The key is here, and so are my first impressions.
Mind you, I have no idea what I’m talking about, these are my views, and I might very well be missing the point. Please feel free to let me know that…
I’m not going deep, just the basic “let me into my account” features I’m looking for at the moment. Bear with me, I’ve had it for a day.
(Yubi has its own bodyguard. You can never be too safe, right?)
As we talked about, a few things should be considered when thinking about a Yubikey. I’m not a high-value target (heck, not even a low-value one) so I don’t think people are coming after my stuff. Except for Instagram, where I get daily notifications of people trying to access my account and change the password!
Anyway, if a service provides 2FA, I’m using it. I think everyone should.
At the moment I’m using 1Password for this. I’m aware it’s not the safest way of going about it, but it’s certainly better than not having it enabled at all, and it is VERY handy.
My reasoning for this is: if my 1P is already compromised, I’m screwed anyway. The app, both macOS and iOS need a strong password to log in, and FaceID on the iOS one. If they manage to get there, I probably have a large gun pointed at me, and there are other things I should be worried about. Like “How did I get myself in a situation where a large gun is pointed at me and people want my OMG.LOL login credentials”??
For day to day use this is really neat. It does not slow me down, while keeping me secure. I’m the one holding the TOTP app, and that is always needed to log in. 1Password even inputs the codes for me, so I’m good, and lazy.
But the Yubikey looked so cool and geeky!
It has arrived, and I started poking around with it. First try, GitHub. One of the services that supports the “whole thing”! The “touch the key and you’re in” method. It’s great.
I wish I could use the WebAuthn method to log in to every single site, as that works brilliantly. The key will be plugged into the computer, or I’ll hold it to the back of the phone, and it just works. Like magic. Having this all over the web would be awesome.
However, not all (or even most) sites allow for this great feature, and they will use the same TOTP method as the regular authentication apps. Yubico provides its own Yubico Authenticator app (macOS and iOS versions), and the codes are stored on the key. It only has room for 32 of those, and that’s not a lot, maybe insufficient for some people.
And you’ll have to open the app, while holding the key to its back, and copy and paste them by hand, as you would do with Authy, or any of the other apps available. The big difference here is the place where the codes are stored. Not on the phone, but on the key. Without it, you’ll see the app empty, with no codes in there.
1Password clearly wins on the comfort side. Maybe not as safe, but maybe safe enough for most people. It’s safe enough for me.
But… Opening up the app, seeing it empty, and watching it all come to life when you plug the key in? Priceless! It adds that extra oomph. Oh, and security as well!
I added a few apps to the key, but I’m still keeping them in 1P as well, for now.
If everything works out ok, I’ll be able to delete them from that app, and just use the key and its own authenticator app. Having them on both sides makes no sense, and I’m not more secure because of it. I’m just not sure yet if I’m willing to carry the key every day, and stop being lazy about this.