Hi
I am considering purchasing YubiKey. Should I purchase it?
Any recommendations?
As I know, they are closed source (I mean key itself)…
I like it for MFA and using the same simple password with a rotating key. It’s also valuable if you frequent public places and physical security is a concern. I also use it for ssh keys for logging into machines.
Make sure to have a spare key.
Do you have any specific use case in mind? They have different product lines depending on what features you want and/or need.
Having a backup key is an absolute must as @bitsondatadev said. Ideally you should not ever keep the two in the same place.
Everyone who can afford security keys should have them. It offers more secure and more convenient MFA.
A lot of people recommend getting a spare key, but I’d go further and take inspiration from the 3-2-1 backup rule. Ideally you should have at least two separate “backups” of MFA secrets on different devices, plus a third backup that you store off-site in another location. The easiest (but most expensive) way to do this is to buy 3 keys.
However, you might be able to get away with even just one key. If you’re using it for MFA, you can still store TOTP secrets on a VeraCrypt encrypted flash drive or SD card which can be used as the secondary and/or tertiary backup. You can also set up passkeys on other devices such as compatible smartphones and laptops. Just keep in mind some services might be weird and try to deny you redundancy when using a passkey, in which case you should stick to TOTP.
The YubiKey hardware and firmware is all proprietary, but I believe their apps are open source. There isn’t a truly open source alternative but Nitrokey is the next best thing. I believe most of the firmware is open source but as with nearly all computers, the hardware and some of its firmware is likely proprietary. My main issue with Nitrokey is that TOTP/HOTP secrets are not encrypted according to PrivacyGuides. Unless you expect someone to swipe your key and hack into it, it’s unlikely to be an issue. But for that reason, YubiKey will offer better security if you use TOTP/HOTP.
Personally, I wouldn’t buy it because password manager currently supports the majority of it.
In fact, I need to secure my email, as it is super critical for me, and my alias provider.
Do you think two will be enough?
You mean seed, right? Because one time codes cannot be stored in that way.
Two is more than enough.
Yes, everywhere you set up MFA you’ll likely have the option to have TOTP support which you could use for cheap backups rather than buying multiple keys.
The more backups the better. Having two keys plus additional cheap backups is probably the sweet spot.
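The point made above about backing up the seed rather than the codes, as an added example that is not part of the thread: a minimal RFC 6238 TOTP implementation showing that a base32 seed (the thing you would keep on an encrypted drive) regenerates every code for any moment in time, and how a service-side check with a small clock-skew window looks. The seed used is the published RFC 4226/6238 test secret, not a real account secret; the function names are mine.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed seed: the RFC 4226 / RFC 6238 reference test secret, base32-encoded
# exactly as an authenticator app's otpauth:// URI would carry it.
TEST_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()


def decode_seed(seed_b32: str) -> bytes:
    """Decode a base32 seed; tolerates the unpadded form used in otpauth URIs."""
    s = seed_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, for_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time / step."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(decode_seed(seed_b32), t // step, digits)


def verify_code(seed_b32: str, code: str, for_time=None, step: int = 30,
                window: int = 1) -> bool:
    """Service-side check: accept codes from the current step and +/- window steps.

    compare_digest keeps the comparison constant-time; the window absorbs small
    clock drift between the authenticator and the server.
    """
    t = int(time.time() if for_time is None else for_time)
    return any(
        hmac.compare_digest(totp(seed_b32, t + k * step, step), code)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    # The seed alone is enough to recreate a code for any point in time, which is
    # why the seed (not a screenshot of codes) is what belongs in the backup.
    print("seed to back up:", TEST_SEED_B32)
    print("code at T=59:   ", totp(TEST_SEED_B32, 59))       # RFC 6238 vector
    print("code now:       ", totp(TEST_SEED_B32))
```

Note that a seed restored from backup onto a second device produces identical codes, so two "backups" of a TOTP secret are two copies of the same seed, and losing the seed to an attacker is equivalent to losing the second factor entirely; that is the trade-off the encrypted-drive approach above accepts.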
Proprietary and blocks the ability to update firmware.
I would recommend getting an OnlyKey if it fits your needs:
Hey. What do you think of Nitrokey (outside of their drama with GrapheneOS which I am not even interested in) ? I am considering getting a security key to set-up a 2FA for my password manager. I ask you about technical aspects, not about price or shipping. Cheers
When are they blocking the ability to update firmware?
Pretty sure you can update the Yubikey firmware.
And anywho, yubikey is generally being recommended here so I wouldn’t go against it.
Edit: it seems it is true. However, historically yubikey replaces your key if a vulnerability is discovered, and I understand their reasoning to not allow the firmware to be accessible as long as they can still mitigate vulnerabilities in other ways.
I don’t remember them ever having upgradable firmware.
Just because something is or isn’t recommended by PG doesn’t make it good or bad.
They aren’t obligated to, so it’s up to them if they will replace it or not. It’s also a lot more inconvenient to get the new ones from Yubico and then register them on all of your accounts while deregistering the old ones instead of just upgrading the firmware.
They’re definitely not going to replace your key if the newer firmware has a new feature that you would want or even need, so you will have to open your wallet and give Yubico some more money.
Wtf, how come this is the first I’m hearing of this!?!?
Why isn’t OnlyKey recommended?
They didn’t in response to EUCLEAK - YubiKey 5 can be cloned in a matter of minutes. Everyone who owns an older Yubikey is just SOL.
Looks like OnlyKey’s security flaw is that it enables backups, which I agree is an odd feature but not a deal breaker for my TM.
Anything else concerning from a security or UX standpoint?
I would point out that because I/we stopped looking at OnlyKey because of this issue, there may be additional problems that we just did not uncover or discuss. I can’t really say either way whether there are additional concerns on our end.
At this point, if I was willing to test out Solo vs Only, which would you choose?
It seems we got further with the solokey and their new line has FIDO 2 support: Solo 2C+ NFC Security Key (Built with Trussed®) – SoloKeys | Built with Trussed®
I only see their original Solo products (the Solo, Solo Tap, and the even older Somu) listed here: FIDO® Certified - FIDO Alliance (search Company: SoloKeys)
I don’t like this a lot because I think they are being misleading in using the Fido Certified badge. The Solo 2 is basically entirely different from the original product, so why would their original certification apply to it?
These problems I consistently encounter with various hardware security keys is a big reason I kind of think Yubico are the only ones taking it seriously.
Damn that is unfortunate because I want to vote with my dollars for the open code but not if it’s missing critical modern features.
I’ve been using the YubiKey for almost a year now and wish I started using it sooner. It’s made my 2FA life so much easier. I do plan on migrating to Nitrokey in the near future as I value and would prefer to support the open source model; after some research I’m still unsure whether the upgradeable firmware is an added bonus.
I’d add that a nice privacy benefit I’ve found with having a hard key versus SMS-2FA is the ability to create accounts that require 2FA when signing up without having to provide my phone number. I had to create a GMail account (don’t use Google for anything otherwise) for an online class for example and Google insisted on a phone number at sign up likely due to my VPN connection but I was able to circumvent that with the 2FA app.