I agree with Tilghman, but would add there are NFC versions of
Yubikeys (still without battery), and ones with a USB-C connector (which
may or may not attach to your phone). If supported, it could be added as a
backup authentication method, but I don't recommend using them as the
primary method. (Left it at home, fell out of your bag, got eaten by a
toddler, you never know.)

Paul

On Tue, Aug 24, 2021 at 12:48 PM Tilghman Lesher <[email protected]>
wrote:

> There are multiple reasons why I'm not fond of hardware keys like that:
>
> The first I've already mentioned.  If it's lost or misplaced, you've
> just lost your way of getting into the system.
>
> Second is the form factor.  It's a USB A connector, which is fine when
> you're sitting at a desktop or a laptop that you own.  What happens if
> you need to get into the machine, and the only thing you have is a
> cellphone or tablet, which likely doesn't have a USB A port?  Do you
> keep a selection of dongles with you to make it fit?  Or are you SOL?
> And if you're at a machine that you don't own, they may well either
> prevent you from accessing the USB port or have severe restrictions on
> what a USB device plugged in can be.  For example, it might be limited
> to ONLY a mass storage device and not a USB keyboard.  If that's the
> case, the Yubikey won't work.
>
> Third, while the Yubikey is powered off the device to which it's
> connected, and that's a nifty workaround to this problem, a lot of
> hardware keys have a sealed battery.  That battery cannot be replaced,
> because the device will self-destruct (by design) if you try to open
> it up.  So you're only good for as long as the battery life lasts.
>
> All that said, you also want to avoid using SMS as your second factor
> authentication, because the telecom network is not secure.  If an
> attacker knows your phone number, they could attempt to steal your
> number and receive your SMS codes.  While the telecoms have tried to
> close this security hole, in many cases, it's an insider attack, which
> can't be easily stopped without completely destroying number
> portability.
>
> On Tue, Aug 24, 2021 at 11:04 AM Michael L <[email protected]>
> wrote:
> >
> > That's another important reason why I'm asking:  when my Pixel LCD
> > became unusable, I couldn't log in.
> >
> > Glad again I asked.
> >
> > On Tue, Aug 24, 2021, 10:08 Tilghman Lesher <[email protected]> wrote:
> >>
> >> I would suggest configuring PAM to use one of the myriad 2 factor
> >> authentication schemes, preferably one that isn't tied to a hardware
> >> key.  For example, you can use a Google Authenticator scheme with an
> >> app like Authy, which will allow you to authenticate with multiple
> >> devices -- useful if you lose or temporarily misplace one of them.
> >> Authy will also work as a Chrome App -- just make sure that you only
> >> put it on devices that you can keep secure.
> >>
> >> https://hackertarget.com/ssh-two-factor-google-authenticator/
> >>
> >> On Tue, Aug 24, 2021 at 6:09 AM Michael L <[email protected]> wrote:
> >> >
> >> > I have a couple of sensitive logins which I need to keep secure
> >> > online and offline.  I see multiple USB devices from about $10 and up.  I
> >> > also see Google OpenSK and Predator DIY results.
> >> >
> >> > Does anyone have a recommendation?
> >> > Thanks everyone
> >> >
> >> > --
> >> > --
> >> > You received this message because you are subscribed to the Google
> Groups "NLUG" group.
> >> > To post to this group, send email to [email protected]
> >> > To unsubscribe from this group, send email to
> [email protected]
> >> > For more options, visit this group at
> http://groups.google.com/group/nlug-talk?hl=en
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google
> Groups "NLUG" group.
> >> > To unsubscribe from this group and stop receiving emails from it,
> send an email to [email protected].
> >> > To view this discussion on the web visit
> https://groups.google.com/d/msgid/nlug-talk/CALdmzXZM9KizB9jj6mgORek5W6NAQ%2BF3-fJ%3Dc04ov%3DNJAiD0wg%40mail.gmail.com
> .
> >>
> >>
> >>
> >> --
> >> Tilghman
> >>
> >
>
>
>
> --
> Tilghman
>
>
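
Why the app-based scheme suggested earlier in the thread works from several devices, as an added example that is not part of any poster's message: a TOTP code (RFC 6238) depends only on a shared secret and the clock, so every device enrolled with the same secret shows the same code. The function names are hypothetical, the secret is the RFC test value, and the parameters (SHA-1, 30-second step, 6 digits) are the RFC defaults used by Google Authenticator-compatible apps.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 4226/6238 test key, base32-encoded the
# way an enrollment QR code would carry it. Never use it for a real account.
SECRET = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32, unix_time, step=30, digits=6):
    """Compute the RFC 6238 code for a given time (HMAC-SHA1, dynamic truncation)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, unix_time, window=1, last_used=None, step=30):
    """Server-side check. Returns the matching time-step counter, or None.

    window    -- steps of clock skew tolerated on either side of "now"
    last_used -- highest counter already accepted; codes at or below it are
                 rejected so an observed code cannot be replayed
    """
    now = int(unix_time) // step
    for counter in range(max(0, now - window), now + window + 1):
        if last_used is not None and counter <= last_used:
            continue
        expected = totp(secret_b32, counter * step, step)
        if hmac.compare_digest(expected, submitted):
            return counter
    return None

def demo():
    t = 59                                   # RFC 6238 test time
    phone = totp(SECRET, t)                  # device 1
    tablet = totp(SECRET, t)                 # device 2, same enrolled secret
    return {
        "same_code_on_both": phone == tablet,
        "accepted_with_skew": verify(SECRET, phone, t + 6),
        "replay_rejected": verify(SECRET, phone, t + 6, last_used=1),
        "stale_rejected": verify(SECRET, phone, t + 141),
    }

if __name__ == "__main__":
    print(demo())
```

The same property is why the secret has to be protected on every device that holds it: anything that can read it can generate valid codes.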

