How do you use your security keys?

Hi,

I’d like to know how you use your security keys (Yubikey) and if you use other methods for double authentication in addition to this one.

Do you only use them at home, do you always take them with you when you go out, do you really use them in case of emergency?

I’d also like to know whether you use double authentication in addition to your keys, and whether you prefer to use an app like Aegis or Yubico Authenticator to “centralize” everything.

I’ve heard that having a key + TOTP isn’t much use and that only the key is enough.

What do you think?

Translated with DeepL.com (free version)

I’ve only been using a hardware security key for about a year.

I use it only for a small number of my most important accounts. The rest of my 2FA is TOTP stored in my password manager. This is the best balance between security and convenience I have found so far.

1 key stays with me, another stays in a fixed location.

I’ve heard that having a key + TOTP isn’t much use and that only the key is enough.

I’m not sure this is correct.

There are tradeoffs to consider, but my understanding is that the main value a hardware key provides is that it is “phishing resistant.” Even if you have TOTP set up in addition to your hardware key, you still benefit from the phishing resistance as long as you are using the hardware key, not the TOTP, to authenticate.

There are probably some areas where you are sacrificing a bit of security by keeping TOTP as a backup (for instance, a hardware key can’t be copied or modified, while software solutions like TOTP would have more attack surface). But in the big picture, it is about finding the right balance between (1) security, (2) resilience/redundancy and (3) convenience.

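As an added illustration of the “phishing resistant” point above (example code, not written by anyone in this thread), here is a stdlib-only Python sketch of the relying-party checks: a relayed TOTP code carries nothing that says which page it was typed on, whereas a security-key assertion is signed over the origin the browser was actually on, which the site then compares against its own. RP_ORIGIN, the lookalike origin, the challenge and the seeds are constructed values, and the HMAC stands in for the authenticator’s real ECDSA signature over the same bytes.

```python
import hashlib, hmac, json, struct

RP_ORIGIN = "https://example.com"        # constructed relying party
RP_ID = "example.com"
LOOKALIKE = "https://example-login.net"  # constructed lookalike origin

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, stdlib only."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def totp_login(secret: bytes, submitted: str, t: int) -> bool:
    # The server only sees a 6-digit string; nothing in it says where it was typed.
    return hmac.compare_digest(totp(secret, t), submitted)

def authenticator_sign(key: bytes, challenge: str, browser_origin: str):
    # The browser fills in the origin it is really on; the authenticator signs over it.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01"  # rpIdHash || flags (UP)
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(key, to_sign, hashlib.sha256).digest()  # stand-in for the ECDSA signature
    return client_data, auth_data, sig

def webauthn_login(key: bytes, challenge: str, client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:    # origin binding: this is the phishing-resistance check
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def relayed_totp_accepted(seed: bytes, t: int = 1_700_000_000) -> bool:
    # A code entered on the lookalike page and forwarded unchanged is indistinguishable to the server.
    return totp_login(seed, totp(seed, t), t)

def relayed_assertion_accepted(key: bytes, challenge: str = "constructed-challenge") -> bool:
    # Same genuine challenge forwarded, but the browser was on the lookalike origin when it signed.
    return webauthn_login(key, challenge, *authenticator_sign(key, challenge, LOOKALIKE))

def genuine_assertion_accepted(key: bytes, challenge: str = "constructed-challenge") -> bool:
    return webauthn_login(key, challenge, *authenticator_sign(key, challenge, RP_ORIGIN))
```

In a real browser the rpId is also enforced client-side, so the lookalike page could not even request an assertion for example.com; the server-side origin check shown here is the second line of defence.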

I always have TOTP configured as a backup method, but I don’t use it in addition to my security keys.

Generally I use them wherever it’s possible to do so. Sometimes I use them for SSH, and I configured my desktop to allow me to use Yubikey + PIN to unblock LUKS encryption instead of my passphrase.

I keep one in my laptop (nano Yubikey) and the others stay at home. I’m supposed to have one backup off-site but haven’t placed it yet…

I also have a pair for work, so I can sign into some things with just the key, and I also use Yubico Authenticator for some accounts.

Thanks for your feedback, I’ve been racking my brain for a few days now, trying to figure out how best to use my security keys, but I can’t figure out what would be the most secure in the worst-case scenario.

At first I thought of switching all my TOTP codes to my keys with Yubico Authenticator but unfortunately the app isn’t “secure enough” in my opinion (once the key is plugged in all the codes are displayed).

I’ve also thought about keeping one on me at all times, which I’ll use only to access Bitwarden, and the second which I’ll keep at home to access all the other accounts (Bitwarden, Proton, Tuta etc.).

We’ll see, I don’t really know what to do.

Translated with DeepL.com (free version)