Ask HN: Alternatives to Yubikey?

157 pointseekthecat8y ago86 comments

I haven't had a good experiencing with Yubikey's support and sales team and I'm looking for an alternative.

What other keys are people actively using?

I'm interested in something with equivalent features to the Yubikey 4 (NFC not required, U2F mandatory).

86 comments

j_s8y ago

This came up last week on the OpenPGP discussion; here's a re-post -- no one else has mentioned the sc4-hsm yet. https://news.ycombinator.com/item?id=14495213

Open source (-ish?) Yubikey alternatives

https://sc4.us/hsm/ $75 | https://news.ycombinator.com/item?id=12053181

https://trezor.io/ $99 | https://news.ycombinator.com/item?id=10795087 (not much on HN)

https://www.floss-shop.de/en/security-privacy/smartcards/13/... €16.40 (OpenPGP Smart Card v2.1; 4096-bit keys)

https://www.fidesmo.com/fidesmo/about/privacy-card/ €15 (NFC only; recommended by the terminated SIGILANCE OpenPGP Smart Card project; 2048-bit keys)

noja8y ago

Fixed link: https://www.floss-shop.de/en/security-privacy/smartcards/13/...

MichaelGG8y ago

It's a bit offputting that the SC4 calls itself a "hardware-secure module" which seems to be a unique term (vs hardware security module).

tptacek8y ago

It's worth considering: almost nobody who uses Yubikeys loves them, but they are by a wide margin the tokens experts recommend most.

dkhenry8y ago

I use my yubikey and I love it. I have it set up to do GPG, SSH, TOTP, and U2F and it works great. It is worlds better then any other Smart Card or second factor out there, and U2F is literally just plug it in and tap it.

rst8y ago

Have you got a writeup of the ssh setup methodology you used?

(I've tried scouting around, but not found anything clear yet. Someone's done native support in ssh, but the patch set is hung up on licensing issues and technical quibbles[1], and some of the PAM-based setups seem to require cut-and-paste of crypto strings on every login.)

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2319

1 more reply

tptacek8y ago

The U2F bit is a dream, yes. The rest of it not so much.

1 more reply

atmosx8y ago

Is there any sort of backup in case it gets destroyed or lost? Can you clone it?

2 more replies

api8y ago

The problem is largely with their docs, or lack thereof. Just figuring out how to use one as a token for ssh is incredibly painful. The docs are very "enterprise," meaning half-done, overly complicated, confusing, scattered, etc.

tptacek8y ago

It is extraordinarily annoying to set up a Y4 for SSH. We use gpg-agent in ssh-agent compat mode.

1 more reply

drdaeman8y ago

There was a series of changes, e.g. regarding platform keys, software source availability etc etc. I think there were some "I don't endorse this anymore" posts, although I don't really remember the details.

tptacek8y ago

I've read "I don't endorse this" from open source advocates, but none from crypto engineers.

cafogleman8y ago

I recommend the OnlyKey: https://www.amazon.com/OnlyKey-Color-Password-Manager-Obsole...

The device uses strong encryption (where legal), and goes beyond U2F to include password management, certificate storage, OTP/Google Auth, and plausible deniability. The hardware is teensy-based, and the firmware is open source. The devs have released fairly regular updates, and even encourage hacking on it to meet custom needs.

ams61108y ago

Given Amazon's problems with counterfeit items, I'm not sure I'd buy something like that from them.

funkaster8y ago

Thanks! I didn't know about the OnlyKey, being a Teensy fan and looking for a yubikey alternative, this looks really good. I already ordered one :)

prohor8y ago

I love the feature they keep passwords in fact on the device itself, not as a key to enable password manager. I was looking for something like that. If only they offered strong encryption for Europe!

voidz8y ago

Does not ship to the Netherlands... Meh!

cafogleman8y ago

They have an international version that does not ship with encryption of the data stored on the device, to deal with the various laws around encryption in other countries. However, there's no hardware difference, and since it's all open-source, there's nothing stopping you from loading the "US" firmware on the "International" version.

More info at their site: https://crp.to/

2 more replies

j_s8y ago

You can buy the international edition with PayPal and re-flash it.

https://crp.to/p/

I am interested to find out more info on the tamper-resistance of the hardware.

wslh8y ago

Trezor? https://blog.trezor.io/secure-two-factor-authentication-with...

It is also hackable: https://doc.satoshilabs.com/trezor-tech/resources.html

anonova8y ago

Another hardware wallet that supports FIDO/U2F is the Ledger Nano S: https://www.ledgerwallet.com/products/ledger-nano-s

The downside of this and the Trezor is that you need a cable to connect it to a device.

captainmuon8y ago

While we're at it, is there one that:

- Lets me store certificates and PGP keys

- Has two factor authentication (U2F)

- Has open hard and software (source-available)

Basically, a USB pen drive that allows U2F, and is can be made read only (either by a switch or only writable over a special interface). I don't really need tamper-resistance, pre-generated keys, smart cards or any other advanced features.

epistasis8y ago

The difficulty with PGP keys, is that the most common implementation, GPG, wants complete control of the device and does not let it be shared so that other interfaces, like PKCS# can be used. So if you want something for both GPG and other purposes, it really needs to present as two separate devices, or you need to go hacking a branch of GPG. When I looked into doing this, it seemed that upstream would not be interested in interoperation with other smart card standards, so it may not get accepted into upstream.

At least that was my experience. If somedbody can correct me, I'd be incredibly grateful.

roman_zeyde8y ago

I can suggest using TREZOR and Ledger Nano S hardware devices for common GnuPG operations, e.g. signatures and decryption.

Please take a look at https://github.com/romanz/trezor-agent/blob/master/README-GP... for more details.

Disclosure: I am the main developer of this project.

captainmuon8y ago

Huh, interesting. I didn't even know GPG could handle devices as such. I was just looking for a device that holds my key files (like for email, ssh, ...). Would of course be great if you could hand the device some plaintext and it would encrypt it without the key leaving it, but I didn't even think about that to be honest. But it makes sense :-).

Nexxxeh8y ago

Boot time and physical size might prove to make it unwieldy, but could you use a Pi Zero in a gadget mode with OTG?

You can have it emulate USB HID, so presumably U2F would be workable, and it'll do USB Mass Storage too.

Open hardware and software.

drdaeman8y ago

Unless you install some TPM module, RPi itself has no tamper-resistant storage and has DFU (so, basically plug it into a wrong device and it'll be able to run arbitrary code, pulling all secrets).

An FST-01 is a somewhat better choice, but Gnuk doesn't implement U2F. If someone has enough time and knowledge I don't see why it won't be possible to add it, though.

1 more reply

dsl8y ago

NitroKey (https://www.nitrokey.com/) is the non-crappy version of YubiKey.

dchest8y ago

I have two of their U2F and if the OP's problem is sales and support, I'm not really sure Nitrokey are without issues as well:

1) Ordered 2, received 1. Thankfully, support quickly sent the second one once I wrote to them.

2) Now they only work when I plug something else to another port to my Mac (no such problem with Yubikey). No reply since April 29: https://support.nitrokey.com/t/nitrokey-u2f-issues-in-macos-...

Edit: I now noticed they have a different U2F version — the previous one was a card that you fold to make it into a USB dongle.

jans238y ago

Feedback from Nitrokey (I'm working with them):

1) We are changing our warehouse process, adding a technical QA step, so that such mistakes won't happen anymore. Sorry for the trouble.

2) As you noticed, the former U2F is going to be replaced by a new FIDO U2F device which contains a full USB plug for better reliability, is more durable and has a touch button.

1 more reply

tmikaeld8y ago

+ It is (fully) open source

- Doesn't support U2F (yet)

- Supports only one password manager [1]

- Recommends using their own password manager (That has a limit of 16 passwords)

[1] https://www.nitrokey.com/documentation/applications#a:passwo...

travisby8y ago

Unfortunately it's not _fully_ open source. They don't say it anywhere on their webpage, but they use an [OpenPGP Smart Card](https://www.g10code.com/p-card.html) internally, where some of the implementation by ZeitControl isn't open source. g10 has a reference implementation that is fully open source, but there's some additional (timing?) attacks that Zeitcontrol has implemented and cannot release.

Note the NitroKey start is a gnuk implementation and is fully open source. The tamper-resistant models are using the BasicCard with Zeitcontrol software.

kps8y ago

According to that page, the only variant that does U2F does nothing but U2F.

noja8y ago

yeah what is with that? I want all the boxes ticked!

tokenizerrr8y ago

What is non-crappy about it compared to the YubiKey?

graystevens8y ago

Here are a list that someone has collated - http://www.dongleauth.info/dongles/

The alternative to Yubikey that I am aware of is NitroKey, but can't say I am aware of how they match up, feature for feature

lisper8y ago

https://sc4.us/hsm

It's fully open-source, but the only standard application currently supported is U2F.

Disclosure: this is my product.

chaz68y ago

FYI your website is blocked by my work proxy:-

Access Denied (content_filter_denied)

Your request was denied because of its content categorization: "Placeholders"

lisper8y ago

Very sorry about that, but I have no idea what I can do about it. The page is not a placeholder. It's a very generic Bootstrap page with real content.

debatem18y ago

I've given up on yubikey at this point. I love the form factor, but it was easier in the end to build a different second factor infrastructure than it was to deal with the company.

I've been toying with the idea of building an open source replacement and fabbing it with a shuttle service but ultimately the cost is really too high to justify.

2bluesc8y ago

What was you issue with support?

I've had 2 Yubikeys replaced at their cost after published security exploits highlighted shortcomings. Also haven't had one fail on me yet. Would be curious to learn what your experience was.

eekthecatOP8y ago

They are unresponsive for really simple questions (email/Twitter). Their local reseller is not interested in non-business sales.

thehigherlife8y ago

What are you hoping to do with yubikey / what was your question?

rbjorklin8y ago

The DIY open source alternative: https://u2fzero.com/

AdmiralAsshat8y ago

Is...that...safe?

I'm all for the a DIY solution, but considering how much of a pickle I'd be in if all of my 2FA tokens were inaccessible, wouldn't the average person want some kind of case or shielding around the exposed board?

Give me an enclosure like Samsung's metal flash drives[0], and then I'd be sold.

[0]https://www.amazon.com/Samsung-METAL-Flash-MUF-32BA-AM/dp/B0...

rbjorklin8y ago

The Github page has this to say: "The token should be durable enough to survive on a key chain for years, even after going through the wash." [0] I'd guess covering it all with hot glue would provide sufficient protection.

[0] https://github.com/conorpp/u2f-zero/

1 more reply

cmurf8y ago

Those Samsung flash drives are nice, I have several. ~22MB/s write, and ~130MB/s read.

chipz8y ago

Slightly out of topic, is it possible to create one with similar function to yubikey with USB flash drive?

chx8y ago

For me, the ideal solution would be a cross platform password manager software which stores your encrypted vault ... somewhere -- I hate the "cloud" word but let's use it -- and then has a small display which the password manager on your phone can read and decrypt the vault with it. It's just a few hundred (thousand at most) bits that you need to carry across, not a big deal. For desktop / laptop / charging, it needs to be USB pluggable. Physical form factor approximately like https://www.adafruit.com/product/2690 this or http://www.ebay.com/itm/Mini-4GB-LCD-Screen-Display-MP3-Musi... this.

The problem currently is a) most sites want passwords b) I do not want to mess with cables c) NFC is not ubiquitous.

erik9988y ago

Not exactly Yubikey but USB Armory has some close features:

https://www.crowdsupply.com/inverse-path/usb-armory

The following example security application ideas illustrate the flexibility of the USB Armory concept:

    mass storage device with advanced features such as automatic encryption, virus scanning, host authentication and data self-destruct
    OpenSSH client and agent for untrusted hosts (e.g Internet kiosks)
    router for end-to-end VPN tunnelling
    Tor bridge [see this, for example]
    password manager with integrated web server
    electronic wallet [the Electrum Bitcoin wallet works out of the box on the USB Armory. It has been tested with X11 forwarding from Linux as well as Windows hosts.]
    authentication token
    portable penetration testing platform
    low level USB security testing

lazylester8y ago

I too had poor experience with support and also weak documentation, but I pushed through it and I'm very happy with the product now that it's integrated with my app. They seem to practically 'own' the space and I have some confidence in the longevity of the product.

scott008y ago

The Feitian ePass: https://www.amazon.com/Feitian-ePass-NFC-FIDO-Security/dp/B0...

Can't vouch for it (either product or support), but it exists.

sirsuki8y ago

http://www.sqrl.pl/ https://www.grc.com/sqrl/sqrl.htm

weinzierl8y ago

Nitrokey (formerly CryptoStick)

https://www.nitrokey.com

AFAIK they are used at Mozilla. The Firmware is Open Source. Downside is that not all their dongles support U2F.

drdaeman8y ago

Actually, none does: https://www.nitrokey.com/#comparison

The only dongle to support U2F is currently only available for pre-order, with ETA in autumn 2017.

kdmoyers8y ago

There's also this thing https://www.protectimus.com/protectimus-slim-mini A little different because it does not plug in, but very convenient. It seems like the usb key solutions are likely to get left plugged into the port, and so get stolen along with the laptop. The protectimus idea is to keep the key on you at all times.

markgamache18y ago

Sounds like an opportunity for someone to make consulting money. I have found their docs lacking, but never tried support. Once I muddled through and figured out what I needed, I have been very happy.

That said, I have looked for alternatives and found none.

I am most disappointed in the mediocre coverage of their RDP drivers. I need to use all the features over RDP. Some work and some don't.

bockafer8y ago

Perhaps?

* Do not allow smart card redirection Group Policy object

makmanalp8y ago

Can some folks also speak to the audit consensus on some of these? It seems with many of the newer / open source solutions, few of the end products actually got audited by a competent external security firm / researcher, right?

prohor8y ago

I just wonder - if the same key is used for enabling password manager and 2FA ... is it still 2FA? I mean, having the token you get both access to password and second factor to a service.

cmurf8y ago

I'm annoyed that Lastpass still doesn't support U2F, and I don't really understand the delay at this point.

eekthecatOP8y ago

Their official response is "because not all browsers support it".

It could be a valid business decision (I.e. uneven browser support will confuse our users and increase costs) but I think they are just using that as a delay tactic.

jvagner8y ago

Out of curiosity... is Google Authenticator dead? The iOS app hasn't been updated in quite a while (Feb 22, 2016).

Navarr8y ago

Does it need an update?

rthille8y ago

I'd love to be able to select the background color of entries and edit the text at the top of the entry, rather than just the bottom.

1 more reply

bockafer8y ago

I've had good experiences with Yubikeys thus far. I still have two of the Symantec VIP tokens from years ago that I've never had issues with. I recently bought a Neo to test out NFC (NFC support on the HTC 10 seems deplorable for smart card reading btw). I also purchased a few 4c tokens and so far they've worked great although I haven't been using them for very long.

The gotchas I've encountered while using them on OSX:

  - The pins for PIV and OpenPGP are separate as these are separate modules on the card.
  - You can't use the PIV or NEO GUI managers and gpg at the same time. You might have to unplug and plug the token
    back in when switching back and forth between GUI/cmdline Yubico tools and gpg.
  - Forgetting to change my environment to use gpg-agent instead of ssh-agent.
  - Typing in my local password instead of the PIV pin when logging into OSX while I have a token with PIV enabled
    plugged in.

The "setup" instructions that are referenced in the packaging and on parts of the site are for basic use of OTP. Real documentation is here: https://www.yubico.com/support/knowledge-base/categories/gui...

For people asking about backing up material on OpenPGP modules: these are write only. Generate your material locally with gpg instead of generating them on the smart card itself and use the keytocard command to copy the keys to the card. You can backup your keyring prior to moving keys and restore it before copying keys to each card or ctrl c out of gpg without saving the keyring references for the material that was moved to the smart card.

I used bits and pieces from a few guides to get the setup I wanted as this was my first experience with smart cards and advanced use of pgp:

https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubike...

https://rnorth.org/gpg-and-ssh-with-yubikey-for-mac

http://suva.sh/posts/gpg-ssh-smartcard-yubikey-keybase/

https://www.jfry.me/articles/2015/gpg-smartcard/

https://spin.atomicobject.com/2013/11/24/secure-gpg-keys-gui...

https://alexcabal.com/creating-the-perfect-gpg-keypair/

Overview of my process (on an air gapped machine):

  - Configure gpg.conf.
  - Generate master, subkey, and revocation material on an encrypted USB drive for offline backup of materia
    along with revocation certificates.
  - Backup original .gnupg directory to another folder on the encrypted USB drive. 
  - Copy .gnupg directory to second encrypted USB drive for offsite backup.
  - For each smart card I wanted the same material on:
  -- Change default user and admin pins.
  -- keytocard subkeys for (S)ign, (E)ncrypt, (A)uthenticate (without saving keyring).
  -- Require local touch for all material ( Yubico specific: https://developers.yubico.com/PGP/Card_edit.html ).
  -- move on to next card.
  -- save keyring after running keytocard on the last card so the subkey material no longer exists in the local keyring, only
     references to it (this might not be necessary, I need to test).
  - Generate a copy of the keyring without master key to use on daily machine(s). Might also only need to have the master 
    material minus the key in the keyring as noted above. I haven't tested how 
  - Copy new keyring to another USB drive for transferring to daily machine(s).
  - Configure gpg-agent.conf and gpg.conf on daily machine.

Resetting the applet if you messed up or want to start fresh:

https://developers.yubico.com/ykneo-openpgp/ResetApplet.html

https://www.yubico.com/support/knowledge-base/categories/art...

1 more reply

user59944618y ago

SecurID has been the gold standard for more than a decade.

Not to dismiss YubiKey but companies that can afford 2 factor and take security seriously already have SecurID for a long time.

pgeorgi8y ago

SecurID is just an expensive TOTP implementation (although a very established one, as you noted)

That "gold standard" required reissuing 40 millions of devices in 2011 due to a single server breach. Lockheed-Martin was apparently really, really happy about it, too.

If that's your desired level of security, just use any TOTP authenticator app on your smartphone.

user59944618y ago

SecurID also does private key, certificate authentication and much more. The TOTP is just one of many options.

A lot of mails going to the post office. That's one of the good thing about this hardware tokens, you can decommission and replace them easily.

What's expensive it to redo all your applications and systems to have 2 factor authentication.

zurn8y ago

Smartphones are insecure unless you can control all your users have new Apple phones.

The problem with many affordable TOTP tokens is clock drift. Are RSA's tokens better with that?

1 more reply

j / k navigate · click thread line to collapse

86 comments

j_s8y ago

This came up last week on the OpenPGP discussion; here's a re-post -- no one else has mentioned the sc4-hsm yet. https://news.ycombinator.com/item?id=14495213

Open source (-ish?) Yubikey alternatives

https://sc4.us/hsm/ $75 | https://news.ycombinator.com/item?id=12053181

https://trezor.io/ $99 | https://news.ycombinator.com/item?id=10795087 (not much on HN)

https://www.floss-shop.de/en/security-privacy/smartcards/13/... €16.40 (OpenPGP Smart Card v2.1; 4096-bit keys)

https://www.fidesmo.com/fidesmo/about/privacy-card/ €15 (NFC only; recommended by the terminated SIGILANCE OpenPGP Smart Card project; 2048-bit keys)

noja8y ago

Fixed link: https://www.floss-shop.de/en/security-privacy/smartcards/13/...

MichaelGG8y ago

It's a bit offputting that the SC4 calls itself a "hardware-secure module" which seems to be a unique term (vs hardware security module).

tptacek8y ago

It's worth considering: almost nobody who uses Yubikeys loves them, but they are by a wide margin the tokens experts recommend most.

dkhenry8y ago

rst8y ago

Have you got a writeup of the ssh setup methodology you used?

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2319

1 more reply

tptacek8y ago

The U2F bit is a dream, yes. The rest of it not so much.

1 more reply

atmosx8y ago

Is there any sort of backup in case it gets destroyed or lost? Can you clone it?

2 more replies

api8y ago

tptacek8y ago

It is extraordinarily annoying to set up a Y4 for SSH. We use gpg-agent in ssh-agent compat mode.

1 more reply

drdaeman8y ago

tptacek8y ago

I've read "I don't endorse this" from open source advocates, but none from crypto engineers.

cafogleman8y ago

I recommend the OnlyKey: https://www.amazon.com/OnlyKey-Color-Password-Manager-Obsole...

ams61108y ago

Given Amazon's problems with counterfeit items, I'm not sure I'd buy something like that from them.

funkaster8y ago

Thanks! I didn't know about the OnlyKey, being a Teensy fan and looking for a yubikey alternative, this looks really good. I already ordered one :)

prohor8y ago

I love the feature they keep passwords in fact on the device itself, not as a key to enable password manager. I was looking for something like that. If only they offered strong encryption for Europe!

voidz8y ago

Does not ship to the Netherlands... Meh!

cafogleman8y ago

More info at their site: https://crp.to/

2 more replies

j_s8y ago

You can buy the international edition with PayPal and re-flash it.

https://crp.to/p/

I am interested to find out more info on the tamper-resistance of the hardware.

wslh8y ago

Trezor? https://blog.trezor.io/secure-two-factor-authentication-with...

It is also hackable: https://doc.satoshilabs.com/trezor-tech/resources.html

anonova8y ago

Another hardware wallet that supports FIDO/U2F is the Ledger Nano S: https://www.ledgerwallet.com/products/ledger-nano-s

The downside of this and the Trezor is that you need a cable to connect it to a device.

captainmuon8y ago

While we're at it, is there one that:

- Lets me store certificates and PGP keys

- Has two factor authentication (U2F)

- Has open hard and software (source-available)

epistasis8y ago

At least that was my experience. If somedbody can correct me, I'd be incredibly grateful.

roman_zeyde8y ago

I can suggest using TREZOR and Ledger Nano S hardware devices for common GnuPG operations, e.g. signatures and decryption.

Please take a look at https://github.com/romanz/trezor-agent/blob/master/README-GP... for more details.

Disclosure: I am the main developer of this project.

captainmuon8y ago

Nexxxeh8y ago

Boot time and physical size might prove to make it unwieldy, but could you use a Pi Zero in a gadget mode with OTG?

You can have it emulate USB HID, so presumably U2F would be workable, and it'll do USB Mass Storage too.

Open hardware and software.

drdaeman8y ago

Unless you install some TPM module, RPi itself has no tamper-resistant storage and has DFU (so, basically plug it into a wrong device and it'll be able to run arbitrary code, pulling all secrets).

An FST-01 is a somewhat better choice, but Gnuk doesn't implement U2F. If someone has enough time and knowledge I don't see why it won't be possible to add it, though.

1 more reply

dsl8y ago

NitroKey (https://www.nitrokey.com/) is the non-crappy version of YubiKey.

dchest8y ago

I have two of their U2F and if the OP's problem is sales and support, I'm not really sure Nitrokey are without issues as well:

1) Ordered 2, received 1. Thankfully, support quickly sent the second one once I wrote to them.

2) Now they only work when I plug something else to another port to my Mac (no such problem with Yubikey). No reply since April 29: https://support.nitrokey.com/t/nitrokey-u2f-issues-in-macos-...

Edit: I now noticed they have a different U2F version — the previous one was a card that you fold to make it into a USB dongle.

jans238y ago

Feedback from Nitrokey (I'm working with them):

1) We are changing our warehouse process, adding a technical QA step, so that such mistakes won't happen anymore. Sorry for the trouble.

2) As you noticed, the former U2F is going to be replaced by a new FIDO U2F device which contains a full USB plug for better reliability, is more durable and has a touch button.

1 more reply

tmikaeld8y ago

+ It is (fully) open source

- Doesn't support U2F (yet)

- Supports only one password manager [1]

- Recommends using their own password manager (That has a limit of 16 passwords)

[1] https://www.nitrokey.com/documentation/applications#a:passwo...

travisby8y ago

Note the NitroKey start is a gnuk implementation and is fully open source. The tamper-resistant models are using the BasicCard with Zeitcontrol software.

kps8y ago

According to that page, the only variant that does U2F does nothing but U2F.

noja8y ago

yeah what is with that? I want all the boxes ticked!

tokenizerrr8y ago

What is non-crappy about it compared to the YubiKey?

graystevens8y ago

Here are a list that someone has collated - http://www.dongleauth.info/dongles/

The alternative to Yubikey that I am aware of is NitroKey, but can't say I am aware of how they match up, feature for feature

lisper8y ago

https://sc4.us/hsm

It's fully open-source, but the only standard application currently supported is U2F.

Disclosure: this is my product.

chaz68y ago

FYI your website is blocked by my work proxy:-

Access Denied (content_filter_denied)

Your request was denied because of its content categorization: "Placeholders"

lisper8y ago

Very sorry about that, but I have no idea what I can do about it. The page is not a placeholder. It's a very generic Bootstrap page with real content.

debatem18y ago

I've given up on yubikey at this point. I love the form factor, but it was easier in the end to build a different second factor infrastructure than it was to deal with the company.

I've been toying with the idea of building an open source replacement and fabbing it with a shuttle service but ultimately the cost is really too high to justify.

2bluesc8y ago

What was you issue with support?

I've had 2 Yubikeys replaced at their cost after published security exploits highlighted shortcomings. Also haven't had one fail on me yet. Would be curious to learn what your experience was.

eekthecatOP8y ago

They are unresponsive for really simple questions (email/Twitter). Their local reseller is not interested in non-business sales.

thehigherlife8y ago

What are you hoping to do with yubikey / what was your question?

rbjorklin8y ago

The DIY open source alternative: https://u2fzero.com/

AdmiralAsshat8y ago

Is...that...safe?

Give me an enclosure like Samsung's metal flash drives[0], and then I'd be sold.

[0]https://www.amazon.com/Samsung-METAL-Flash-MUF-32BA-AM/dp/B0...

rbjorklin8y ago

[0] https://github.com/conorpp/u2f-zero/

1 more reply

cmurf8y ago

Those Samsung flash drives are nice, I have several. ~22MB/s write, and ~130MB/s read.

chipz8y ago

Slightly out of topic, is it possible to create one with similar function to yubikey with USB flash drive?

chx8y ago

The problem currently is a) most sites want passwords b) I do not want to mess with cables c) NFC is not ubiquitous.

erik9988y ago

Not exactly Yubikey but USB Armory has some close features:

https://www.crowdsupply.com/inverse-path/usb-armory

The following example security application ideas illustrate the flexibility of the USB Armory concept:

    mass storage device with advanced features such as automatic encryption, virus scanning, host authentication and data self-destruct
    OpenSSH client and agent for untrusted hosts (e.g Internet kiosks)
    router for end-to-end VPN tunnelling
    Tor bridge [see this, for example]
    password manager with integrated web server
    electronic wallet [the Electrum Bitcoin wallet works out of the box on the USB Armory. It has been tested with X11 forwarding from Linux as well as Windows hosts.]
    authentication token
    portable penetration testing platform
    low level USB security testing

lazylester8y ago

scott008y ago

The Feitian ePass: https://www.amazon.com/Feitian-ePass-NFC-FIDO-Security/dp/B0...

Can't vouch for it (either product or support), but it exists.

sirsuki8y ago

http://www.sqrl.pl/ https://www.grc.com/sqrl/sqrl.htm

weinzierl8y ago

Nitrokey (formerly CryptoStick)

https://www.nitrokey.com

AFAIK they are used at Mozilla. The Firmware is Open Source. Downside is that not all their dongles support U2F.

drdaeman8y ago

Actually, none does: https://www.nitrokey.com/#comparison

The only dongle to support U2F is currently only available for pre-order, with ETA in autumn 2017.

kdmoyers8y ago

markgamache18y ago

That said, I have looked for alternatives and found none.

I am most disappointed in the mediocre coverage of their RDP drivers. I need to use all the features over RDP. Some work and some don't.

bockafer8y ago

Perhaps?

* Do not allow smart card redirection Group Policy object

makmanalp8y ago

prohor8y ago

I just wonder - if the same key is used for enabling password manager and 2FA ... is it still 2FA? I mean, having the token you get both access to password and second factor to a service.

cmurf8y ago

I'm annoyed that Lastpass still doesn't support U2F, and I don't really understand the delay at this point.

eekthecatOP8y ago

Their official response is "because not all browsers support it".

It could be a valid business decision (I.e. uneven browser support will confuse our users and increase costs) but I think they are just using that as a delay tactic.

jvagner8y ago

Out of curiosity... is Google Authenticator dead? The iOS app hasn't been updated in quite a while (Feb 22, 2016).

Navarr8y ago

Does it need an update?

rthille8y ago

I'd love to be able to select the background color of entries and edit the text at the top of the entry, rather than just the bottom.

1 more reply

bockafer8y ago

The gotchas I've encountered while using them on OSX:

  - The pins for PIV and OpenPGP are separate as these are separate modules on the card.
  - You can't use the PIV or NEO GUI managers and gpg at the same time. You might have to unplug and plug the token
    back in when switching back and forth between GUI/cmdline Yubico tools and gpg.
  - Forgetting to change my environment to use gpg-agent instead of ssh-agent.
  - Typing in my local password instead of the PIV pin when logging into OSX while I have a token with PIV enabled
    plugged in.

I used bits and pieces from a few guides to get the setup I wanted as this was my first experience with smart cards and advanced use of pgp:

https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubike...

https://rnorth.org/gpg-and-ssh-with-yubikey-for-mac

http://suva.sh/posts/gpg-ssh-smartcard-yubikey-keybase/

https://www.jfry.me/articles/2015/gpg-smartcard/

https://spin.atomicobject.com/2013/11/24/secure-gpg-keys-gui...

https://alexcabal.com/creating-the-perfect-gpg-keypair/

Overview of my process (on an air gapped machine):

  - Configure gpg.conf.
  - Generate master, subkey, and revocation material on an encrypted USB drive for offline backup of materia
    along with revocation certificates.
  - Backup original .gnupg directory to another folder on the encrypted USB drive. 
  - Copy .gnupg directory to second encrypted USB drive for offsite backup.
  - For each smart card I wanted the same material on:
  -- Change default user and admin pins.
  -- keytocard subkeys for (S)ign, (E)ncrypt, (A)uthenticate (without saving keyring).
  -- Require local touch for all material ( Yubico specific: https://developers.yubico.com/PGP/Card_edit.html ).
  -- move on to next card.
  -- save keyring after running keytocard on the last card so the subkey material no longer exists in the local keyring, only
     references to it (this might not be necessary, I need to test).
  - Generate a copy of the keyring without master key to use on daily machine(s). Might also only need to have the master 
    material minus the key in the keyring as noted above. I haven't tested how 
  - Copy new keyring to another USB drive for transferring to daily machine(s).
  - Configure gpg-agent.conf and gpg.conf on daily machine.

Resetting the applet if you messed up or want to start fresh:

https://developers.yubico.com/ykneo-openpgp/ResetApplet.html

https://www.yubico.com/support/knowledge-base/categories/art...

1 more reply

user59944618y ago

SecurID has been the gold standard for more than a decade.

Not to dismiss YubiKey but companies that can afford 2 factor and take security seriously already have SecurID for a long time.

pgeorgi8y ago

SecurID is just an expensive TOTP implementation (although a very established one, as you noted)

That "gold standard" required reissuing 40 millions of devices in 2011 due to a single server breach. Lockheed-Martin was apparently really, really happy about it, too.

If that's your desired level of security, just use any TOTP authenticator app on your smartphone.

user59944618y ago

SecurID also does private key, certificate authentication and much more. The TOTP is just one of many options.

A lot of mails going to the post office. That's one of the good thing about this hardware tokens, you can decommission and replace them easily.

What's expensive it to redo all your applications and systems to have 2 factor authentication.

zurn8y ago

Smartphones are insecure unless you can control all your users have new Apple phones.

The problem with many affordable TOTP tokens is clock drift. Are RSA's tokens better with that?

1 more reply

j / k navigate · click thread line to collapse