I understand the benefits of passkeys and such, but one of my main threats is physical access to my devices.
For example, I know that if my locked phone is taken, no one can access it without forcing me to unlock it.
However, with one look at those YubiKeys it seems that whoever takes my key can access any of my accounts, as there seems to be no PIN or anything.
Am I mistaken? What are the protections embedded into those keys to address physical theft of them?
But assuming that you are bringing it outside, a thief is not likely to infer your identity from a lost/stolen YubiKey. They won't be able to access your accounts unless they somehow obtain your password as well. Remember that it is the second step of 2FA, not the only step.
What’s the alternative anyways? Your phone which also can be stolen?
YubiKeys support PIN codes that you enter before it will allow you to authenticate with it: Understanding Yubikey PINs
One thing to note about them is they don’t always get prompted properly in my experience, but I believe that’s a website issue, not a Yubikey PIN issue.
Attackers would still need access to your account information and passwords, which you are hopefully storing in a protected password manager; YubiKeys are a second factor for your accounts, not a passkey replacement.
A PIN, or at least biometrics (which is worse). I'm not afraid of my phone being stolen because of that. The only thing a thief can do is factory reset it, deleting all my data.
I heard passkeys are positioning themselves to be a password replacement, not just 2FA. And YubiKey supports passkeys.
Overall, because of everything said, it feels like having OTP in an authenticator app on a properly protected phone is more secure than 2FA with YubiKeys. Though I really don't like the concept of OTP as theoretically brute-forceable.
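The "OTP is theoretically brute-forceable" point above, as an added example that is not part of the original thread: a plain RFC 4226/RFC 6238 HOTP/TOTP implementation, a verifier with the usual ±1-step skew window and constant-time comparison, and a function that estimates an online guesser's chance of success under a given rate limit. The secret is the RFC reference seed (a constructed test key, not a real one), and the attempts-per-window figures are assumptions chosen for illustration.

```python
import hmac
import hashlib
import struct

# Constructed test secret: the RFC 4226 / RFC 6238 reference seed, not a real key.
RFC_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits, digestmod)


def verify_totp(secret: bytes, candidate: str, at: int, step: int = 30,
                digits: int = 6, skew: int = 1) -> bool:
    """Accept the current code and `skew` steps either side (clock drift).

    Uses a constant-time compare so the check itself leaks nothing about
    how many leading digits matched. Note the widened window also widens
    the set of codes a guesser can hit, which the estimate below accounts for.
    """
    for delta in range(-skew, skew + 1):
        expected = totp(secret, at + delta * step, step, digits, hashlib.sha1)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def guess_success_probability(attempts_per_window: int, windows: int,
                              digits: int = 6, skew: int = 1) -> float:
    """Approximate chance an online guesser lands a valid code.

    Assumption (labelled): the verifier lets `attempts_per_window` distinct
    guesses through per time step, and accepts (2*skew+1) codes per step.
    Per-window hit chance is then about attempts * accepted / 10**digits,
    capped at 1; success over `windows` independent windows follows.
    """
    accepted = 2 * skew + 1
    per_window = min(1.0, attempts_per_window * accepted / 10 ** digits)
    return 1.0 - (1.0 - per_window) ** windows


if __name__ == "__main__":
    # RFC 4226 Appendix D vectors: counter 0 -> 755224, counter 1 -> 287082.
    print(hotp(RFC_SEED, 0), hotp(RFC_SEED, 1))
    # RFC 6238: at Unix time 59 with SHA-1 the 6-digit code is 287082.
    print(totp(RFC_SEED, 59))
    # Assumed rate limits: 5 guesses per 30 s window for one day (2880 windows).
    print(f"{guess_success_probability(5, 2880):.4f}")
    # With no rate limit at all, a 6-digit code falls in a single window.
    print(guess_success_probability(10 ** 6, 1))
```

The takeaway the thread is circling: the code space (10^6) is fixed, so the guesser's odds scale linearly with the number of attempts the verifier lets through. A server that throttles or locks out after a few failures makes the "theoretically brute-forceable" OTP a practical non-issue; one that does not can be exhausted in a single step regardless of how well the phone is protected. The same logic is why a FIDO2 key's PIN is backed by a retry counter enforced on the key rather than by the relying party.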
That's totally dependent upon your threat model. For most people, a physical security key is better than using an OTP app, but if having your physical security compromised is a bigger threat for you than your OTP entries being compromised, you may want to consider something completely different; a properly secured phone is only as useful as a $5 wrench.
So I'm honestly not convinced by YubiKeys if the major concern is physical access. Having an on-device PIN is mandatory; having a duress PIN would also be very nice.
At this point it's all threat modeling; no one here can tell you what's best for your situation. If you don't think physical security keys will work with your threat model, then don't use them.