IIRC, the Yubi folks do recommend getting two, and using the second one as the backup authenticator in case the primary is lost/broken/etc. Put in a safe/safety deposit box for safe keeping.
On Tue, Aug 24, 2021 at 2:13 PM Paul Boniol <[email protected]> wrote:

> I agree with Tilghman, but would add there are NFC versions of
> Yubikey's (still without battery), and USB-C connector (which may or may
> not attach to your phone). If supported, it could be added as a backup
> authentication method, but I don't recommend using them as the primary
> method. (Left it at home, fell out of your bag, got eaten by a toddler, you
> never know.)
>
> Paul
>
> On Tue, Aug 24, 2021 at 12:48 PM Tilghman Lesher <[email protected]> wrote:
>
>> There are multiple reasons why I'm not fond of hardware keys like that:
>>
>> The first I've already mentioned. If it's lost or misplaced, you've
>> just lost your way of getting into the system.
>>
>> Second is the form factor. It's a USB A connector, which is fine when
>> you're sitting at a desktop or a laptop that you own. What happens if
>> you need to get into the machine, and the only thing you have is a
>> cellphone or tablet, which likely doesn't have a USB A port? Do you
>> keep a selection of dongles with you to make it fit? Or are you SOL?
>> And if you're at a machine that you don't own, they may well either
>> prevent you from accessing the USB port or have severe restrictions on
>> what a USB device plugged in can be. For example, it might be limited
>> to ONLY a mass storage device and not a USB keyboard. If that's the
>> case, the Yubikey won't work.
>>
>> Third, while the Yubikey is powered off the device to which it's
>> connected, and that's a nifty workaround to this problem, a lot of
>> hardware keys have a sealed battery. That battery cannot be replaced,
>> because the device will self-destruct (by design) if you try to open
>> it up. So you're only good for as long as the battery life lasts.
>>
>> All that said, you also want to avoid using SMS as your second factor
>> authentication, because the telecom network is not secure. If an
>> attacker knows your phone number, they could attempt to steal your
>> number and receive your SMS codes. While the telecoms have tried to
>> close this security hole, in many cases, it's an insider attack, which
>> can't be easily stopped without completely destroying number
>> portability.
>>
>> On Tue, Aug 24, 2021 at 11:04 AM Michael L <[email protected]> wrote:
>> >
>> > That's another important reason why I'm asking: when my Pixel LCD
>> > became unusable, I couldn't login.
>> >
>> > Glad again I asked.
>> >
>> > On Tue, Aug 24, 2021, 10:08 Tilghman Lesher <[email protected]> wrote:
>> >>
>> >> I would suggest configuring PAM to use one of the myriad 2 factor
>> >> authentication schemes, preferably one that isn't tied to a hardware
>> >> key. For example, you can use a Google Authenticator scheme with an
>> >> app like Authy, which will allow you to authenticate with multiple
>> >> devices -- useful if you lose or temporarily misplace one of them.
>> >> Authy will also work as a Chrome App -- just make sure that you only
>> >> put it on devices that you can keep secure.
>> >>
>> >> https://hackertarget.com/ssh-two-factor-google-authenticator/
>> >>
>> >> On Tue, Aug 24, 2021 at 6:09 AM Michael L <[email protected]> wrote:
>> >> >
>> >> > I have a couple of sensitive logins which I need to keep secure
>> >> > online and offline. I see multiple USB devices from about $10 and up. I
>> >> > also see Google OpenSK and Predator DIY results.
>> >> >
>> >> > Does anyone have a recommendation?
>> >> > Thanks everyone
>> >> >
>> >> > --
>> >> > --
>> >> > You received this message because you are subscribed to the Google Groups "NLUG" group.
>> >> > To post to this group, send email to [email protected]
>> >> > To unsubscribe from this group, send email to [email protected]
>> >> > For more options, visit this group at http://groups.google.com/group/nlug-talk?hl=en
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google Groups "NLUG" group.
>> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> >> > To view this discussion on the web visit https://groups.google.com/d/msgid/nlug-talk/CALdmzXZM9KizB9jj6mgORek5W6NAQ%2BF3-fJ%3Dc04ov%3DNJAiD0wg%40mail.gmail.com .
>> >>
>> >> --
>> >> Tilghman
>>
>> --
>> Tilghman
