I've seen posts started last year (2023) about this topic. I would like to be informed of any updates. I am interested in using a security key for U2F verification instead of SMS. Anyone have anything to say about this?
YubiKey?
RedHenry Anyone have anything to say about this?
We can't read your mind. Ask a proper question or leave it.
Perhaps I am assuming we know about plug-in USB-type gadgets for security-minded intent to verify ourselves when we log into an account. They go by many names but they are all the same thing. A YubiKey is one. This little gadget allows us to not rely on SMS or a code sent by email to authenticate when logging onto bank apps or most apps in general. I don't know how they work but I am interested in learning how to be more secure with my online presence. Avoid the MITM attacks and such.
RedHenry Security keys for U2F already exist and have been widely used for years now? I have a YubiKey, they are nice.
Can store passwords on the fancier models, good for maybe something like a password manager.
You can grab a Yubikey on Amazon.
How they work is based on different protocols, but FIDO2 uses a signature challenge.
Your YubiKey has a private key, the service you are trying to log in to knows your public key and associates it with your account.
When you log in, it asks for a signature. If your YubiKey can generate one using the private key, you are authenticated. Otherwise, you aren't.
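The signature challenge described in the post above, as an added example that is not part of the original thread: a simplified Node.js model of a WebAuthn-style login. The function names and the example origins are assumptions, and a real security key speaks CTAP to the browser rather than this toy interface.

```javascript
// Added example: simplified model of a WebAuthn-style login assertion.
// Function names and the example origins below are hypothetical.
const crypto = require('crypto');
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// Registration: the key pair is created for one site; the service stores only the public key.
function register() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // NIST P-256
}

// Browser + security key: the browser records the origin it really loaded, the key signs.
function authenticatorSign(privateKey, challenge, origin, rpId, signCount) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  const counter = Buffer.alloc(4);
  counter.writeUInt32BE(signCount);
  // authenticatorData = SHA-256(rpId) || flags (0x01 = user present) || signature counter
  const authData = Buffer.concat([sha256(Buffer.from(rpId)), Buffer.from([0x01]), counter]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: crypto.sign('sha256', signed, privateKey) };
}

// Service: check the challenge it issued, the origin, the rpId hash, then the signature.
function serverVerify(publicKey, expected, assertion) {
  const clientData = JSON.parse(assertion.clientDataJSON.toString());
  if (clientData.type !== 'webauthn.get') return 'bad-type';
  if (clientData.challenge !== expected.challenge.toString('base64url')) return 'bad-challenge';
  if (clientData.origin !== expected.origin) return 'bad-origin';
  const rpIdHash = assertion.authData.subarray(0, 32);
  if (!rpIdHash.equals(sha256(Buffer.from(expected.rpId)))) return 'bad-rpid';
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, assertion.signature) ? 'ok' : 'bad-signature';
}

function demo() {
  const { publicKey, privateKey } = register();
  const site = { origin: 'https://bank.example', rpId: 'bank.example' };
  const login1 = { ...site, challenge: crypto.randomBytes(32) };
  const login2 = { ...site, challenge: crypto.randomBytes(32) };
  const good = authenticatorSign(privateKey, login1.challenge, site.origin, site.rpId, 1);
  // Constructed case: the same challenge answered while the browser is on a look-alike origin.
  const other = authenticatorSign(privateKey, login1.challenge,
    'https://bank-login.example', 'bank-login.example', 2);
  // Swapping in the genuine client data does not help: the signature covers it.
  const rewritten = { ...other, clientDataJSON: good.clientDataJSON, authData: good.authData };
  return { genuine: serverVerify(publicKey, login1, good),
           replayed: serverVerify(publicKey, login2, good),
           lookalike: serverVerify(publicKey, login1, other),
           rewritten: serverVerify(publicKey, login1, rewritten) };
}
console.log(demo());
```

The service never holds a secret that could be phished or leaked: an old response fails against a new challenge, and a response produced on another origin fails the origin check or the signature check.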
RedHenry Also "They go by many names but they are all the same thing." is not true. Even each yubikey is different.
Different USB standards, different authentication standards, and different levels of security. Some are FOSS, some are proprietary. Some have attention, some don't.
These are all factors when buying a U2F key.
On previous posts here, I've read that some users have extreme trouble with them. Some say we have to have Google services enabled first, I will not enlist Google into my life just yet. Most of the instruction posts are from last year and list problems. Are things different now? Has GOS made enabling a security key easier?
One poster said they wanted one to log into Vanadium....don't quite understand that one. I want one to log into my banking accounts or any account with personal info like emails, vpns and such. One key will work for everything? Right?
I know I need to YouTube this further. I just wanted to know if GOS would easily allow this feature.
RedHenry Security keys don't work on GOS as far as I am concerned, sadly (Edit: it seems to work with Google services now)
"I want one to log into my banking accounts or any account with personal info like emails, vpns and such.", most banks, emails, and VPNs don't support U2F.
"One key will work for everything? Right?", usually U2F is FIDO2. But no, most accounts will not work with a yubikey or U2F in general because they don't support U2F
There is a limited number of services that support U2F authorization. Some services like PayPal, Discord, etc., but not many compared to the number of accounts a user would have.
RedHenry I wrote something here:
https://discuss.grapheneos.org/d/10000-yubikey-alternatives/25
OTP app on the phone or built-in key, USB keys in the laptop.
FIDO2 and FIDO U2F are different standards. They are not the same. People seem to confound the two. U2F is used for 2FA and is supported by Play Services. U2F works on GrapheneOS with Sandboxed Google Play.
FIDO2 can be password-less and can be used as a single factor. FIDO2 is supported by Play Services. This includes FIDO2 passkeys on security keys. Passkeys are not supported on GrapheneOS at this time and currently do not work with or without Sandboxed Google Play.
Relaks Passkeys are not supported on GrapheneOS at this time and currently do not work with or without Sandboxed Google Play.
Are you sure? One user reported working passkeys with a password manager - I think it was 1password - on GrapheneOS.
I believe the correct statement is "Google Password Manager does not support passkeys on GrapheneOS."
AFAIK neither FIDO2 nor FIDO U2F works on GOS at all without GPS installed. I would love to be proven wrong though as I would like to be able to use a YubiKey or similar as 2nd factor for Bitwarden.
I believe that applications can support FIDO2 without GPS. They simply don't.
TheGodfather FIDO2 passkeys on security keys. Issue is tracked in the issue tracker: https://github.com/GrapheneOS/os-issue-tracker/issues/2903
Passkeys with a third-party password manager work because Play Services and Chromium support them without requiring a Google-certified OS. I'm probably the person you are referring to.
trilogy6202 AFAIK neither FIDO2 nor FIDO U2F works on GOS at all without GPS installed.
Yes, that's what I wrote in the post above.
Relaks FIDO2 is password-less and is used as a single factor.
FIDO2 CAN be password-less and CAN be used as a single factor but MUST not.
Yubico authentication-standards FIDO2
FIDO2 is the evolution of FIDO U2F, and offers the same improved level of security based on public key cryptography. FIDO2 offers expanded authentication options including strong single factor (passwordless), two factor, and multi-factor authentication.
I only use FIDO2 as 2FA for logins or SSH keys.
Passkeys are sec keys in cloud = other people's devices. :-(
Should be good now.