undefined | Better HN

0 pointsgleenn3y ago0 comments

Solution is multiple yubikeys or printing out backup codes.

0 comments

How are you handling multiple Yubikeys? I'm doing it personally and it's so annoying that I can't imagine recommending this to anyone else. Since I'd hate to lose access to everything if my house burns down, I keep a key outside of the home. Of course, for that key to be useful, I need to update it whenever I use my key on a new site/service. Dropping everything to go fetch my key is inconvenient, so I keep multiple keys in the house. That way I can add two keys to a service and have a local backup in case one breaks. But, then I need to remember to actually add the off-site key to the account as well.

Maybe I should just round-robin the off-site key. It's just tedious to keep track of what's been registered with which key and making sure they're all in sync. I really wish there were a secure way to simply have a key backup.

Not to mention, this is kind of expensive and also non-obvious as Yubikey primarily sells single keys. I'd love to see wider adoption, but can't see the general population putting up with this.

avh023y ago

This has been what stops me from going full webauthn, instead right now I use 3 yubikeys with pass (password store) and encrypt with 3 separate gpg keys (one private key stored on each yubikey), I haven't touched one of the yubikeys in a year but I know that if I lose the other two it can still decrypt my passwords.

The disadvantage here is obviously it's just another password manager instead of taking full advantage of hardware tokens, but I want to be able to enroll passwords or tokens without the key present all the time. (Also, yubikeys have limited slots for keys)

zikduruqe3y ago

> this is kind of expensive and also non-obvious as Yubikey primarily sells single keys

Unless you need the GnuPG or SSH applets, I just use the $14 FIDO keys from Identiv. They are also NFC capable for my mobile devices also. I keep one at my office, one at home and carry one in my pack.

I too wish there were a way to keep them in sync or back them up.

Maybe a virtual FIDO key? https://github.com/bulwarkid/virtual-fido

wepple3y ago

Fireproof safe, and living in an area where the fire department would be able to get the fire under control fast enough that I would hopefully not need 1/10th of the capability of that safe.

Edit: also, if your house burns down, won’t you probably have your keys on you if you’re not home?

nirvdrum3y ago

Although these keys are intended to be stored on a keychain, I don't know of anyone that actually uses them that way. If you work remotely, there's just no need to have your keys on you most of the time. One of my keys is a 5C Nano and it just sits in the laptop all day long. So, if my house burns, I'm losing any keys in the house along with it.

As for a fireproof safe, I do have one, but they're rated for X hours and degrade over time. I should probably get a new one.

tke2483y ago

I had a good fireproof safe burn once it fused the sand or whatever material is between the layers of metal. I was never able to get back into it.

artdigital3y ago

I just have one in my drawer and one in my bag / always connected to my Mac

Then a printed backup sheets like 1password somewhere offsite (still needs master password to be usable)

microtheo3y ago

I use Windows hello and Apple passkey as secondary fido devices, isn’t that a valid method??

nirvdrum3y ago

Maybe? I really don't know. I dual-boot a Linux & Windows workstation and have a macOS laptop, so I haven't looked too deeply into platform-specific solutions. For now, I stick with Yubikeys. Complicating things further is for some accounts I'd like to give my wife access and she has her own keys and own devices. I've hit the key registration limit on some sites.

idontwantthis3y ago

The one time I had to use backup codes with Google they simply didn't work. Fortunately I was still logged on at my home comptuer.

j / k navigate · click thread line to collapse

0 comments

nirvdrum3y ago

Not to mention, this is kind of expensive and also non-obvious as Yubikey primarily sells single keys. I'd love to see wider adoption, but can't see the general population putting up with this.

avh023y ago

zikduruqe3y ago

> this is kind of expensive and also non-obvious as Yubikey primarily sells single keys

I too wish there were a way to keep them in sync or back them up.

Maybe a virtual FIDO key? https://github.com/bulwarkid/virtual-fido

wepple3y ago

Fireproof safe, and living in an area where the fire department would be able to get the fire under control fast enough that I would hopefully not need 1/10th of the capability of that safe.

Edit: also, if your house burns down, won’t you probably have your keys on you if you’re not home?

nirvdrum3y ago

As for a fireproof safe, I do have one, but they're rated for X hours and degrade over time. I should probably get a new one.

tke2483y ago

I had a good fireproof safe burn once it fused the sand or whatever material is between the layers of metal. I was never able to get back into it.

artdigital3y ago

I just have one in my drawer and one in my bag / always connected to my Mac

Then a printed backup sheets like 1password somewhere offsite (still needs master password to be usable)

microtheo3y ago

I use Windows hello and Apple passkey as secondary fido devices, isn’t that a valid method??

nirvdrum3y ago

idontwantthis3y ago

The one time I had to use backup codes with Google they simply didn't work. Fortunately I was still logged on at my home comptuer.

j / k navigate · click thread line to collapse