the OS nature of Solo and Nitro should make that a little less important.

    • nikoof@feddit.ro · 2 upvotes · 10 months ago

      I also recommend Nitrokey. I have a Nitrokey Pro 2 and a Nitrokey 3 NFC and they both work well. Linux support is very good, and they also have good documentation on how to do most stuff you might want to do. +1 for being open-source as well.

      • magikmw@lemm.ee · 1 upvote · 10 months ago

        Well I might be ignorant of first principles, but I couldn’t get a nitrokey I got for testing to work with anything.

        Not that yubikey is easy.

      • LemmyHead@lemmy.ml · 1 upvote · 10 months ago

        Nitrokey isn’t fully open source though. The secure element is proprietary. But that’s not their fault; OSS secure elements aren’t a thing yet, unfortunately, but some companies want to bring a change in that.

  • WorstCase@lemmy.world · 6 upvotes · 10 months ago (edited)

    While Keepass has the ability to use a Yubikey (or similar) as 2FA (the master password is still required), this does not work on the mobile (Android) apps I tried. If you can make it work, please let me know!

    Other than that: I got my Yubikey working ok on Linux Mint. But somehow the first login often does not work as expected (you have to touch the key). That is why I don’t use it anymore as 2FA for computer login.

    • Corroded@leminal.space · 6 upvotes · 10 months ago (edited)

      Yubikeys can work with KeePassDX; you just need to install the key driver and have NFC enabled.

      Also, I’m pretty sure you are always supposed to touch the key initially when you use it for things like unlocking your KeePass database and whatnot.

    • Scraft161@tsukihi.me (OP) · 1 upvote · 10 months ago

      I don’t have a key yet (which is why I’m asking) and I definitely want it in combination with passwords (they can take the key using force; but they can’t take thoughts out of my head just yet).

      As for android apps not working with the yubikey: try giving KeePassDX a shot; I got it from F-Droid and it does give me a hardware key field with the option to autofill with “Yubikey challenge-response”.

  • LainOfTheWired@lemy.lol · 5 upvotes, 1 downvote · 10 months ago

    Nitrokey would probably be my choice as both the hardware and software are open source (in fact you could probably build your own if you wanted to). I don’t trust Yubikey as the firmware that runs on them is closed source, so you just don’t know if it’s actually secure.

    • library_napper@monyet.cc · 3 upvotes, 1 downvote · 10 months ago

      This. Yubikey is not libre hardware; not sure why they’re so popular. I’d avoid any closed-source hardware for security devices. It’s a bad idea.

  • MiddledAgedGuy@beehaw.org · 3 upvotes · 10 months ago (edited)

    Yubikey and OnlyKey are the only hardware keys that work with keepassxc. So if that’s a requirement for you, then those are your only options. This is true for me as well.

    They cover this in their docs and faq page: https://keepassxc.org/docs/#faq-yubikey-2fa. OnlyKey is an unknown to me while I’ve heard of Yubikey for years.

  • Freddyyeddy@lemmy.world · 3 upvotes · 10 months ago

    Onlykey. It’s U2F, and has up to 12 or 24 username/password combinations depending on how you set it up. It’s got a physical PIN required, and you can set what happens on 6 failed attempts, like nuking its own firmware and (quantum-proof encrypted alg) password and keystore. It requires no software on the machine (after setup), so you can use it on machines you don’t own and don’t need to install middleware (I’m looking at you, Nitrokey). If you use Linux you can use it as an SSH private key and login method requiring challenge-response (via its PIN pad) (Windows support for this via middleware is… not easy). It’s a true one-way write: you add a password and all you can do is overwrite, never read from it. https://onlykey.io/. I’ve been using it in my corporate IT day to day for 3 years.

  • stark@qlemmy.com · 2 upvotes · 10 months ago

    Crazy coincidence that I was just researching hardware keys today. Why go with a hardware key over a free, open source TOTP generator like Aegis?

    • Scraft161@tsukihi.me (OP) · 1 upvote · 10 months ago

      For many TOTP may be a good option; but my experience with TOTP has been less than subpar.

      Initially I did use TOTP like you’re supposed to; but after my last phone died I had to set up TOTP on the accounts that used it *after* getting into them without it using backup codes.
      This led me to put the TOTP stuff inside my KeePass vault (as KeePassXC supports TOTP), which is backed up (unlike most TOTP solutions I’ve used).
      The problem now is that my 2FA keys are stored in the same location as my passwords… (not that I’m worried about someone breaking the vault; but this is *not* how 2FA is supposed to work).

      Additionally I have some other issues with TOTP that make it far from ideal for me and hardware keys seem to be a good fit to solve my issues with TOTP.
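      The two designs argued over in this thread, a master password combined with a hardware key’s HMAC-SHA1 challenge-response versus TOTP seeds kept inside the same vault, as a runnable model. This is an added example, not code from any poster, from KeePassXC, KeePassDX or Yubico; the way the key components are hashed together, the stand-in KDF (SHA-256 instead of a memory-hard KDF), the token class and all secret and challenge values are constructed assumptions, and the TOTP part uses the RFC 6238 test seed.

```python
"""
Added example (not from the thread, KeePassXC or Yubico): a simplified model of
  1. a vault unlocked by master password PLUS a token's HMAC-SHA1
     challenge-response: the secret never leaves the token, the host only sees
     responses, so an attacker needs both the password and the physical key;
  2. TOTP seeds stored inside that same vault: whoever decrypts the vault
     holds both "factors".
Assumptions (constructed): how components are hashed together, SHA-256 as a
stand-in KDF, and every secret/challenge value below.
"""
import hashlib
import hmac
import struct
from typing import Optional


class ChallengeResponseKey:
    """Constructed stand-in for a hardware token's HMAC-SHA1 slot."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret  # written at programming time, never readable by the host

    def respond(self, challenge: bytes) -> bytes:
        # The token computes HMAC-SHA1(secret, challenge); only the MAC leaves the device.
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def derive_vault_key(password: str, challenge: bytes,
                     key: Optional[ChallengeResponseKey]) -> bytes:
    """Composite key from the password component and, if present, the hardware
    component. SHA-256 stands in for the real (memory-hard) KDF (assumption)."""
    pw_component = hashlib.sha256(password.encode("utf-8")).digest()
    if key is None:
        return hashlib.sha256(pw_component).digest()
    hw_component = hashlib.sha256(key.respond(challenge)).digest()
    return hashlib.sha256(pw_component + hw_component).digest()


def unlock_scenarios(password: str, secret: bytes, challenge: bytes) -> dict:
    """Which combinations reproduce the key the vault was enrolled under?"""
    enrolled = derive_vault_key(password, challenge, ChallengeResponseKey(secret))
    stolen_token = ChallengeResponseKey(secret)        # attacker holds the physical key
    other_token = ChallengeResponseKey(b"\xAA" * 20)   # a different, constructed token
    return {
        "password+key": derive_vault_key(password, challenge, stolen_token) == enrolled,
        "password only": derive_vault_key(password, challenge, None) == enrolled,
        "key only, wrong password": derive_vault_key("hunter2", challenge, stolen_token) == enrolled,
        "password+other key": derive_vault_key(password, challenge, other_token) == enrolled,
    }


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step): the same computation a phone app or a
    password manager's built-in TOTP does, which is why the seed IS the factor."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def vault_dump_passes_2fa(vault_entry: dict, site_seed: bytes, unix_time: int) -> bool:
    """If the vault entry carries the TOTP seed next to the password, a decrypted
    vault yields a code the site accepts: both factors came from one store."""
    submitted = totp(vault_entry["totp_seed"], unix_time)
    return hmac.compare_digest(submitted, totp(site_seed, unix_time))


if __name__ == "__main__":
    CHALLENGE = bytes(range(32))   # constructed per-database challenge
    SECRET = bytes(range(20))      # constructed 20-byte HMAC-SHA1 slot secret
    for name, ok in unlock_scenarios("correct horse battery staple", SECRET, CHALLENGE).items():
        print(f"{name:26s} -> {'unlocks' if ok else 'fails'}")
    # RFC 6238 test seed, used here as a constructed vault entry
    entry = {"password": "p@ss", "totp_seed": b"12345678901234567890"}
    print("vault dump passes TOTP:", vault_dump_passes_2fa(entry, entry["totp_seed"], 59))
```

      Only the password-plus-key combination reproduces the enrolled key, which is the "they can take the key but not my thoughts" argument in code; the TOTP half shows that a decrypted vault holding the seed yields a valid second factor, which is exactly why keeping TOTP seeds beside the passwords collapses the two factors into one.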

    • Scraft161@tsukihi.me (OP) · 1 upvote · 10 months ago

      Let’s *NOT* go that route.

      I’m very much looking for a hardware key to avoid biometrics (I can have a field day expressing my opinions on those; but in general they tend to be the weakest MFA factor and most have known working bypasses based on photos).
      This leans a little too close to that for me to consider, let alone all of the things you have to consider when putting implants in your body.

      • carzian@lemmy.ml · 2 upvotes · 10 months ago

        Just wanted to add something different from the other posts; definitely not recommending it.

        That being said, it is a hardware key. You can set it up as a Fido2 key, making it as secure as any of the other options here, it is not biometrics.

        Like I mentioned, you have to be a little crazy to go that route.

    • Norah - She/They@lemmy.blahaj.zone · 1 upvote · 10 months ago

      Thanks for this, I’ve actually been seriously considering a microchip implant for a while. Is it open source? I don’t want proprietary code inside me if I can help it.

      I’ve had a magnet embedded in my pinky for about 7 years now. It’s wild fun having an extra sense, I’ve actually been planning its replacement as it’s gotten much weaker the last year or so. Neodymium magnets do eventually lose their charge, and heat causes it to happen faster.

      • Para_lyzed@lemmy.world · 3 upvotes · 10 months ago (edited)

        It runs JavaCard OS, which is developed by Oracle and not open source. Even though it also runs JavaCard OS, I’d recommend the flexSecure JavaCard from Dangerous Things (for the same price as the Apex Flex), because all of its applets are open source: https://dangerousthings.com/product/flexsecure/. It isn’t quite as “seamless”, because it doesn’t have the closed-source app store available for it that the Apex Flex does, but it instead uses open-source applets that you can load onto it. Regardless, either option will run a closed-source OS, but as far as secure verification goes (by using challenge-response instead of static keys which could be read and copied like old RFID tags), JavaCard is currently the best option. And as far as implantable chips go, the flexSecure JavaCard and the Apex Flex are the 2 best chips on the market to my knowledge.

        The silver lining is that there are plenty of open source applets you can run on JavaCards (like the flexSecure ones written by Dangerous Things).

        • carzian@lemmy.ml · 2 upvotes · 10 months ago

          Great answer. I will add that another major difference between the Apex Flex and the FlexSecure is that the FlexSecure comes with factory default signing keys (which you can change), while the Apex Flex does not. This means you can’t add your own applets to the Apex Flex. Para_lyzed touched on this, but I wanted to emphasize that the FlexSecure gives you the ability to fully manage the implant while the Apex Flex doesn’t. There are trade-offs of course.

  • 413j0@lemmy.world · 2 upvotes · 10 months ago (edited)

    I personally just have 3 U2F keys from different brands; one of them is a Yubikey, but I only use the U2F functionality. I have read enough about the U2F standard to trust it, but the other fluff on some keys I don’t trust enough to use on my accounts, and the basic U2F functionality works perfectly on Linux (I even use it for my Linux login) and basically everywhere.

    I keep one on my keychain (it has a USB-A port, but I keep a female A to male C converter on it as a cap so I can use it on my phone), another that has password protection instead of a single button lives on a port on my desktop, and the third I keep stored. It is more annoying to set up all of them on a new account, but I know I won’t lose access or have to recover my accounts if I lose my keychain.

    And for sites that don’t support U2F I use Aegis for TOTP, which would also be my recommendation; that way if your KeePassXC database is compromised your second factor is safe, and you can also have automatic encrypted backups of your Aegis DB synchronised across devices so you don’t lose them.

    And if you are going to be setting up keys on multiple sites, don’t forget to update or generate your single-use recovery codes and store them safely, preferably on paper, not digitally.

    I personally print mine on regular printer paper in sections about the size of a library card and then spread some UV curing resin until it soaks through, then I clean the excess and leave them in the sun for about 2 hours (most printer paper has optical brightener that makes the resin much slower to cure). I then cut the individual segments and store them in my safe.

    It may be paranoid, but it’s extra work just when creating an account, and I started doing it after I permanently lost access to a trading account because of a lost key and a faded recovery code; thankfully it had no balance stored there at the time.

  • Sarcasmo220@lemmy.ml · 2 upvotes · 10 months ago

    When I did some research on hardware keys I was between Yubikey and Nitrokey. I ended up going with Yubikey because KeepassXC supported it.

    Something to keep in mind is purchasing a backup key. I bought one for my wife and we use each other’s as a backup.

    For KeepassXC it does not support registering multiple keys (at least not that I have figured out), so I have a copy of my database where it uses my wife’s key as a backup.

  • Extras@lemmy.today · 1 upvote · 10 months ago (edited)

    Yubikey is kinda the gold standard IMO. Yes, I know Google has their own Titan something, ~but the other one I know that can rival Yubikey in terms of support and longevity would be Nitrokey.~ Else I recommend making a poor man’s security key using a keyfile and a flash drive to secure your KeePass database.

    Edit: forgot about Nitrokey’s overly sensational claims about a backdoor on Qualcomm chips a while back; that kinda stained my view on their company now. Just get a Yubikey. Sure, there’s no firmware upgrades and whatnot, but it’s good enough for now. Also heard good things about OnlyKeys.