Hey. Why do you say so? Why don’t you mention Nitrokey? I am considering getting a security key to set up 2FA for my password manager.
I have the same question, they’re far from being the best option while being proprietary and blocking firmware upgrades.
It shouldn’t be this easy to open and get access to the internals, so tampering is a huge concern.
I would recommend an OnlyKey:
- Open source.
- Upgradable firmware.
- All your secrets are encrypted against a PIN that you need to physically input using the numpad.
- Has brute force protections.
Thanks for your answer.
I don’t know if we should discuss this here but I have a few reservations about OnlyKey. 1) Since when is it necessary to have this numpad? Yubikey and Nitrokey don’t have this and it’s ok, isn’t it? 2) The key is erased after 10 wrong attempts. This means anyone could ruin my digital life (even stupid people or a kid grabbing it to play with it, or some stupid acquaintance). This is a high risk. Ofc I would have a backup key in another house but man, it makes me feel uneasy. 3) Their USB-C key is microscopic, I would like a larger one. But I can overcome this, especially since it is durable and waterproof (in opposition to Nitrokey).
Is this the only concern you found?
Is it? I mean, if we are speaking of such a high threat model (people wanting to tamper with your key with expensive equipment etc.), I don’t think disassembling a Yubikey or OnlyKey is that hard, don’t you think?
It’s not necessary, it’s just used to encrypt the secrets using your PIN.
YubiKey doesn’t encrypt the secrets, at least as far as I know, would be happy to be proven wrong.
If anyone can just randomly access your security key and do whatever they want with it, it’s not great already, they might as well just break it. And of course, you should always have backups.
TOTP secrets aren’t encrypted.
Good luck tampering with YubiKey or OnlyKey at all, let alone leaving no signs of tampering. This is just a downside that is worth pointing out; whether you care about it depends on your threat model.
As for equipment, I will leave it up to you to decide if $3000 in equipment is expensive or not.
What do you refer to with “the secrets”? The TOTP seeds or the passkeys (I mean the passkeys stored on the security key, idk if they are called passkeys) too?
Thanks for pointing this out.
Yes I saw this too but I wondered if this hadn’t been resolved since then… Anyway, I don’t care, I won’t use it for TOTP.
Right, thanks. I think that I don’t care. If the FBI knocks on my door and takes my security key to do obscure nano precision robotics, then I would try to connect to my accounts with the backup key and delete the other security key. Or anyway, Idk if I even care since I protect my password manager with a passphrase and they would also need the passphrase.
What do you think of SoloKeys? They are FIDO certified and open-source.
Nitrokey are grifters (see NitroPhone pricing). That, combined with the lack of being tamper-evident, is enough reason for me to avoid them. Yes, upgradeable firmware + open source are massive advantages over YubiKeys, but that’s not enough for me. More importantly, YubiKeys are (as far as I know) the only keys to support CTAP 2.1, which allows the key itself to enforce the use of a FIDO2 PIN rather than the service.
Tampering resistance is one of the main selling points of a security key. You can get the same phishing resistance from passkeys stored in a password manager. A security key should make it impossible for the private key(s) to be extracted. There is a reason why “Must use high-quality, tamper-resistant hardware security modules” is a minimum requirement.

I would recommend an OnlyKey:
- Open source.
- Upgradable firmware.
- All your secrets are encrypted against a PIN that you need to physically input using the numpad.
- Has brute force protections.
They also allow the private key(s) to be extracted with their backup feature. Not at all desirable in my opinion. OnlyKey User's Guide | Docs
It’s extremely frustrating that there doesn’t seem to be a single decent security key that meets what I would consider the absolute minimum requirements for my use case.
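The CTAP 2.1 point above (the key itself enforcing a PIN instead of relying on the service to ask for one) is something you can check on a key you already own: a CTAP2 authenticator answers `authenticatorGetInfo` with a CBOR map listing the protocol versions it speaks and an `options` map, and a CTAP 2.1 key that has `alwaysUv` set will require user verification on every credential operation regardless of what the relying party requests. The following is an added example, not code from this thread or from any vendor: it decodes such a response and summarises the relevant fields. The two GetInfo byte strings are constructed here from the CTAP field layout (integer keys 0x01 versions, 0x03 aaguid, 0x04 options) with a throwaway zero AAGUID; they were not captured from real hardware, so treat them as illustrative only.

```python
"""Decode a CTAP2 authenticatorGetInfo response and report whether the key
advertises CTAP 2.1 and the 'alwaysUv' option.  Added example; the GetInfo
byte strings below are constructed, not captured from a real key."""
import struct

# --- minimal CBOR (RFC 8949) subset: ints, bstr, tstr, array, map, bool ---

def _hdr(major, n):
    """Encode a CBOR initial byte plus length/value argument."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    if n < 0x10000:
        return bytes([(major << 5) | 25]) + struct.pack(">H", n)
    return bytes([(major << 5) | 26]) + struct.pack(">I", n)

def cbor_encode(v):
    """Encode the Python types that occur in a GetInfo map."""
    if v is True:
        return b"\xf5"
    if v is False:
        return b"\xf4"
    if isinstance(v, int):
        return _hdr(0, v) if v >= 0 else _hdr(1, -1 - v)
    if isinstance(v, bytes):
        return _hdr(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode()
        return _hdr(3, len(b)) + b
    if isinstance(v, list):
        return _hdr(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        return _hdr(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError("unsupported type %r" % type(v))

def cbor_decode(data, pos=0):
    """Decode one CBOR item starting at pos; returns (value, next_pos)."""
    ib = data[pos]
    major, info = ib >> 5, ib & 0x1F
    pos += 1
    if info < 24:
        n = info
    elif info == 24:
        n = data[pos]; pos += 1
    elif info == 25:
        n = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2
    elif info == 26:
        n = struct.unpack(">I", data[pos:pos + 4])[0]; pos += 4
    else:
        raise ValueError("unsupported additional info %d" % info)
    if major == 0:
        return n, pos
    if major == 1:
        return -1 - n, pos
    if major == 2:
        return bytes(data[pos:pos + n]), pos + n
    if major == 3:
        return data[pos:pos + n].decode(), pos + n
    if major == 4:
        out = []
        for _ in range(n):
            item, pos = cbor_decode(data, pos)
            out.append(item)
        return out, pos
    if major == 5:
        out = {}
        for _ in range(n):
            k, pos = cbor_decode(data, pos)
            val, pos = cbor_decode(data, pos)
            out[k] = val
        return out, pos
    if major == 7 and info in (20, 21):   # false / true
        return info == 21, pos
    raise ValueError("unsupported major type %d" % major)

# --- GetInfo response keys from the CTAP specification ---
VERSIONS, EXTENSIONS, AAGUID, OPTIONS = 0x01, 0x02, 0x03, 0x04

def get_info_summary(resp):
    """Summarise the PIN-related capabilities advertised by a key."""
    info, _ = cbor_decode(resp)
    versions = info.get(VERSIONS, [])
    opts = info.get(OPTIONS, {})
    ctap21 = "FIDO_2_1" in versions
    return {
        "ctap2_1": ctap21,
        # clientPin absent = PIN unsupported; False = supported, not set; True = set
        "client_pin": opts.get("clientPin"),
        "always_uv": opts.get("alwaysUv", False),
        "cred_mgmt": opts.get("credMgmt", False),
        # the key itself enforces UV only with CTAP 2.1's alwaysUv option
        "key_enforces_pin": ctap21 and opts.get("alwaysUv", False),
    }

# Constructed sample responses (hypothetical keys, zero AAGUID).
SAMPLE_CTAP20 = cbor_encode({
    VERSIONS: ["FIDO_2_0", "U2F_V2"], AAGUID: bytes(16),
    OPTIONS: {"rk": True, "up": True, "clientPin": True}})
SAMPLE_CTAP21 = cbor_encode({
    VERSIONS: ["FIDO_2_0", "FIDO_2_1", "U2F_V2"], EXTENSIONS: ["credProtect", "hmac-secret"],
    AAGUID: bytes(16),
    OPTIONS: {"rk": True, "up": True, "clientPin": True, "alwaysUv": True,
              "credMgmt": True, "pinUvAuthToken": True}})

if __name__ == "__main__":
    for name, resp in (("ctap2.0 key", SAMPLE_CTAP20), ("ctap2.1 key", SAMPLE_CTAP21)):
        print(name, get_info_summary(resp))
```

On a real key you would feed `get_info_summary` the raw CBOR payload returned for the GetInfo command (the status byte stripped) instead of the constructed samples; a key that only lists `FIDO_2_0` cannot set `alwaysUv`, which is exactly the gap the thread is describing.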

As for equipment, I will leave it up to you to decide if $3000 in equipment is expensive or not.
Oh thanks, I did not know. It’s definitely not very expensive. I was more thinking of futuristic equipment capable of hacking Titan chips, possessed by entities like TSMC or the CIA, lol. But the equipment to break a security key might be much more affordable than the equipment to break a Titan chip.
Where did you find this price tag?

Tampering resistance is one of the main selling points of a security key. You can get the same phishing resistance from passkeys stored in a password manager. A security key should make it impossible for the private key(s) to be extracted. There is a reason why “Must use high-quality, tamper-resistant hardware security modules” is a minimum requirement.
Aren’t you exaggerating/misunderstanding the requirement? Does it really matter that the KEY is tamper resistant or is it just important that the HSM is tamper resistant?
And btw Nitrokey lists which of their keys have a “tamper resistant smart card”. “The smart card protects against physical attacks and prevents retrieval of keys and encrypted data.”
“Your secret keys are stored in the tamper-resistant and PIN-protected device and are secured against computer viruses, other malware, phishing, loss, theft and brute-force attacks.” If you click “read more”: "High Security
The Nitrokey (some models) contain smart cards that store and protect cryptographic keys securely (Common Criteria EAL 6+ certified). All sensitive cryptographic operations (e.g. generation of secret keys) are securely computed in the Nitrokey. The tamper-resistant design prevents sophisticated physical attacks with laboratory equipment.
An additional administrator PIN enables hierarchical use cases and the import of existing keys and backup of keys are possible."
Honestly I am not an expert and I don’t understand half of all of this but I am gearing towards Nitrokey ATM.

Aren’t you exaggerating/misunderstanding the requirement? Does it really matter that the KEY is tamper resistant or is it just important that the HSM is tamper resistant?
Yeah you’re right it is tamper resistant, but being tamper-evident is also important to me and the Nitrokey is decidedly not that.
The lack of CTAP 2.1 is the biggest drawback imo.
So I’m confused, is it ok to go with an up to date Yubikey? This whole thing of “Yubikey bad” makes me nervous.
Since this thread is about yubikey alternatives:
does anyone here have experience with google titan security keys (the “new” ones as in the ones released around the end of 2023)? I only need support for FIDO2 and 250 passkeys storage is more than enough for my needs since I only plan to protect a few accounts that are very important for me with it.
I wouldn’t say Yubikeys are bad as much as Yubico is bad. Ideally, they would offer open source firmware but more importantly firmware updates (the lack of which is my biggest gripe). Yubikeys support the most modern CTAP 2.1 standard so I would pick them for that reason alone.
The Nitrokey 3C NFC technical details say “Authentication standards: WebAuthentication (WebAuthn), CTAP2/FIDO2, CTAP1/FIDO U2F 1.2, HMAC-Based One-Time Password (RFC 4226), Time-Based One-Time Password (RFC 6238)”. I guess that this is not enough? 2.1 is different from and better than CTAP2?

What do you refer to with “the secrets”?
? Please