Remove Nitrokey from MFA section

Why I think this tool should be added

I couldn’t believe PG is recommending a security key product that doesn’t even pass FIDO certification (FIDO® Certified - FIDO Alliance). I also recommend adding FIDO certification as a minimal criterion for security keys.

Apple and Microsoft both enforce the FIDO certification. What’s the point of buying Nitrokey if we cannot use it for these cases? Open source does not mean security.

Nitrokey feels like a bad company ngl.

Did it not pass or was it never audited?

They were working on it in 2022 and still have not finished it in 2024. I think they did not pass it.

Okay that’s an interesting signal then.
I mean if they never tried that’s a quite different story. Although I also tend to agree that we should recommend only certified keys.

On the other hand, with passkeys being stored basically wherever I wonder also how that will impact that. I mean will the FIDO alliance also decide if you can use a certain vault or not? It may not even be a bad thing, but interesting for sure.

According to a forum post from October 2023, the development efforts remain ongoing [1].

It appears that Nitrokey is encountering substantial difficulties in meeting the standards established by the FIDO Alliance. However, my understanding of the FIDO criteria is limited.

Notably, Solokeys, which utilizes the same Trussed API as Nitrokey, has achieved FIDO Alliance certification [2, 3].

I doubt there are security issues in Nitrokey that prevent them from being certified. We should remove Nitrokey imo.

FYI, higher level certification means higher security. Google Titan, Feitian and Yubikey 5 before firmware 5.7 are level 1. Yubikey FIPS, Yubikey Security Key and Yubikey 5 after 5.7 are level 2.

FIPS Yubikeys are actually worse than up-to-date regular Yubikeys; the FIPS standard is not constantly up to date, whereas Yubico does go beyond with security on non-FIPS. One example is the size of keys stored by the key: the FIPS one has smaller key sizes for RSA? I think? than the regular key.

Source: literally heard this from a high up manager for Yubico’s Asia and Australia branch

Also Yubico explains them here.

Well FIPS is a separate certification, but yeah it’s more of a limit on what encryption standards are allowed, not really a higher standard. The FIPS series doesn’t support ed25519, that’s probably the main limit most would run into.

Where do you see this info about the non-FIPS Yubikey 5? That isn’t in the FIDO database (or Yubico’s own comparison chart).

Yubikey 5.7 Spec. They are working on 5.7 to pass L2. Sorry for my mistake in claiming they have passed L2.
Also this post’s aim is mainly to remove Nitrokey.

So… coming soon, ok.

Yeah, I agree though, especially now that more governments/orgs are mandating certification. The hardware key section is due for a refresh anyways.

edit: I won’t mark as approved without hearing other opinions from team members or more community members, but I’ll submit a PR now anyways.

edit: see:

I think we should give time to Nitrokey to respond and give them the opportunity to pass the FIDO Alliance certification.
Since this minimum requirement has just been added (with no such thing in 2 yrs), it would be fair to give them time to pass the certification (like maybe 30 days) before disqualifying them.
Their community forum is not actively monitored, but as per an inquiry in their Matrix room, they have said they submitted answers to the FIDO Alliance and are waiting for the FIDO Alliance’s results, which may not take too long.

About the usefulness of the key, I would say it’s quite competitive compared to the other keys in the market in terms of features, while also being completely open source at the same time.

I am not sure what “Microsoft Entra” is used for, but Nitrokey does seem to work with Windows Hello, and also for signing into your Microsoft account.
I have not checked with Apple ID, but it should work with it as well.

Also, only the NK3 works with KeePassXC, apart from the Yubikey 5, which is also a good use case.

Note: not trying to shield Nitrokey here, just listing some of its positive points.


It’s for enterprise SSO (used to be called Azure ActiveDirectory), so your workplace might use it for logging into internet/intranet apps for example.

The main reason I’m fine with it is that Nitrokey has always been kind of meh for a lot of people. I hear a lot of mixed reviews, and their business model has always basically been reselling products with minor modifications. I think we should just recommend SoloKey as an open-source FIDO2 key.

Solokey is just one key, I think; it’s mostly a backup kind of product.

While I generally concur with your perspective, it is important to note that Nitrokey has been asserting for nearly two years that certification by the FIDO Alliance would be achieved “in a couple of months.” I also harbor doubts regarding whether Nitrokey would offer an honest and transparent response if PG were to contact them for a statement on this matter.

We should also consider the possibility that superior alternatives may currently exist. Should Nitrokey release an update in the future, there would be no impediment to PG recommending it once again.