Hardware Security Keys: Who are they for and what features do I need?

Hey everyone, I’m thinking about getting a set of security keys mostly to play with as I think it might be a little outside my threat profile, but now I’m stuck deciding between the Yubico Security Key and the YubiKey 5 Series. I know this site recommends most users just go for the cheaper option (and since you’re buying two, it is something to consider), but thinking about services that don’t support key-based authentication, is it worth upgrading to the 5 Series to use Yubico Authenticator?

More generally, does the average person even really need hardware keys?

Absolutely not. If you’re pretty sure your threat model does not warrant it, I don’t recommend spending your money on them. They are more for other reasons where security is paramount.

But since you’re asking, why do you think you need them?

I would also add the option of using a hardware wallet as a security key.
For example, a Trezor Safe 3 costs only around $79, but supports U2F, FIDO2 and many cryptocurrencies, has a display, and because of the seed backup you only need one.
Note: U2F is directly derived from the seed; FIDO2 needs to be backed up to a file, but the file is encrypted with the seed.

Link: Compare Trezor Hardware Wallets | Advanced Crypto Security

Part of it is that I just think they’d be fun to mess around with, but extra security can’t really be a bad thing in my mind.

1 Like

I was disappointed after I got my first security key (YubiKey) that very few services actually support it where the security key is the only authentication method. In most cases (e.g. Proton), TOTP will still be required as a backup, which defeats the original purpose of getting one.

I would hold off on it until passkeys truly catch on.

For most applications U2F should work, so I would recommend using something that also supports U2F.

Does it though? While the need to register an additional 2FA method isn’t optimal, you are still protected from threats, such as phishing each time you use your security key to log in. That wouldn’t be the case if you only used TOTP or anything else that doesn’t have phishing resistance built-in.

2 Likes
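The phishing-resistance point in the reply above is worth seeing concretely. The following is an added, simplified model (not code from the thread or from any vendor) of what a FIDO2/WebAuthn relying party checks when a security key signs a login, next to a TOTP login relayed through a lookalike site. The credential "signature" is modelled as an HMAC with a per-credential secret so it runs with the standard library only; a real authenticator uses an asymmetric key pair, but the signed data (authenticatorData followed by the SHA-256 of clientDataJSON) and the origin and rpIdHash checks have the same shape. Names such as `example.com`, `examp1e.com` and `alice` are constructed for the example.

```python
"""Why a security key resists phishing while a TOTP code does not (illustrative model)."""
import hashlib
import hmac
import json
import os
import struct
import time


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Security key: each credential is scoped to the rp_id it was created for."""

    def __init__(self):
        self._credentials = {}

    def make_credential(self, rp_id: str) -> bytes:
        secret = os.urandom(32)  # stands in for the key pair of a real authenticator
        self._credentials[rp_id] = secret
        return secret  # in real FIDO2 the relying party receives the public key

    def get_assertion(self, rp_id: str, challenge: str, origin: str):
        # The browser, not the web page, supplies rp_id and origin from the page the
        # user is actually on. The key only has credentials for rp_ids it registered.
        if rp_id not in self._credentials:
            raise LookupError(f"no credential for rp_id {rp_id!r}")
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True,
        ).encode()
        auth_data = sha256(rp_id.encode()) + b"\x01"  # rpIdHash || flags (user present)
        sig = hmac.new(self._credentials[rp_id], auth_data + sha256(client_data),
                       hashlib.sha256).digest()
        return client_data, auth_data, sig


class RelyingParty:
    """The website: verifies that the assertion was made for *its* rp_id and origin."""

    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin, self.users = rp_id, origin, {}

    def new_challenge(self) -> str:
        return os.urandom(16).hex()

    def verify(self, user: str, challenge: str, client_data, auth_data, sig) -> bool:
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
            return False
        if cd.get("origin") != self.origin:  # origin binding: lookalike domains fail here
            return False
        if auth_data[:32] != sha256(self.rp_id.encode()):  # rpIdHash binding
            return False
        expected = hmac.new(self.users[user], auth_data + sha256(client_data),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def simulate_fido_login(page_origin: str) -> bool:
    """Alice registered at https://example.com; a proxy site can relay the real
    challenge, but the browser derives rp_id and origin from page_origin."""
    rp = RelyingParty("example.com", "https://example.com")
    key = Authenticator()
    rp.users["alice"] = key.make_credential("example.com")
    challenge = rp.new_challenge()                    # relayed unchanged by a proxy
    browser_rp_id = page_origin.split("://", 1)[1]    # effective domain (simplified)
    try:
        cd, ad, sig = key.get_assertion(browser_rp_id, challenge, page_origin)
    except LookupError:
        return False  # the key has no credential for the lookalike domain
    return rp.verify("alice", challenge, cd, ad, sig)


def simulate_forged_client_data() -> bool:
    """Even a signature over the right rp_id fails if the origin was not example.com."""
    rp = RelyingParty("example.com", "https://example.com")
    key = Authenticator()
    rp.users["alice"] = key.make_credential("example.com")
    challenge = rp.new_challenge()
    cd, ad, sig = key.get_assertion("example.com", challenge, "https://examp1e.com")
    return rp.verify("alice", challenge, cd, ad, sig)


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step)."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def simulate_totp_relay() -> bool:
    """A TOTP code carries no origin: typed into any page, it verifies once relayed."""
    secret = os.urandom(20)  # shared at enrolment
    now = int(time.time())
    typed_code = totp(secret, now)  # typed into the lookalike page, forwarded intact
    return hmac.compare_digest(totp(secret, now), typed_code)


if __name__ == "__main__":
    print("FIDO2 at real site:     ", simulate_fido_login("https://example.com"))
    print("FIDO2 at lookalike site:", simulate_fido_login("https://examp1e.com"))
    print("FIDO2 forged origin:    ", simulate_forged_client_data())
    print("TOTP relayed via proxy: ", simulate_totp_relay())
```

The two FIDO2 failures come from different layers: the key never produces an assertion for a domain it has no credential for, and the site rejects any assertion whose recorded origin or rpIdHash is not its own. Neither check exists for a TOTP code, which is why a relay attack against it succeeds even though the code itself was never "stolen" from the user.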

As of now, no. The security chips on the latest phones function exactly like a security key.

A hardware security key is for peace of mind, or for people like journalists or activists.