Yubikey and Onlykey

moonscape2 · January 31, 2025, 4:56pm

Hey guys!

I am looking to increase my physical security. Has anyone used the yubikey static password function or an onlykey for their pc or Mac login? Maybe even part of master password?

Love to hear your thoughts!

basenote · January 31, 2025, 4:57pm

I used to use it for Windows. Worked well. macOS takes a little more to configure and make it work.

moonscape2 · January 31, 2025, 5:01pm

Oh nice! I was just thinking oh having a salted long crazy password in onlykey or even yubikey. Maybe even for my phone if it allows peripherals like that.

basenote · January 31, 2025, 5:13pm

If you know what you’re doing, then fine. But that sounds unnecessary complications to me. But your threat model could vary.

moonscape2 · February 3, 2025, 3:26pm

Could you tell me why you find it unnecessarily complicated? I thought it would be quite nifty to have a long master password in your key and that is what unlocks your PWM. Or when you turn on your PC or Mac you use the key for a strong login password. Sometimes I find memory fleeting.

phnx · February 3, 2025, 3:31pm

Using a static password on a Yubikey is the functional equivalent of writing it on a sticky note on your montior.

moonscape2 · February 3, 2025, 3:34pm

I see. What are your thoughts about the onlykey that is protected behind a PIN of your choosing?

phnx · February 3, 2025, 3:37pm

No idea, I’m not familiar with their products. From my quick look at their website, they also autofill login credentials without authentication:

OnlyKey DUO - Dual USB-C and USB-A Security Key
No need to remember multiple passwords because by plugging OnlyKey to your computer, it automatically inputs your username and password. It works with Windows, Mac OS, Linux, or Chromebook, just press a button to login securely!

Any reason you wouldn’t want to use PIV smartcard functionality on the Yubikey?

moonscape2 · February 3, 2025, 3:43pm

I actually just watched the set-up video of that on their website! As someone who is new to a lot of this stuff, is that pretty secure?

phnx · February 3, 2025, 3:49pm

Yes, PIV is secure; it’s used (in some form) by the US government if that offers any assurance: FIPS 201 - Wikipedia.

Just read through the article I linked early thoroughly so you don’t accidentally lock yourself out. As long as you don’t set it to require a PIV and have the password stored somewhere for a worst-case scenario (like losing your Yubikey), you’ll be fine.

moonscape2 · February 3, 2025, 3:56pm

oh, jeez that would be bad