YubiKey alternatives

inomfood

Trezor Safe 3 is an open source device that supports FIDO2. It's traditionally a crypto wallet but the advantage to that is you don't need a second backup key, your seed phrase acts as a backup for the 2FA. If you lose it and purchase a new one, you can input the seed phrase and it will work the same as the previous trezor for getting into your accounts. I haven't actually tested whether it works with android yet, though. I've just used it on desktop.

Blastoidea

dregrinfuces
I’m glad to hear that someone else gets those cosmic ray strikes.

Sometimes I’m not sure if it is a real memory, or if I just made shit up.

Lukas

For a pair of NitroKey 3C NFC in total, it would be 135.98 euros. Is this reasonable?

OnlyKeys and SoloKeys aren't an option for me for several reasons.

izzy

Lukas Definitely interested in the discussion here for the same reasons in the OP.

I'm also interested in the "several reasons" you've discounted OnlyKeys and SoloKeys as options. Any chance you can elaborate on that point?

[deleted]

Lukas A fido key from yubikey costs $25, so a pair costs $50. That's a lot 135 but you're free to buy what you want. Otherwise, you have a "free" titan key in your pixel that can be configured.

Lukas

izzy I'm also interested in the "several reasons" you've discounted OnlyKeys and SoloKeys as options. Any chance you can elaborate on that point?

SoloKeys only supports U2F and FIDO2, but they cost the same as the alternatives, which have a lot more features.

OnlyKeys doesn't have any external third-party security audits, and they allow you to backup your keys to a file. In my opinion, nothing should leave the security key, which is the case with YubiKeys, SoloKeys, and NitroKeys.

Relaks

[deleted] Otherwise, you have a "free" titan key in your pixel that can be configured.

How?

Lukas

[deleted] A fido key from yubikey costs $25, so a pair costs $50.

I have no interest in security keys that will have to be trashed the moment a new important feature or security issue comes up, and on top of that, YubiKeys are entirely proprietary.

[deleted]

It's a real shame that Google passkeys aren't offered on grapheneos, it's a big step down in terms of security, but grapheneos users are supposed to have advanced knowledge of computer security. The best thing would be to have the passkey.

p338k

[deleted]

Third party providers will eventually be able to implement passkeys using the credential manager.

[deleted]

p338k Hasn't Bitwarden already implemented this?

p338k

[deleted]

I don't believe it has on mobile yet.

boldsuck

Lukas and they allow you to backup your keys to a file.

Same as NitroKey3 ;-)
You can export your config but not your resident (WebAuthn, GPG or SSH) keys. You can export imported GPG or SSH keys, but not ONKey generated.

After 10 incorrect Hardware PIN entries or 1 self-destruct PIN , the firmware and keys on the OnlyKey are deleted.

[deleted]

Lukas The most important thing about security keys is not whether they are open-source or not, but whether they can be used to block a connection.

boldsuck

Lukas I have no interest in security keys that will have to be trashed the moment a new important feature or security issue comes up

I bought a Yubikey twice (Neo + 5) and a few months later I was annoyed that they couldn't do certain features. You don't know what firmware you'll get before you buy.

See my post in onlykey.discourse: By the way: YubiKey sucks!

[deleted]

p338k I have configured my pixel 6a's titan security chip for my password manager.

[deleted]

But I'm wondering if bitwarden has passkey enabled. If anyone has the answer here?

p338k

[deleted]

I already answered that question above. Additionally, it has been answered in the new thread you created: https://discuss.grapheneos.org/d/10074-passkey

h4k3t

boldsuck So, out of all the keys you use, which you would recommend? Should I get a pair of such also or not? Thanks for the info.

boldsuck

h4k3t It's hard to say and depends on what you need most. Some tips:

e.g. firmware from Signet HC and Solo 1|Somu tiny was not further developed after the Kickstarter campaign. I'm afraid the same thing with solo2.
Therefore, I would only recommend Solo Hacker for developers & makers from Solokey.
(All manufacturers) NFC transmits only a small voltage and no time. TOTP therefore does not work over NFC and neither does strong de/encryption (or rather the chips for it).
OnlyKey is the only one I know of that has a device hardware PIN + self-destruction. (Adjustable: Config only or complete firmware.)
With the OnlyKey-Duo, the 6 numbers are emulated with 3 pins. (left, right or both & short press or long press) This is fiddly. Optional conf: Entering the PIN via the device software is insecure. (my opinion)
For setting FIDO2 PIN you need one-time the CLI utility on all keys. (Yubi, Nitro, Only) The rest of the config can also be easily done via the GUI.
FIDO2/WebAuthn, U2F works out of the box for all keys. OnlyKey and NitroKey3 can do a hell of a lot more. Crypto is hard, it takes time to understand all the options. But not everyone needs all the options.
Onlykey does not have a Smart card or OpenPGP card. OpenPGP support works via WebCrypt or with the trezor gpg agent.
Onlykey is just a small Kickstarter side project from CryptoTrust, but it is the only key I know whose firmware is constantly being developed further.
Nitrokey3 is just new, firmware (in the memory-safe programming language Rust) can't do everything yet e.g. OpenPGP smart card is experimental. But Nitrokey has a large development team + Solokeys and Nitrokey are together developing Trussed.
If you also need a hardware wallet for cryptocurrencies, a Trezor could also be interesting. He also has FIDO2/WebAuthn, U2F, Password Manager, OpenPGP support.
2FA accesses should have at least one backup. I have 2 or more hardware keys + OTP app for each account. Plus backup of OTP app + some keys.
NitroKey also sells Pixels with GrapheneOS and wants or has? ¯\_(ツ)_/¯ support GraphenOS.
I've important accounts or SSH keys only on Onlykey. They are safe there if they are lost or from officials when crossing the border.
I often carry laptops in my backpack. That's why I have a Nitrokey 3A Mini or Somu tiny in every laptop. For everyday FIDO2/WebAuthn, U2F accounts.

If you can afford 2 keys, I would recommend an Onlykey and a Nitrokey3. Unfortunately, both are often sold out. Since you can back up the keys, you don't have to buy them in pairs. If one is broken or lost, you can buy a new one later and import the backup. Then you can try out which keys you like. For example, some people don't like the USB-A Yubi- and Onlykeys. Onlykeys, Nitrokeys, Solokeys or Tresor can all be flashed with new firmware. So you can give them away if you don't like them. All 4 are open source with partially overlapping (forking, PR) development on GitHub.

Onlykey shipping from US to Germany/Europe is expensive. If there is a Kickstarter campaign or you can pay with bought cheaply crypto, then I always order 2-3 pieces.

The perfect key for me would be a NitroKey3 with hardware PIN. It could do everything I need (If the firmware is stable at some point. Month? Years?) and would be easy for me to buy in Germany.