undefined | Better HN

0 pointsBeltalowda4y ago0 comments

But then I need to buy a YubiKey (€45), and set it up on my Linux machines which seems to require some PAM stuff, and lose one of the two USB ports on my laptop, and carry it around, and make a plan for when I lose it or when it breaks.

And the advantage is ... I don't know? If you have a strong random non-reused password I'm not seeing any. The only hypothetical advantage is when someone compromises your email account or desktop, but support departments tend to just reset 2FA if asked, so it's not actually a protection.

0 comments

1 comments · 1 top-level

deadbunny4y ago

No need for "PAM stuff" on Linux, plug it in and it's ready to use as a 2FA webauthn device. I think you can use it for PAM but I've never tried.

You can set it up as a GPG smart card if you're that way inclined (which also means you can use it as an SSH private key as well). The advantage there is that your private keys are never on your machine which means they stay secure even if your machine is compromised which is nice.

As for MFA (YubiKey or otherwise), I believe the "hassle" is worth the inconvenience. It means that of my (single site, very complex) passwords are compromised in any way my accounts will remain secure long enough for me to change passwords.

j / k navigate · click thread line to collapse