
Yubikey offer

  1. #1

    Join Date
    Aug 2006
    Posts
    11,884

    Yubikey offer

    On the off chance that anyone wants hardware 2FA keys, but is balking at the $50 price for one (and really, you should have at least 3 of these if you're bothering at all):

    https://slickdeals.net/f/16070614-cl...-free-shipping

    You need to sign up to a Cloudflare Zero Trust account and link it to your domain. e.g. you have to be a geek.


  2. #2

    Join Date
    Dec 2002
    Location
    薄扶林
    Posts
    47,971

    If only they could be used in common applications which need OTPs ... credit card transactions, bank logins etc.

    I'm not super security paranoid.. so not sure what value these keys would have over say Google Authenticator type services. Any real world scenarios?


  3. #3

    Join Date
    Aug 2006
    Posts
    11,884

    I do not think that these are really intended to replace OTPs. Banks insist on using SMS, so can't see them taking hardware keys terribly seriously.

    I simply use them as hardware keys for password managers. I guess you could use something like Google Authenticator for that as well, but people are likely to have both Google Authenticator and a password manager on their phone at the same time, which imo kind of defeats the point (yes, I know, fingerprints and all that).

    The places where I use a password manager are pretty locked down, so it's convenient to have a hardware key permanently stored at those locations. If I did use a password manager on a phone, the keys work with NFC or USB-C as well.


  4. #4

    Join Date
    Dec 2002
    Location
    薄扶林
    Posts
    47,971

    Never mind, I thought these were like USB / NFC type keys which replaced OTP devices like the HSBC key and the Google Authenticator app.


  5. #5

    Join Date
    Aug 2006
    Posts
    11,884

    Ah... yeah, a bit different. Though TBH I am not sure what these are:
    USB / NFC type keys which replaced OTP

    Far as I can tell, very few people use Yubikey or Google Titan, but imo if you're going to put all your eggs in one basket with a password manager (which people should!), you should then use 2FA on top of this (could well be Google Authenticator).


    Edit: Crikey, if you're not already familiar with these, then they are even more obscure than I thought. This thread is probably of zero interest to anyone.


  6. #6

    Join Date
    Apr 2019
    Location
    island east
    Posts
    455
    Quote Originally Posted by shri:
    If only they could be used in common applications which need OTPs ... credit card transactions, bank logins etc.

    I'm not super security paranoid.. so not sure what value these keys would have over say Google Authenticator type services. Any real world scenarios?
    If you are the target of nation states, or bad actors that can spend usd$500k to send Israeli commercial or nation-state malware to your phone and compromise it (like Bezos, etc) then maybe you need these. $500k-$600k is like a 5 for one deal, they can target four of your friends, etc. Nation states, up to the glorious leadership what they do to you.

    Dudes with millions of crypto in their phone wallets, etc.

    Turn on Apple lock down mode.

    https://www.theguardian.com/technolo...us-style-hacks
    Last edited by jimbo_jones; 14-10-2022 at 03:48 PM.

  7. #7

    Join Date
    Aug 2006
    Posts
    11,884
    Quote Originally Posted by jimbo_jones:
    If you are the target of nation states, or bad actors that can spend usd$500k to send Israeli commercial or nation-state malware to your phone and compromise it (like Bezos, etc) then maybe you need these. $500k-$600k is like a 5 for one deal, they can target four of your friends, etc. Nation states, up to the glorious leadership what they do to you.

    Dudes with millions of crypto in their phone wallets, etc.

    Turn on Apple lock down mode.

    https://www.theguardian.com/technolo...us-style-hacks
    Uh... if you're that high profile a target, an itty bitty 2FA hardware key like this is probably not going to help all that much. This stuff is for plebs who use personal password managers.

    Though it's worth mentioning that this is how Cloudflare avoided a massive hack last month that other companies fell to. They issue hardware keys to their employees, so the spearphishing + MTM attack failed with Cloudflare systems.

    https://techcrunch.com/2022/08/25/tw...kers-group-ib/