My main issue with YubiKeys is that firmware is not updatable, so you have to buy a new YubiKey if there is a new firmware version that brings new features or security fixes.
My second issue is that firmware is proprietary, but that is less of an issue.
What are the best alternatives to YubiKeys? I'm only aware of NitroKeys and a few others.
YubiKey alternatives
Well, there's that unnamed evil corp Titan key:
I don't know anything more about it than what's in that article. But, I don't know if any of these kinds of devices will be flashable. I think I vaguely recall some mention of an open source firmware for such keys, but I just can't remember anything about it (or even if the memory is just from a random cosmic ray strike to my noggin).
[deleted]
dregrinfuces open source FIDO Key:
https://solokeys.com/collections/all
I have all: SoloKeys, NitroKey 3, OnlyKeys (open source) & YubiKeys (proprietary and firmware becomes outdated after a short time)
I love & use hardware PIN protected OnlyKeys every day. Firmware upgrade for years, GPG backup and copy to 2nd key possible.
Lukas
You can have a look at below which I was looking at
It uses an open source app as well.
Let me know how you get on.
Thanks
Trezor Safe 3 is an open source device that supports FIDO2. It's traditionally a crypto wallet but the advantage to that is you don't need a second backup key, your seed phrase acts as a backup for the 2FA. If you lose it and purchase a new one, you can input the seed phrase and it will work the same as the previous Trezor for getting into your accounts. I haven't actually tested whether it works with Android yet, though. I've just used it on desktop.
dregrinfuces
I’m glad to hear that someone else gets those cosmic ray strikes.
Sometimes I’m not sure if it is a real memory, or if I just made shit up.
For a pair of NitroKey 3C NFC in total, it would be 135.98 euros. Is this reasonable?
OnlyKeys and SoloKeys aren't an option for me for several reasons.
[deleted]
Lukas A FIDO key from YubiKey costs $25, so a pair costs $50. 135 is a lot, but you're free to buy what you want. Otherwise, you have a "free" Titan key in your Pixel that can be configured.
[deleted]
It's a real shame that Google passkeys aren't offered on GrapheneOS, it's a big step down in terms of security, but GrapheneOS users are supposed to have advanced knowledge of computer security. The best thing would be to have the passkey.
[deleted]
p338k Hasn't Bitwarden already implemented this?
izzy I'm also interested in the "several reasons" you've discounted OnlyKeys and SoloKeys as options. Any chance you can elaborate on that point?
SoloKeys only supports U2F and FIDO2, but they cost the same as the alternatives, which have a lot more features.
OnlyKeys doesn't have any external third-party security audits, and they allow you to back up your keys to a file. In my opinion, nothing should leave the security key, which is the case with YubiKeys, SoloKeys, and NitroKeys.
[deleted]
p338k I have configured my Pixel 6a's Titan security chip for my password manager.
[deleted]
Lukas The most important thing about security keys is not whether they are open-source or not, but whether they can be used to block a connection.
[deleted]
But I'm wondering if Bitwarden has passkey enabled. If anyone has the answer here?