My main issue with YubiKeys is that firmware is not updatable, so you have to buy a new YubiKey if there is a new firmware version that brings new features or security fixes.
 
My second issue is that firmware is proprietary, but that is less of an issue.
 
What are the best alternatives to YubiKeys? I'm only aware of NitroKeys and a few others.


    Well, there's that unnamed evil corp Titan key:

    https://www.zdnet.com/article/hands-on-with-googles-new-titan-security-keys-and-why-they-still-have-their-place/

    I don't know anything more about it than what's in that article. But, I don't know if any of these kinds of devices will be flashable. I think I vaguely recall some mention of an open source firmware for such keys, but I just can't remember anything about it (or even if the memory is just from a random cosmic ray strike to my noggin).

      I have all of them: SoloKeys, NitroKey 3, OnlyKeys (open source) & YubiKeys (proprietary, and the firmware becomes outdated after a short time).
      I love & use hardware PIN protected OnlyKeys every day. Firmware upgrades for years, GPG backup and copying to a 2nd key possible.

      Lukas
      You can have a look at below which I was looking at

      https://onlykey.io/

      It uses an open source app as well.

      Let me know how you get on.

      Thanks

      Trezor Safe 3 is an open source device that supports FIDO2. It's traditionally a crypto wallet, but the advantage of that is you don't need a second backup key: your seed phrase acts as a backup for the 2FA. If you lose it and purchase a new one, you can input the seed phrase and it will work the same as the previous Trezor for getting into your accounts. I haven't actually tested whether it works with Android yet, though. I've just used it on desktop.

      dregrinfuces
      I’m glad to hear that someone else gets those cosmic ray strikes.

      Sometimes I’m not sure if it is a real memory, or if I just made shit up.


      For a pair of NitroKey 3C NFC in total, it would be 135.98 euros. Is this reasonable?

      OnlyKeys and SoloKeys aren't an option for me for several reasons.

        Lukas Definitely interested in the discussion here for the same reasons in the OP.

        I'm also interested in the "several reasons" you've discounted OnlyKeys and SoloKeys as options. Any chance you can elaborate on that point?


          Lukas A FIDO key from Yubico costs $25, so a pair costs $50. 135 is a lot, but you're free to buy what you want. Otherwise, you have a "free" Titan key in your Pixel that can be configured.


            It's a real shame that Google passkeys aren't offered on GrapheneOS. It's a big step down in terms of security, but GrapheneOS users are supposed to have advanced knowledge of computer security. The best thing would be to have the passkey.

              [deleted] Otherwise, you have a "free" Titan key in your Pixel that can be configured.

              How?

              [deleted]

              Third party providers will eventually be able to implement passkeys using the credential manager.


                p338k Hasn't Bitwarden already implemented this?


                  izzy I'm also interested in the "several reasons" you've discounted OnlyKeys and SoloKeys as options. Any chance you can elaborate on that point?

                  SoloKeys only supports U2F and FIDO2, but they cost the same as the alternatives, which have a lot more features.

                  OnlyKeys doesn't have any external third-party security audits, and they allow you to backup your keys to a file. In my opinion, nothing should leave the security key, which is the case with YubiKeys, SoloKeys, and NitroKeys.

                    [deleted] A fido key from yubikey costs $25, so a pair costs $50.

                    I have no interest in security keys that will have to be trashed the moment a new important feature or security issue comes up, and on top of that, YubiKeys are entirely proprietary.


                      p338k I have configured my Pixel 6a's Titan security chip for my password manager.


                      Lukas The most important thing about security keys is not whether they are open-source or not, but whether they can be used to block a connection.


                      But I'm wondering whether Bitwarden has passkeys enabled. Does anyone here have the answer?