What do we think of them?
>>108947904
YubiKeys have been proven to be backdoored.

>>108947904
love em
kind of a pain in the ass to understand how you set shit up with em tho

>>108947904
Cool tech, but how are they secure? They can just go into your house, turn on your PC and have everything decrypted. I think you should memorize your super secure keys.

>>108947904
They're shit. I just want to use a username and password, not be forced to buy some easily lost token that just makes life harder.

>>108948475
Not everyone has a threat model that includes their homes being raided.

>>108948475
It's for when you're in Thailand balls deep in a 150cm tall teenage hooker and the other one that just rimmed you for 15 minutes steals your laptop.

>>108948683
Won't those boys know to also take the blue thingy off the keychain?

>>108948683
Just came to the thought of this. Don't make me hard anon.

>>108948475
the key itself is the 2FA and you tapping it is a physical confirmation so it can't be stolen or forced via the interwebs (in theory)
unlike TOTP where it's "lol just copy these generated numbers on your phone (probably infected and pozzed) to random web textboxes you have to verify by yourself are secure", it's more of a controlled check with crypto going back and forth, you can't exfil credentials from them (IN THEORY).
they're hella convenient for corp environments (esp if you have picrel) but they're comically expensive otherwise.
I know one person who uses it for storing personal SSH keys, which is very practical (or so they claim).

>>108948703
>boys
We know you're a fag, you don't need to advertise that fact.
>>108948705
Tug one out, anon. You deserve it.

>>108948475
also you can set a PIN/password for some stuff on the key I think
but honestly if you get your laptop or phone stolen it's GG no matter the security model lol

>>108947904
Do they "just werk" or do you need to run some application in the background 24/7?

>>108949099
I can confirm them "just working" on Linux in a browser and on iOS. No mystery meat background services or sign ups.

The sysadmin at work got mad at me for leaving it plugged in after going home for the night so I 3D printed a little container that attaches to the back of my keyboard to store it at the end of the day where he can't see it. Take that Vlad, you Lithuanian butt pirate!

>>108947917
"Oh no, now the government can log into my GMail"
said no one who owns a YubiKey ever.

>>108949099
>>108949176
Chrome supports them natively so it just works with almost everything. There is a manager application, but you run it from the command line and nobody ever uses it; it actually is more about locking down certain kinds of authentication to have a minimum level of security, but even the default minimums are very high. The only real issue is that if you use them you need to buy at least 2, or 3 if you have a gf and you share a backup.

>>108951021
>>108951051
Final thing I'll say about them is that they basically come down to 3 kinds:
The ones with NFC, or the other big ones without NFC but you manually plug it in every time because you're too poor for NFC: These ones you are supposed to keep on your PERSON like as a dogtag or on your keyring. These ones can be used with phones, particularly the NFC/USB-C ones.
The mini ones: these just plug into your PC and stay there and so are better for PCs that are physically safe to begin with, i.e. desktops, around the back of a desktop monitor, into a keyboard USB port, etc. If you plug it into a laptop you WILL leave it there and it WILL be stolen with the laptop. Because of this its security now relies on the thief not being able to log in to your OS account, because you'd be mad to use these for login (as it's always with the computer, so you need a second form of auth). I wouldn't use the NFC ones for login either, but at least if it's on your person it's a little better than a nano that's always with the device. But very convenient if you can secure the room the device is in or how you touch the key (hidden somehow).
The BIO keys: These are actually some of the best keys for being paired with a device instead of a mini/nano, because if the device gets stolen they also need your fingerprint. For this reason they can also be used for login because you need some kind of authentication, not just being physically present like the other keys. But they don't do FIDO2 which is needed for a very small number of applications; most big services offer FIDO and FIDO2 and there's really no security difference between them. People sleep on these but they're the best one for most civilian use cases.

>>108951281
the nub variant is just yubico coming to terms on how people use them. the key will most likely be stolen alongside because people are retarded (>>108949211), so the protection they provide is actually the secure enclave you have to physically activate. that means your mouth breathing colleague can open all the attachments and their credentials ought to be somewhat protected from being used off site. now, you're not retarded and might pocket the dongle and have some form of extra security.

>>108947904
Top tier
>>108947917
That's why we use nitrokeys.
>>108947904
I don't think about them because they defeat my entire opsec, same reason I don't use fingerprints and similar anti-security "features"

>>108951770
>An additional factor would hurt my opsec
What?

>>108947904
I just use it for 2FA so I can log into my country's (Austria) government services because their app is a pile of shit that barely works

>>108951789
an additional factor that adds absolutely nothing security-wise

>>108951806
Who's your threat actor?

>>108951830
jamal, wife.
a third-party device requires its own opsec, it's extra work for no gain in my case, I have no issue typing my passphrases when I unlock my computer AND my servers.
things would be different if I had ways to protect my hardware keys but I currently can't for logistical reasons.

>>108948587
Not being raided, but home robberies can and do happen. And your PC is one of the first things they will bag.
>>108948767
>if you get your laptop or phone stolen its GG no matter the security model lol
Why do you say that?

>>108948761
>they're comically expensive otherwise
How much do they cost for us common folk?

>>108951876
>jamal
Doesn't understand it
>wife
Doesn't understand it either if she's not savvy. Both of these are stumped by you carrying it on you instead of leaving it right beside your devices.
>a third-party device requires its own opsec,
No, you won't need to implement new opsec procedures and if you let your workflow be the same except for adding the step 'Insert USB key and press on it' you'll have improved your opsec without any risk since it's an additional factor.
>it's extra work for no gain in my case,
Wrong, see above
>I have no issue typing my passphrases when I unlock my computer AND my servers.
Jamal doesn't care about your servers
>things would be different if I had ways to protect my hardware keys but I currently can't for logistical reasons.
Just put it on your key chain.

>>108947904
too expensive for how little security they add over literally free TOTP.

>>108949099
they use an open auth standard - no additional software / drivers needed. they mess with my software KVM though, and after I use them I sometimes need to reboot my Ubuntu machine.

>>108947904
Unless I'm being paid to use one I'm not using one. TOTP and MFA auth apps are easy and plenty as is and have way better ways to back your seeds up. Yubikey forces you to buy multiple keys just so you can pray you don't get locked out if you lose one. Not to mention some of their keys have limited uses which is the dumbest shit ever. So yeah unless it's something I'm being paid to use for work I'm not touching it.

if you lose it and someone who knows your email address gets it there's nothing standing between him and all of your data.
passkeys seem to be the better alternative since they're protected behind a pin code on your phone so if you lose it there's another layer of security.

>>108948761
>the key itself is the 2FA and you tapping it is a physical confirmation
depends on how the service implements it. if the service assumes your key does the 2FA and if the key doesn't have any kind of additional authentication, you're in the shit if you ever lose it.

>>108952273
It is TWO FACTOR AUTHENTICATION. You need to first acquire their password. Also, the standard procedure is the moment you notice it missing (which should be soon if it's tied to important things; you'll need to use it and notice it's missing), you deregister it from all your accounts and it's now useless to whomever acquired it. I don't even bother removing it from my keychain when I give it to a mechanic for this reason.

>>108947904
I have 3.
>primary, on my keychain
>backup, stays in my office
>emergency, in my fireproof safe
If an account is registered for 2FA with my keys, they are all registered so I can use any one of them. It is pretty good peace of mind considering all it takes to copy someone's Google Authenticator is like 5 seconds to scan a QR code. Yubikeys are non-duplicable. I bought it the moment I registered for an AWS account and now just use it for everything. They cost $55 each so kind of expensive but good peace of mind.

>>108952335
>You need to first acquire their password.
The whole point of these things is that passwords are inherently insecure, so you start with the assumption someone knows your password. Also, a surprising number of services have """2FA""" that allows you to bypass passkeys and there's no way to change that.

>>108952376
Yes, if someone targets you, knows your password to a service, and manages to steal your yubikey then you are compromised. But to a random attempt to compromise your account it is unbeatable. Point being, if you find a yubikey on the ground, there is no way to associate it to anyone's accounts. You can't plug it in and get a listing of accounts it is tied to.

>>108952440
Pretty sure Discord allows you to login with nothing but a passkey.

>>108952456
don't you need to put a username in first?
>>108952468
p sure you don't. you just open discord.com, tap the key and it lets you in.

>>108952468
username/email is a shit secret anyway. if someone is able to grab your physical key, then chances are they know who you are and thus your email and/or username.

>>108949099
sometimes it's not compatible with the browser I'm using and I gotta switch

>>108947917
The Infineon exploit wasn't state sponsored, it was retard enabled

>>108947904
The yubikey specifically is pretty bloated, too many features and lacks focus. The company itself also long since lost its way with their move away from the hacking community to chase cali tech dollars.
The Chinese keys (feitian) are backdoored ofc.

>>108951990
Sir are you retarded?
If someone breaks into your home and demands your key at gunpoint, that's a raid. If someone robs your house you're not present and neither is the key, because it's with you.

>>108954240
irrelevant. what matters is that whoever happens to "find" your key shouldn't be instantly granted access to whatever the key unlocks.

>>108947904
I don't have to know all details about how it works, the fact that it is made by some American owned Swedish company means that it is insecure and backdoored.

>>108951021
Then why use it?
What the fuck is the usecase of this thing if you are ok with being insecure in the first place?

>>108948587
But everybody who would use a passkey does.
You are a corpo cuck? A competition corpo could hire someone to steal your stuff or snitch it at an expo.
You are a zogbot (in which case you should point a gun at your head and pull the trigger)? A "hostile foreign actor" could steal your stuff.
You are a free man? Zogbots could raid you because you wrote the nigger word on twitter once.

>>108954569
why lock your doors and windows at all, when someone could just steal your key, break the lock, or kick them down?

>>108952475
That's completely retarded. That's not 2FA authentication at all. It's 1FA.
>>108952481
But not your password.

>>108954240
I was generalizing into robberies and just pointing out that it's also useful to include stolen desktop PCs in the threat model.

>>108954671
What argument are you trying to make?
That having a password remembered in your brain is the same thing as having your doors unlocked?
Doesn't make much sense.
>>108954673
The point of it is "Passwordless Login". That is how it is advertised. If you still use a password with it, you defeated that purpose.
If you simply want to map a key to a password, use a password manager. If you want 2FA, then a TOTP can do that.
If you use the Israel-adjacent hardware device to map a key to a password, you are less secure than with a random password manager, because you put another party in between, which you have to fully trust.
Do you trust the company producing YubiKeys? I do not.

>>108954673
>It's 1FA.
The 2nd F could be on the key itself. It's fine if the service lets you disable it for convenience (so you don't have to put secret into key -> use key -> put secret into service), but it shouldn't be the default assumption, because there's no way for the service to know what kind of authentication the key has, if any.
>But not your password.
Perhaps, but they can still be stolen, reused, phished, cracked, etc. The long term goal of passkeys is to phase out passwords altogether due to their inherent weaknesses.

>>108948761
Retard alert. TOTP can run offline on everything. Your stupid key is obviously backdoored before going on the market

>>108954710
Why use encryption at all, if for all you know it could be MITM'd, backdoored, or someone could just beat the shit out of you until you hand over all your secrets? This is basically your logic.
>Doesn't make much sense.
That's because you're either an autist who sees things in black or white / all or nothing terms, or you're arguing in bad faith.
>That having a password remembered in your brain is the same thing as having your doors unlocked?
>A is to B as C is to D
>b-b-but B is not D!
Yeah, fuck off, retard.

>>108947904
The main issue is that you (a private user) need to buy at least two, more likely three, like >>108952359 did. Because if the thing breaks, you may be fucked otherwise. My employer requires me to use one as follows: there is a certificate on it and to access it, I need to enter a PIN. After some failed attempts, the thing locks up. The cert is then used to auth into e.g. Windows. In this scenario, the Yubikey breaking is not a real problem: I'd show up to IT, prove my identity, sign a form, and get a new one.
I have heard the claim that it is possible to duplicate a Yubikey into a pristine one, giving the attacker more attempts to crack the PIN. However, we're probably talking state-level security service at that point and XKCD 538 applies.

>>108954752
A hardware device with a chip on it that stores all of your logins (whether or not I have to give that device a password, or in which form it returns the confirmation, is irrelevant) is insecure, unless you fully trust the producing company AND the government of the country it is located in.
>you aren't 100% secure and invulnerable to backdoors anyway, so why not take the jew cock up your ass even harder!
I don't get that argument

>>108954774
Your employer just wants to stop the adult-daycare visiting Stacy from being completely retarded and using "Password[number of month]" as password.
Corpo security standard is so low that anything is an improvement.
Rather than
>what is secure?
the question is
>how can we stop Stacy from doing something stupid?
>>108947904
>Use it on my personal computer with usb-c, but also my optiplex at work.
Why don't they have a usb-a+c version? Even my flashdrives all have those.

>>108954774
>I have heard the claim that it is possible to duplicate a Yubikey into a pristine one
The Google one (Titan) could be duplicated via Bluetooth! You could deploy a device and it would duplicate every key of anyone walking by.

>>108954790
>insecure, unless you fully trust [...] the government
Thanks for confirming your autistic "all or nothing" reasoning.
>you aren't 100% secure and invulnerable to backdoors anyway, so why not take the jew cock up your ass even harder!
>i dont get that argument
It's literally your own argument, faggot. You're the one claiming there's no utility in hardware passkeys if the government can gain access to your shit anyway.

>>108947904
anyone that trusts any security to a modern device is a retard

>>108954834
I do not trust the creator of Yubi keys.
Do an OpenSource version. Then I may consider it.
>all or nothing
that's not what I am arguing about, what I am saying is that you are LESS secure with a Yubi key than without, because you added ONE MORE entity that you have to completely fully trust, that you would not have otherwise.

>>108948761
yeah this

>>108954833
Not made by yubico
>>108954815
You can never stop Stacy being stupid, you need to design your security policies around retards to ensure they don't possess enough access to be a threat
>>108954852
I used to trust them and now don't

>>108954852
>I do not trust the creator of Yubi keys. Do an OpenSource version. Then I may consider it.
There's plenty of different implementations, pick whatever you're most comfortable with. The Trezor crypto wallet can act as a FIDO2 authenticator, for example. Or if you simply don't trust hardware, use a software passkey manager.
>you added ONE MORE entity that you have to completely fully trust
You do not have to have ultimate trust in your key hardware maker so long as your key isn't the only thing required for someone to have complete access to your shit. "One more entity" in this case is a good thing, because then it serves as an additional layer that someone would have to compromise, rather than a side door that bypasses the main locks.

>>108954774
yeah I'm sticking with longer passwords thanks.

>>108954891
With a Yubikey, the corpo can just invalidate Stacy's certs if she loses it and you know when she lost it, because she won't be able to login and do a PowerPoint presentation without.
It makes sense in a corpo environment where you trust the retarded women, who you hired, even less than you trust the company producing the keys.
But for you personally?
You aren't a corpo handing out credentials to dumb roasties. You don't profit from moving trust to one MORE hardware manufacturer.

>>108954774
>In this scenario, the Yubikey breaking is not a real problem: I'd show up to IT, prove my identity, sign a form, and get a new one.
If we manage to get rid of passwords, account recovery is definitely gonna be the weak point. I can't fathom a world where a service would refuse to do account recovery (you lost *all* your keys? tough shit, everything is gone forever) or make it as thorough and secure a process as the equivalent of you physically walking into the office with your ID and getting a new key issued.

>>108954895
If the last entity in the chain is the YubiKey and you don't have an AND after it, you have to fully trust that key.
Doesn't matter if you have to spin in a circle three times, touch your nose twice and enter a case sensitive 500 word essay to access the Yubikey, that one key is still the ultimate power that, when compromised, knows all your credentials and can access everything.
>but but you could do it different and not rely on a closed hardware device
Yes.

>>108954979
That's a reasonable concern. But it could also be that with the way age restrictions are currently being put in place, government ID may be required to do anything non-trivial on the web. At that point, one would do some sort of song-and-dance to verify said government ID and get the new passkey.
Also, they probably expect that the vast majority of users have at least two devices from the set of phone, tablet, Windows/Mac laptop etc. So if one breaks, you can replace it and use a secondary device to get passkeys on the replacement.

>>108955006
I don't know what else to even tell you, my guy. Having ultimate trust in any single third party is retarded. Thinking you can ever fully trust the government, or that such trust is required to have any security, is doubly retarded.
>that one key is still the ultimate power that, when compromised, knows all your credentials and can access everything
I still think you don't fully understand how these things actually work. Regardless, there's no point in continuing to have this conversation with you, because it's very clear that to you the argument will always boil down to the fact "you can't ever fully trust any third party ever" and therefore "what's even the point in having security".

>>108955054
There are no passkeys in a world of the Digital Id.
You would login with the Digital Id in the first place, not use it to get a passkey.
If you lose your Digital Id, you go to a government office.
And 2FA isn't a thing anymore. They don't expect you to own multiple devices. They only expect you to own a phone.
You can NOT do banking from a PC without verifying with your phone, but you CAN do banking from your phone without verifying with a PC.
Passkeys aren't 2FA, they are a passwordless login method. Whether or not you have 2FA ADDITIONAL to the passkey is up to the service... but almost none of them do, because nobody would use a Yubikey if he additionally has to enter a code from his phone as well, lol.
The adoption would be atrocious if they would do that.

>>108955083
>I still think you don't fully understand how these things actually work
Sure, let me explain:
>service knows a public key of your yubikey
>it requests a proof that you own said key
>you enter pin/password of that key (optional, if it has it)
>that password goes into the yubikey, which unlocks its private key with it (optional)
>the yubikey signs something with that private key (that never leaves the yubikey) and returns that cert
>send that to the service
>service verifies it against the public key
Note: The password doesn't stop the firmware of the Yubikey itself from raping you. The Yubikey, and the company creating it, has your ultimate trust.
>BUT BUT WHAT IF I ADD SOMETHING ELSE THAT ISN'T AS RETARDED AS A YUBIKEY
Then you do something that 99.999% of Yubikey owners do not do, and you might consider not using a Yubikey in the first place. The Yubikey is also not supposed to be used that way, it is PASSWORDLESS LOGIN. That is how it is advertised. That is what it is made for.
>trusting a single party is retarded
Yes.
And trusting multiple parties is even more retarded.
You have to trust the PC you are using the key on, anyway. If that one is compromised, the key doesn't protect you: "Oh nooo, I can't access the private key, that's on the Yubikey... welp... I guess I will just steal the resulting Auth Cookie or Login Token instead :D".
Add a Yubikey to the mix, now BOTH whoever compromised the PC AND whoever compromised the key can steal shit.
I just need access to ONE of those TWO things to fuck you over.
Without it, I would need access to ONE of ONE thing.
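The challenge/sign/verify exchange laid out in the post above, and the two earlier worries in this thread (the service not knowing whether the key checked a PIN, and a key being duplicated into a pristine one), can be shown end to end in code. The following is an added example written for this thread, not code from Yubico, from any poster, or from a real WebAuthn library. It simulates the two sides with an ECDSA P-256 key in software standing in for the hardware key, so assume the names `Authenticator`, `RelyingParty`, `Register`, `Login` and the hex-encoded `clientData` JSON are this example's own inventions (real WebAuthn uses base64url and CBOR). It goes a little beyond the post's list by showing the three server-side checks that give a defender something to rely on: the rpId hash binds the signature to the site the browser was actually on, the UV flag tells the service whether the key itself verified the user, and the signature counter exposes a cloned authenticator the next time the original is used.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// WebAuthn authenticator-data flag bits: UP = key was touched, UV = key checked a PIN/fingerprint.
const flagUP, flagUV = 0x01, 0x04

// Authenticator stands in for the security key: the private key never leaves it, only signatures do.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32 // increments on every assertion; lets the server spot a cloned key
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// signedMessage is what both sides hash: authData || SHA256(clientData).
func signedMessage(authData, clientData []byte) []byte {
	cd := sha256.Sum256(clientData)
	m := sha256.Sum256(append(append([]byte{}, authData...), cd[:]...))
	return m[:]
}

// Assert answers a challenge: the key binds the signature to the site (rpID), its flags and its counter.
func (a *Authenticator) Assert(rpID string, clientData []byte, userVerified bool) (authData, sig []byte, err error) {
	a.counter++
	flags := byte(flagUP)
	if userVerified { // the key itself checked a PIN or fingerprint before signing
		flags |= flagUV
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData = binary.BigEndian.AppendUint32(append(rpHash[:], flags), a.counter)
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, clientData))
	return authData, sig, err
}

// RelyingParty is the service: it stores only the public key and the last counter it saw.
type RelyingParty struct {
	ID          string
	pub         *ecdsa.PublicKey
	lastCounter uint32
	RequireUV   bool // true when the service insists the key performed its own PIN check
}

func Register(id string, a *Authenticator, requireUV bool) *RelyingParty {
	return &RelyingParty{ID: id, pub: &a.priv.PublicKey, RequireUV: requireUV}
}

// Verify performs the server-side checks of a WebAuthn assertion.
func (rp *RelyingParty) Verify(challenge, clientData, authData, sig []byte) error {
	if len(authData) < 37 || !bytes.Contains(clientData, []byte(hex.EncodeToString(challenge))) {
		return errors.New("malformed assertion or challenge mismatch (replayed?)")
	}
	if want := sha256.Sum256([]byte(rp.ID)); !bytes.Equal(authData[:32], want[:]) {
		return errors.New("rpId hash mismatch (assertion was made for another site)")
	}
	if authData[32]&flagUP == 0 {
		return errors.New("user presence not asserted")
	}
	if rp.RequireUV && authData[32]&flagUV == 0 {
		return errors.New("user verification required but the key did not perform it")
	}
	counter := binary.BigEndian.Uint32(authData[33:37])
	if counter <= rp.lastCounter {
		return errors.New("signature counter did not increase (cloned key?)")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedMessage(authData, clientData), sig) {
		return errors.New("bad signature")
	}
	rp.lastCounter = counter
	return nil
}

// Login runs one full exchange; siteSeenByBrowser is the rpID the browser hands to the key.
func Login(rp *RelyingParty, a *Authenticator, siteSeenByBrowser string, userVerified bool) error {
	challenge := make([]byte, 32) // fresh per login, so a captured assertion cannot be replayed
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	clientData := []byte(fmt.Sprintf(`{"type":"webauthn.get","challenge":"%s","origin":"https://%s"}`, hex.EncodeToString(challenge), siteSeenByBrowser))
	authData, sig, err := a.Assert(siteSeenByBrowser, clientData, userVerified)
	if err != nil {
		return err
	}
	return rp.Verify(challenge, clientData, authData, sig)
}
```

Calling `Login(rp, key, "example.com", true)` after `rp := Register("example.com", key, true)` succeeds; the same call with `userVerified` false is refused because the service asked for UV, a call with `"examp1e.com"` as the site is refused on the rpId hash even though the signature itself is valid, and a copy of the `Authenticator` struct is refused on the counter once the original has been used again. Note what the service never holds: the private key, which is why the post's "you can't exfil credentials from them" holds on the server side regardless of what one thinks of the firmware.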
>>108947917
>the FIPS version
kek
ishiggydiggy

>hardware key
Did I just time travel back to 2003?

>>108947904
>What do we think of them?
I think the opposite of the "general consensus" of /g/
Same with Tor and anything else security related.
If it is secure, glowies are here consensus cracking against it.
If it is not, they're here convincing everyone to use it.

>>108955205
>I just need access to ONE of those TWO things to fuck you over.
>Then you do something that 99.999% of Yubikey owners do not do
"Most people are retards" is no more an argument against the utility of (hardware) passkeys than "government can access it anyway" is. Some services are also retarded and will, for example, allow you to bypass the passkey with a password (making the passkey worse than pointless - another potential liability like you said). There's nothing you can do about it, other than not be a retard, be aware of the pitfalls and don't rely on retarded configurations or blind trust in opaque entities.

>>108947904
I like them.
>>108947917
>reduced the randomness
that's not "backdoored"
They don't have to be perfect to make it waaaaay harder on financially-oriented hackers.
When combined with a good password, obviously they help.
I could understand if you are a criminal of some kind, you would worry about that.

>>108954774
>buy at least two, more likely three
yep

>>108947904
Just use a strong password, captain cuck

>>108956747
>that's not "backdoored"
That's exactly how state actors backdoor cryptography. They introduce a weakness only they'd be aware of.

>>108951990
>your PC is one of the first things they will bag.
My E-ATX rig and hardmounted server rack says otherwise.
If a robber is going through so much effort to BnE your locked server rack and start yoinking individual drives then you are being specifically targeted and should have 24/7 security monitoring or not have the data in the first place.

>>108947904
I would get k e if they were like $20
then I could log into my work pc without touching my phone
I hate typing on touchscreens

>>108957124
t. phonepostnig btw

>>108954710
>The point of it is "Passwordless Login".
I thought the point was 2FA.

>>108956102
>trust us, we only backdoored the FIPS version, we swear all the other versions are not backdoored!

>>108954722
see >>108957189
But I guess I was wrong, and the point is to have a single factor.

>>108956879
>My E-ATX rig and hardmounted server rack
Yeah, you sure are the average computer user, anon.
I guess that's it! We just need to bolt and cement our computers to the ground! Why bother with encryption?

>>108957197
just use rp2040 or whatever if you really feel schizo
there are some open source projects on that
I think you're already beyond the point of 'it's so over' if you are worrying about if yubikey is glowing or not

>>108954521
You can set a PIN on it, so that would solve the whole PC robbery. The arrangement in default WebAuthn makes it very inconvenient for the server side to authenticate you with the key alone. A username will be practically mandatory, that solves the authenticating to web services. Unless you're talking about being targeted, but then you need a bodyguard, not TPM in plastic.

>>108957930
desu this
most attack vector arguments against hardware keys are nullified because at that point a shitty plastic molded pcb with a microcontroller on it is probably the least of your concern

>>108947904
Stupid and pointless. Google Authenticator is good enough for anyone.

>had one at work
>got reassigned to a team that doesn't use them
>WFH and forgot to bring it back to the office and nobody has mentioned it for the past 2 years
Should I do something with it? It's just sitting in some drawer somewhere.

>>108958456
factory reset it?
nothing inherent to the credential is really tied to the key itself iirc

>>108952456
Passkeys are not the same as security keys.

>>108947904
>What do we think of them?
they're ok, it's kinda silly that I have my private one and one for work that I carry with me. The biggest problem at least in normie space is that not many services support them, and even with passkeys your key can only hold a limited amount (25, 100 if you have the newer firmware) of them while for the actual fido2 stuff you have unlimited capacity. also for personal use they're way too expensive since you need 2 of them to start or you risk locking yourself out

>usb port broken on the device you want to use
>now you can't use it
on top of being easily lost or misplaced these have got to be the dumbest things I've ever seen