Hardware Security Keys. Scam or useful technology?
>>108111098
>bro trust us the firmware is secure
>bro trust us the hardware is secure
>bro trust us there totally is no way to extract root keys despite the fact that it has known exploitable flaws
>no we won't patch them
>no we can't patch them
>no we don't consider this a flaw
>refunds? rebates? get fucked and buy our new version lol
Guys is this tech a scam?
>>108111137
what's the alternative?
Yubicos being so famously unreliable that they even suggest you buy multiple and use them as backups will never not be funny to me.
>>108111156
Not being fucking retarded.
Security keys are a shitty meme entirely irrelevant outside of security theatre checklists made by HR tier retards and an HSM only has any (convenience) value if you're a company with dozens of cert signing requests per second.
If you really want tamper resistance buy an off the shelf PC, literally anything with an x86 core, and cast it into non-conductive epoxy. That offers more actual tamper resistance than $100k+ HSMs.
>>108111186
>inb4 but muh M out of N scheme
It's so sad it's impossible to replicate this without spending seven figures on HSMs, cold backups, airgapped nodes and spares.
>>108111156
passphrase protected ssh/gpg keys on a flash drive
i literally do this and don't need to do anything else
if you want convenience you could also use the secure element on your phone to unlock your gpg agent on your computer via fingerprint or whatever
>>108111098
they and their big brother smart cards have their uses but if you're not a big organization you have no business doing more than playing with them
>>108111183
if you're a big organization you'll have some out of band mechanism to deal with lost/stolen/damaged cards, but if you're an individual who stupidly put the only copy of your disk encryption key on there you are fucked
>>108111098
Nowadays, any smartphone can do the same thing and they're more convenient to use and harder to forget.
These things are the most expensive few kilobytes of storage since Memory Cards.
>>108111183
When I used to work at a Google DC IDK how many people had dead keys.
It was worse for contractors because we were only allowed one enrolled key and had to present to some Indian on Meet to set up our accounts again if it died.
I still have like 3 of them but kinda afraid to use them as they aren't reliable clearly.
>>108111098
I have to use one to log in to government services. Their app is fucking garbage and the only other way is a FIDO2 key
>>108111098
Yubikeys are useful as a 2FA device if you're somewhere that an SMS/Email/Etc 2FA code won't work.
>>108111156
TOTP. It's good enough.
>>108111098
Good for my digital id.