this post was submitted on 03 Jan 2024
71 points (98.6% liked)

Linux



Hardware security key options?

I've been thinking about getting a hardware security key and have heard of yubikey before; but I want to see what my options are and if they are worth it in your opinion.
My current setup is a local KeePassXC database (that I sync between my PC and phone and also acts as TOTP authenticator app), I know that KeePass supports hardware keys for unlocking the database.

I am personally still of the belief that passwords are the safest when done right; but 2FA/MFA can greatly increase security on top of that (again, if done right).
The key should work together with already existing passwords, not replace them.

As I use linux as my primary OS I do expect it to support it and anything that doesn't I will have to pass on.

PS: what are the things I need to know about these hardware keys that's not being talked about too much, I am very much delving into new territory and want to make sure I'm properly educated before I delve in.

@linux @[email protected] @[email protected] @privacy #2FA #MFA #yubikey #InfoSec #CyberSecurity

all 35 comments
[–] [email protected] 18 points 1 year ago (1 children)

There's a Swedish startup named Tillitis making open source, verifiably secure hardware keys, but they're not well supported at the moment.

https://tillitis.se/

Yubikey probably has the widest support for things like password managers and automatic sign in.

[–] youngGoku 1 points 1 year ago

I use yubikey, hard to find sites that fully support yubikey services (the one touch feature)

[–] thisisawayoflife 8 points 1 year ago (2 children)

Look into SoloKeys and NitroKeys and see if there's products from those vendors that fit your needs.

[–] [email protected] 11 points 1 year ago (2 children)

As to why thisisawayoflife recommends these products (over OP's consideration of Yubico), probably because Solo and Nitro keys are open source hardware and firmware.

Nitro is a German company. Yubico is a Swedish company. I can't find where SoloKeys is located. However, the OS nature of Solo and Nitro should make that a little less important.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

In my research, I've found SoloKeys may be a US company. They are headquartered in New Jersey and one Co-founder is in New York City. However, according to their WhoIs data, the domain was registered in Iceland.

From SoloKey's Solo 2A+ NFC Security Key product page "Made and programmed in Europe." https://solokeys.com/products/solo-2a-nfc-security-key?variant=40297992093889

[–] [email protected] 2 points 1 year ago (2 children)

I also recommend Nitrokey. I have a Nitrokey Pro 2 and a Nitrokey 3 NFC and they both work well. Linux support is very good, and they also have good documentation on how to do most stuff you might want to do. +1 for being open-source as well.

[–] [email protected] 1 points 1 year ago

Well I might be ignorant of first principles, but I couldn't get a nitrokey I got for testing to work with anything.

Not that yubikey is easy.

[–] [email protected] 1 points 1 year ago

Nitrokey isn't fully open source though. The secure element is proprietary. But that's not their fault, OSS secure elements aren't a thing yet unfortunately, but some companies wanna bring a change in that

[–] WorstCase 6 points 1 year ago* (last edited 1 year ago) (3 children)

While KeePass has the ability to use a Yubikey (or similar) as 2FA (the master password is still required), this does not work on the mobile (Android) apps I tried. If you can make it work, please let me know!

Other than that: I got my Yubikey working ok on Linux Mint. But somehow the first login often does not work as expected (you have to touch the key). That is why I don't use it anymore as 2FA for computer login.

[–] [email protected] 6 points 1 year ago* (last edited 1 year ago)

Yubikeys can work with KeePassDX, you just need to install the key driver and have NFC enabled.

Also I'm pretty sure you are always supposed to touch the key initially when you use it for things like unlocking your KeePass database and what not

[–] [email protected] 2 points 1 year ago (1 children)

I don't have a key yet (which is why I'm asking) and I definitely want it in combination with passwords (they can take the key using force; but they can't take thoughts out of my head just yet).

As for android apps not working with the yubikey: try giving KeePassDX a shot; I got it from F-Droid and it does give me a hardware key field with the option to autofill with "Yubikey challenge-response".
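The "Yubikey challenge-response" option mentioned in this sub-thread is, in general terms, HMAC-SHA1 computed inside the token over a challenge the host supplies. The Python model below is an added example, not code from the original post, KeePassXC, KeePassDX or any key vendor: it assumes a simplified token that accepts challenges of 1 to 64 bytes, answers with a 20-byte HMAC-SHA1, and a composite-key derivation (constructed here, not KeePassXC's real one) that mixes the password with the token's response. The point it shows is why the master password is still required and why a copied database file plus the (public) challenge is useless without the physical token.

```python
import hashlib
import hmac


class HmacSha1Token:
    """Model of a hardware token in HMAC-SHA1 challenge-response mode.

    The secret is loaded once (think: personalisation at setup time) and is
    never returned to the host; the host can only ask for responses.
    This is a generic model, not any vendor's firmware.
    """

    def __init__(self, secret: bytes):
        if not 1 <= len(secret) <= 20:
            raise ValueError("secret must be 1..20 bytes")
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        if not 1 <= len(challenge) <= 64:
            raise ValueError("challenge must be 1..64 bytes")
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def derive_composite_key(password: str, token: HmacSha1Token, challenge: bytes) -> bytes:
    """Assumed derivation: 'something you know' mixed with 'something you have'.

    The challenge is not secret; it could sit in the database header. Without
    the token the response cannot be computed, and without the password the
    token's response alone is not enough either.
    """
    password_part = hashlib.sha256(password.encode("utf-8")).digest()
    response = token.respond(challenge)
    return hashlib.sha256(password_part + response).digest()


def unlock(stored_key: bytes, password: str, token: HmacSha1Token, challenge: bytes) -> bool:
    """Constant-time comparison of the recomputed key against the stored one."""
    return hmac.compare_digest(stored_key, derive_composite_key(password, token, challenge))


# Constructed sample values for the demonstration (not real key material).
DEMO_SECRET = bytes.fromhex("000102030405060708090a0b0c0d0e0f10111213")
DEMO_CHALLENGE = b"constructed-database-challenge-32b"
DEMO_TOKEN = HmacSha1Token(DEMO_SECRET)
OTHER_TOKEN = HmacSha1Token(bytes.fromhex("ffeeddccbbaa99887766554433221100ffeeddcc"))


def demo() -> dict:
    """Run the three scenarios a practitioner cares about and return the outcomes."""
    stored = derive_composite_key("correct horse", DEMO_TOKEN, DEMO_CHALLENGE)
    return {
        "right_password_right_token": unlock(stored, "correct horse", DEMO_TOKEN, DEMO_CHALLENGE),
        "right_password_wrong_token": unlock(stored, "correct horse", OTHER_TOKEN, DEMO_CHALLENGE),
        "wrong_password_right_token": unlock(stored, "battery staple", DEMO_TOKEN, DEMO_CHALLENGE),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'unlocked' if ok else 'denied'}")
```

Two practical consequences follow from the model: a second token can only unlock the same database if it was programmed with the same HMAC secret (which is why the thread's advice to set up a backup key at enrolment time matters), and losing the token with no backup means the composite key can never be recomputed, whatever the password.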

[–] WorstCase 1 points 1 year ago

Thanks, I will try again!

[–] superbirra 2 points 1 year ago

keepass2android also works

[–] [email protected] 5 points 1 year ago

I'm using yubikeys. Works fine on Linux and Android.

[–] Freddyyeddy 4 points 1 year ago

Onlykey. It's U2F, and has up to 12 or 24 username/password combinations depending on how you set it up. It's got a physical PIN required and you can set what happens on 6 failed attempts, like nuking its own firmware and (quantum-proof encrypted alg) password and keystore. It requires no software on the machine (after setup) so you can use it on machines you don't own and don't need to install middleware (I'm looking at you, Nitrokey). If you use Linux you can use it as an SSH private key and login method requiring challenge-response (via its PIN pad) (Windows support for this is middleware and is ...not easy). It's a true one-way write: you add a password in, and all you can do is overwrite, never read from it. https://onlykey.io/. I've been using it in my corporate IT day to day for 3 years.

[–] [email protected] 4 points 1 year ago (1 children)

Nitrokey would probably be my choice as both the hardware and software are open source (in fact you could probably build your own if you wanted to). I don't trust Yubikey as the firmware that runs on them is closed source, so you just don't know if it's actually secure.

[–] [email protected] 2 points 1 year ago

This. Yubikey is not libre hardware, not sure why they're so popular. I'd avoid any closed-source hardware for security devices. It's a bad idea.

[–] 413j0 3 points 1 year ago* (last edited 1 year ago)

I personally just have 3 U2F keys from different brands, one of them is a Yubikey, but I only use the U2F functionality. I have read enough about the U2F standard to trust it, but the other fluff on some keys I don't trust enough to use on my accounts, and the basic U2F functionality works perfectly on Linux (I even use it for my Linux login) and basically everywhere.

I keep one on my keychain (it has a USB-A port, but I keep a female A to male C converter on it as a cap so I can use it on my phone), another that has password protection instead of a single button lives on a port on my desktop, and the third I keep stored. It is more annoying to set up all of them on a new account, but I know I won't lose access or have to recover my accounts if I lose my keychain.

And for sites that don't support U2F I use Aegis for TOTP, which would also be my recommendation; that way if your KeePassXC database is compromised your second factor is safe, and you can also have automatic encrypted backups of your Aegis DB synchronised across devices so you don't lose them.

And if you are going to be setting up keys on multiple sites, don't forget to update or generate your single-use recovery codes and store them safely, preferably on paper, not digitally.

I personally print mine on regular printer paper in sections about the size of a library card and then I spread some UV-curing resin until it soaks through, then I clean the excess and leave them in the sun for about 2 hours (most printer paper has optical brightener that makes the resin much slower to cure). I then cut the individual segments and store them in my safe.

It may be paranoid, but it's extra work just when creating an account, and I started doing it after I permanently lost access to a trading account because of a lost key and a faded recovery code, thankfully it had no balance stored there at the time

[–] [email protected] 2 points 8 months ago

I use a Yubikey 5 NFC and a Canokey Pigeon, both work out of the box on Linux.

[–] [email protected] 2 points 1 year ago (1 children)

Hi there! Your text contains links to other Lemmy communities, here are correct links for Lemmy users: [email protected], [email protected], [email protected]

[–] thisisawayoflife 4 points 1 year ago
[–] [email protected] 2 points 1 year ago (1 children)

Crazy coincidence that I was just researching hardware keys today. Why go with a hardware key over a free, open source TOTP generator like Aegis?

[–] [email protected] 1 points 1 year ago

For many TOTP may be a good option; but my experience with TOTP has been less than subpar.

Initially I did use TOTP like you're supposed to; but after my last phone died I had to set up TOTP on the accounts that used it *after* getting into them without it using backup codes.
This led me to put the TOTP stuff inside my KeePass vault (as KeePassXC supports TOTP), which is backed up (unlike most TOTP solutions I've used).
The problem now is that my 2FA keys are stored in the same location as my passwords... (not that I'm worried about someone breaking the vault; but this is *not* how 2FA is supposed to work).

Additionally I have some other issues with TOTP that make it far from ideal for me and hardware keys seem to be a good fit to solve my issues with TOTP.
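The reason the poster's setup is "not how 2FA is supposed to work" is visible in how TOTP (RFC 6238) is built: the code is HMAC-SHA1 over a time counter with a symmetric secret that both the server and the client store, so whoever reads the vault holding that secret can generate valid codes forever. The implementation below is an added example, not code from the original thread, KeePassXC or Aegis; it implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library, decodes the base32 secret form used in otpauth URIs, and is checked against the RFC's published test vector (secret "12345678901234567890", time 59). The replay guard in `verify_totp` is a constructed illustration of what a server should add, not part of the RFC.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP per RFC 4226: HMAC over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP per RFC 6238: HOTP with counter = floor(time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 form found in otpauth:// URIs and authenticator exports."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped padding
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, code: str, unix_time: int, last_used_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check: accept +/- `window` steps for clock drift, constant-time compare,
    and refuse any counter already consumed so a sniffed code cannot be replayed.

    Returns (accepted, matched_counter); matched_counter is -1 when rejected.
    """
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_used_counter:
            continue  # already used (or older than one already used): replay
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return True, candidate
    return False, -1


# RFC 6238 Appendix B reference secret (public test vector, not real key material).
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of b"12345678901234567890"


if __name__ == "__main__":
    secret = secret_from_base32(RFC_SECRET_B32)
    print("RFC vector, T=59, 8 digits:", totp(secret, 59, digits=8))
    now = int(time.time())
    print("current 6-digit code:", totp(secret, now))
```

Everything the generator needs is in `secret`; there is no per-device state, no user interaction and nothing that proves a particular device produced the code. That is the property a challenge-response or FIDO2 key adds, and it is the property lost when the TOTP secret lives in the same encrypted file as the password it is meant to back up.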

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (2 children)

If you're insane this company makes hardware keys that you can implant under your skin and read via nfc https://dangerousthings.com/product/apex-flex/

(There is also a ring version if for some reason you don't want to shove a microchip inside you 🫣)

[–] [email protected] 1 points 1 year ago (1 children)

Let's *NOT* go that route.

I'm very much looking for a hardware key to avoid biometrics (I can have a field day expressing my opinions on those; but in general they tend to be the weakest MFA factor and most have known working bypasses based on photos).
This leans a little too close to that for me to consider, let alone all of the things you have to consider when putting implants in your body.

[–] [email protected] 2 points 1 year ago

Just wanted to add something different from the other posts, definitely not recommending it.

That being said, it is a hardware key. You can set it up as a Fido2 key, making it as secure as any of the other options here, it is not biometrics.

Like I mentioned, you have to be a little crazy to go that route

[–] [email protected] 1 points 1 year ago (1 children)

Thanks for this, I’ve actually been seriously considering a microchip implant for a while, is it open source? I don’t want proprietary code inside me if I can help it.

I’ve had a magnet embedded in my pinky for about 7 years now. It’s wild fun having an extra sense, I’ve actually been planning its replacement as it’s gotten much weaker the last year or so. Neodymium magnets do eventually lose their charge, and heat causes it to happen faster.

[–] Para_lyzed 3 points 1 year ago* (last edited 1 year ago) (1 children)

It runs JavaCard OS, which is developed by Oracle and not open source. Even though it also runs JavaCard OS, I'd recommend the flexSecure JavaCard from Dangerous Things (for the same price as the Apex Flex), because all of its applets are open source: https://dangerousthings.com/product/flexsecure/. It isn't quite as "seamless", because it doesn't have the closed-source app store available for it that the Apex Flex does, but it instead uses open-source applets that you can load onto it. Regardless, either option will run a closed-source OS, but as far as secure verification goes (by using challenge-response instead of static keys which could be read and copied like old RFID tags), JavaCard is currently the best option. And as far as implantable chips go, the flexSecure JavaCard and the Apex Flex are the 2 best chips on the market to my knowledge.

The silver lining is that there are plenty of open source applets you can run on JavaCards (like the flexSecure ones written by Dangerous Things)

[–] [email protected] 2 points 1 year ago

Great answer, I will add that another major difference between the Apex Flex and the FlexSecure is that the FlexSecure comes with factory default signing keys (which you can change), while the Apex Flex does not. This means you can't add your own applets to the Apex Flex. Para_lyzed touched on this but I wanted to emphasize that the FlexSecure gives you the ability to fully manage the implant while the Apex Flex doesn't. There are trade-offs of course.

[–] Telodzrum 2 points 1 year ago

I've been using a Yubikey for years and I'm quite happy.

[–] [email protected] 2 points 1 year ago

When I did some research on hardware keys I was between Yubikey and Nitrokey. I ended up going with Yubikey because KeepassXC supported it.

Something to keep in mind is purchasing a backup key. I bought one for my wife and we use each other's as a backup.

For KeepassXC it does not support registering multiple keys (at least not that I have figured out), so I have a copy of my database where it uses my wife's key as a backup.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Yubikey is kinda the gold standard IMO. Yes, I know google has their own titan something ~but the other one I know that can rival yubikey in terms of support and longevity would be nitrokey.~ Else I recommend making a poor man's security key using a keyfile and a flashdrive to secure your keepass database

Edit: forgot about Nitrokey's overly sensational claims about a backdoor on Qualcomm chips a while back, that kinda stained my view on their company now. Just get a Yubikey; sure, there's no firmware upgrades and whatnot, but it's good enough for now. Also heard good things about Onlykeys.

[–] [email protected] 1 points 1 year ago

I use a Yubikey (couldn't choose, it's from work) and I have no issues with it working out of the box (EndeavourOS). I just touch the "button" and it "types" the key.

[–] [email protected] -4 points 1 year ago* (last edited 1 year ago)

On average, Vatican has two popes per square kilometer.

EDIT: My bad, wrong thread.