FIDO2 in crypto wallet vs FIDO2 in Yubikey

Hello everyone,
I am currently asking myself what to do about my online security.
I am using a password manager, and to log in to it I am using an email, a password, and a physical security key (Yubikey), which, as I understand it, uses the technology named FIDO2.
But to use this, I don’t need a password on my Yubikey; I only need to plug it in and touch the button when the app asks.

I recently discovered that the crypto wallet Trezor can be used for FIDO2 authentication (resolving the challenge … as I understand it works like that). In addition to that, on the Trezor Safe 5 I see that you can add an SD card that’s required to be able to use the wallet (for crypto but for FIDO2 too), so it’s an additional layer of security.
The problem is that this crypto wallet is used for “securing” my crypto, so I was wondering if it could be a good idea to use it anyway for my FIDO2, since it requires an SD card (if the setting is enabled) to be unlocked.
And because Trezor doesn’t support NFC, that means you need to plug it into your phone to authenticate with FIDO; Ledger wallets seem to support this technology too, but those hardware wallets don’t have the option to add an SD card as a second layer of security.

My questions are:

  • Do we agree that a crypto wallet (with a PIN) is more secure than a Yubikey that doesn’t require a PIN (for FIDO2)?
  • Do you recommend using your crypto wallet daily (at work, in public places) to authenticate to accounts, instead of a Yubikey, since it seems to be more secure?
  • If you said yes to the previous question, is the SD card feature on Trezor really necessary, or could I just use a Ledger (which supports NFC, so it’s more convenient to use with a mobile)?

I hope I am on the right forum for those types of questions.

Considering a Yubikey can also have a PIN set, this seems irrelevant. Also, the SD card just seems like another failure point for the security of your crypto wallet.

No, your crypto wallet is a high-value asset that should be secured in a location that is not publicly available. It is also bulkier than the Yubikey. I personally would stick with just the Yubikey.

I am only providing an opinion based on my knowledge which is not a high bar :grimacing:

2 Likes

A complex solution is almost never better than a simpler one.
Carrying a HDW on your person elevates your physical risk level.
HDWs are consumer-grade electronic devices that have more failure points than a YK.
What happens in the case where you decide, or are forced, to switch to a different HDW?
Is any part of this scheme dependent on the HDW seed phrase? What happens if it changes?

I don’t know exactly how it works, but I would want to use it mainly for my password manager account, so in case of a switch to another hardware wallet I would just log in to my password manager and disable the hardware wallet for the FIDO2 2FA, then add the new wallet if it supports it, or just switch back to the Yubikey.

But based on the two answers I got, I think I will set my wallet as a 2FA but leave the device at home; it will just be a backup of my Yubikey.

Thanks for your answer.

How could I set a PIN for the FIDO2 2FA?

My bad, I just checked and it’s WebAuthn (I am a bit confused with all this, sorry).

I would start here

I think I was wrong, it’s not FIDO2; I don’t have anything in my Yubikey after adding it to my password manager.
I am probably misunderstanding something, actually, because I set a PIN for the FIDO2 section but this one is not asked for when I log in to my password manager, whereas for some websites (that use passkeys) it asks me for the PIN, so I think it’s something else but I can’t figure it out.

Resident keys on Yubikey only.
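The PIN behaviour described in the thread (no PIN for the password manager login, PIN for passkey sites) is decided by the relying party's WebAuthn options, not by the key alone. As an added illustration that is not part of the thread and is not code from Yubico, Trezor or Ledger, the following builds the two kinds of registration and login options a site can send and predicts what a PIN-protected security key will ask for. The relying-party id `example.test`, the user `alice`, the challenge bytes and the mode names `secondFactor` / `passkey` are constructed placeholders for the example.

```javascript
// Relying-party policies that drive the authenticator's behaviour.
// (Mode names are this example's own, not WebAuthn vocabulary.)
const MODES = {
  // Password-manager style second factor: a non-discoverable credential and
  // user verification "discouraged" -> the key only asks for a touch.
  secondFactor: { residentKey: "discouraged", userVerification: "discouraged" },
  // Passkey style: a discoverable (resident) credential and user verification
  // "required" -> the key asks for its FIDO2 PIN (or biometric, if it has one).
  passkey: { residentKey: "required", userVerification: "required" },
};

// Build PublicKeyCredentialCreationOptions for navigator.credentials.create().
// `challenge` must be fresh server-generated bytes (a Uint8Array), never reused.
function buildCreationOptions(mode, challenge, rpId, userName) {
  const sel = MODES[mode];
  if (!sel) throw new Error(`unknown mode: ${mode}`);
  return {
    challenge,
    rp: { id: rpId, name: rpId },
    user: {
      id: new TextEncoder().encode(userName), // an opaque user handle; constructed here
      name: userName,
      displayName: userName,
    },
    // ES256 first, RS256 as fallback: what most security keys support.
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },
      { type: "public-key", alg: -257 },
    ],
    authenticatorSelection: {
      authenticatorAttachment: "cross-platform", // roaming key, not a platform TPM
      residentKey: sel.residentKey,
      requireResidentKey: sel.residentKey === "required", // legacy boolean form
      userVerification: sel.userVerification,
    },
    timeout: 60000,
    attestation: "none",
  };
}

// Build PublicKeyCredentialRequestOptions for navigator.credentials.get().
// A non-discoverable credential must be named in allowCredentials (the site
// looks it up by account); a discoverable one can be found by the key itself.
function buildRequestOptions(mode, challenge, rpId, credentialIds) {
  const sel = MODES[mode];
  if (!sel) throw new Error(`unknown mode: ${mode}`);
  return {
    challenge,
    rpId,
    allowCredentials: credentialIds.map((id) => ({ type: "public-key", id })),
    userVerification: sel.userVerification,
    timeout: 60000,
  };
}

// Predict what a security key that has a FIDO2 PIN set will ask for.
// Works for both creation and request options.
function pinPromptExpected(options) {
  const sel = options.authenticatorSelection || {};
  const uv = sel.userVerification || options.userVerification || "preferred";
  const discoverable =
    sel.residentKey === "required" || sel.requireResidentKey === true;
  // "required" always verifies the user; browsers also verify on "preferred"
  // when the key can; YubiKeys require the PIN to create discoverable credentials.
  const pinPrompt = uv === "required" || uv === "preferred" || discoverable;
  return { touch: true, pinPrompt, discoverable };
}

// Usage in a browser page (not executed here):
//   const opts = buildCreationOptions("passkey", challengeFromServer, "example.test", "alice");
//   const cred = await navigator.credentials.create({ publicKey: opts });
```

Registering with `secondFactor` options stores nothing on the key (the credential is wrapped into the credential id the site keeps), which matches "I don't have anything in my Yubikey"; `passkey` options create a resident credential, which is what the key's PIN protects.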