Lost another hardware key, should I just give up on them?

So, I lost another hardware key since discussing it not even two weeks ago.

From that chat, the main value of having a hardware key is that they are in theory supposed to only be connected to a single device, which makes them less accessible across services but I constantly lose them or at the very least just forget to bring them along which is a pain, plus, they aren’t cheap and I get it…for good reason. I’ve always known this would be an issue, so I always buy extras and then go through the work of registering them across all the stuff I did with the old key.

Given the inherent issue that tends to pop up with me and likely many other humans with “keeping track of small items” issues, what would you all recommend?

My setup:

I’ve used hardware keys as both 2FA and to lock my KeepassXC which is replicated with my vault in cloud storage. I really like Aegis TOTP so in theory, I don’t mind reverting back to an authenticator app for 2FA. My real reason that I liked the hardware key was kind of the master password that couldn’t be as easily leaked or replicated…but its strength is also its weakness for users like me.

If I remove the hardware key and an attacker got access to my vault and my master password, they could crack it open with their local KeepassXC, Aegis, etc…

The support for biometrics in KeePassXC has been merged and will be available in 2.8.0 which could provide some other layer of protection to the vault itself, but some suggest that biometrics aren’t necessarily trustworthy.

I’m pretty good at keeping my phone with me, I think the primary issue is that the key is small. Here’s a few thoughts I’ve had:

  1. Connect my key to my phone
  2. Biometrics + Passkey to replace hardware key
  3. 2 USB + Passkey and I really really promise to not copy it more than once. If I lose the usb, I have the backup to unlock stuff and update the password and buy new usb to hold the key.
  4. Programmable microchip in my skin + Passkey for extra dystopian vibes

Any other ideas or which of these seem least risky? Maybe someone has a “5 security key alternatives that Yubico doesn’t want you to know about”?

I want to assume a higher threat model to be in practice rather than having to learn as I go. Also, if I ever wanted to enter into hacktivism/journalistic side of things, or were to advise someone in this realm, then I would be well practiced if the situation becomes apparent that I need to operate at that higher model. Plus I find it strangely fun.

Don’t hang the key on your door.

Just use a big key chain charm. Or a bracelet/necklace, it will always be on you.

I don’t typically bring my personal one around but, the one I use for work I keep on a keychain with my house/car keys as I am highly unlikely to forget that.

2 Likes

Are you losing track of the Yubikey nano or a full-sized model?

I did try a bracelet, but have to take it off when washing my hands. I want to emphasize how easily I space out when handling my things. I’ve lost phones, wallets and other stuff, though I’ve gotten a bit better with those over years of practice. I tend to take stuff off without thinking about it: showering, changing at a pool party, for instance. I’ll also be traveling soon, and this commonly involves removing these keys. Also, when removing it to use it in my computer, I may forget to put it back on and leave it wherever I was.

This is when I start to think about the skin implant a bunch…waterproof and can’t take it off.

I don’t drive often, and when I do, we have a key hanger as soon as I walk in the door and I have developed this habit to put the keys there before I take off my shoes or anything. Unfortunately, I need my hardware key all the time even when I’m at home, and use it at the library etc…

Yubikey full-sized 5c NFC

This might not be super helpful advice but what it sounds like, to me, is you need to focus on creating a new habit.

I recommend just having a key for home and for travel and start forcing yourself to never not have the travel one on you. Maybe put a note by the door reminding you to check if you have it.

1 Like

But the key is water resistant though? You don’t need to take it off.

Get a bracelet with a springy string so you can use it without removing. And a USB hub for desktop.

1 Like

Yeah, that’s kind of what this has been doing so far and I’ve just lost $200 worth of keys while building the habit lol. I guess maybe continue doing this but initially with a USB so the habit building isn’t so expensive?

Once a sticky note is placed somewhere to remind me of something, it blends into the scenery and I’ll never read it.

huh…well I’ll be…

IP68 rated, crush resistant, no batteries required, no moving parts

IP Code Wikipedia says

6 - Dust-tight - No ingress of dust; complete protection against contact (dust-tight). A vacuum must be applied. Test duration of up to 8 hours based on airflow.
8 - Immersion, 1 meter (3 ft 3 in) or more depth - The equipment is suitable for continuous immersion in water under conditions which the manufacturer shall specify. However, with certain types of equipment, it can mean that water can enter but only so that it produces no harmful effects. The test depth and duration are expected to be greater than the requirements for IPx7, and other environmental effects may be added, such as temperature cycling before immersion. Depth specified by the manufacturer, generally up to 3 meters (9.8 ft)

I had no clue about this…I may try the necklace/bracelet thing.

Have you actually tested this? Wash hands/dishes/repeatedly shower with/swim (in the ocean)? etc… and then dry it off and use it?

No, but I have washed my phone, which has a worse rating, with soap before.

Also, the key has minimal PoF; since yours is USB-C, just dry the port specifically when you dry your hands.

Also check my edited post regarding the bracelet.

1 Like

I’d still be a bit concerned about accidentally plugging in a wet YubiKey to my non-water-resistant computer.

1 Like

I am literally about to go to the ocean a bunch this summer…maybe this will be the test 🙂

Yeah, this is a bit concerning…I wonder if there’s a way to waterproof cover the yubikey to avoid it getting wet as much as possible but not freak out if it does get wet.


Not saying to use an Apple tag, but this isn’t a bad idea I just found on Etsy after searching yubikey waterproof wristbands.

1 Like

Eh. Long term exposure to salt water is not a great idea actually. I recommend not doing that.

1 Like

Yeah, didn’t think it would be. Although, I do think that adding another case around it would be the way to keep it on me at all times and avoid the wet USB in computer issue. Maybe also coupling that with an AirTag-like setup.

I feel like this is a small side business plan forming.

I found this online.

Yeah, I actually have these already just because I used to get lint in the usb port having it in a pocket. I don’t think this would keep the salt water out though…and would it keep water out enough to avoid any liquid from possibly entering the computer?

I unmarked the solution for now since we hit the ocean use case.

Perhaps then, it’s the combination of these.

Wearable + extender to keep it on me 99% of the time
Water cover (to avoid usb port getting wet or debris)
Cheap GPS Tracker (for the few times I do have to take it off like going for a plunge in the ocean or other rough environments)