Security Keys

RedHenry

I've seen posts started last year (2023) about this topic. I would like to be informed of any updates. I am interested in using a security key for U2F verification instead of SMS. Any one have anything to say about this?

YubiKey?

TheGodfather

RedHenry Any one have anything to say about this?

We can't read your mind. Ask a proper question are leave it.

raccoondad

RedHenry Security keys for U2F already exist and are widely used for years now? I have a Yubikey, they are nice

Can store passwords on the more fancier models, good for maybe something like a password manager

You can grab a Yubikey on Amazon.

How they work is based on different protocols, but FIDO2 uses a signature challenge.

Your yubikey has a private key, the service you are trying to login knows your public and associates it with your account.

When you login, it asks for a signature. If your Yubikey can generate one using the private key, you are authenticated. Otherwise, you aren't

boldsuck

RedHenry I wrote something here:
https://discuss.grapheneos.org/d/10000-yubikey-alternatives/25
OTP app on the phone or build in key, USB keys in the laptop.

RedHenry

Perhaps I am assuming we aknow about plug in USB type type gadgets for security minded intent to verify ourselves when we log into an account. They go by many names but they are all the same thing. A YubiKey is one. This little gadget allows us to not rely on SMS or code sent by Email to authenticate when logging onto bank apps or most apps in general. I don't know how they work but I am interested in learning how to be more secure with my online presense. Avoid the MITM attacks and the such.

raccoondad

RedHenry Also "They go by many names but they are all the same thing." is not true. Even each yubikey is different.

Different USB standards, different authentication standards, and different levels of security. Some are FOSS some are proprietary. Some have attention some don't.

These are all factors when buying a U2F key

RedHenry

On previous posts here, I've read that some users have extreme trouble with them. Some say we have to have Google services enabled first, I will not enlist Google into my life just yet. Most of the instruction posts are from last year and list problems. Are things different now? Has GOS made enabling a security key easier?
One poster said they wanted one to log into Vanadium....don't quite understand that one. I want one to log into my banking accounts or any account with personal info like emails, vpns and such. One key will work for everything? Right?
I know I need to YouTube this further. I just wanted to know if GOS would easily allow this feature.

raccoondad

RedHenry Security keys don't work on GOS as far as I am concerned, sadly (Edit: it seems to work with Google services now)

" I want one to log into my banking accounts or any account with personal info like emails, vpns and such.", most banks, emails, and VPNs don't support U2F

"One key will work for everything? Right?", usually U2F is FIDO2. But no, most accounts will not work with a yubikey or U2F in general because they don't support U2F

There is a limited number of services that support U2F authorization. Some services like Paypal, discord, etc., but not many compared to the amount of accounts a user would have.

Relaks

FIDO2 and FIDO U2F are different standards. They are not the same. People seem to confound the two. U2F is used for 2FA and is supported by Play Services. U2F works on GrapheneOS with Sandboxed Google Play.

FIDO2 can be password-less and can be used as a single factor. FIDO2 is supported by Play Services. This includes FIDO2 passkeys on security keys. Passkeys are not supported on GrapheneOS at this time and currently does not work with or without Sandboxed Google Play.

TheGodfather

Relaks Passkeys are not supported on GrapheneOS at this time and currently does not work with or without Sandboxed Google Play.

Are you sure? One user reported working passkeys with a password manager - I think it was 1password - on GrapheneOS.

boldsuck

Relaks FIDO2 is password-less and is used as a single factor.

FIDO2 CAN be password-less and CAN be used as a single factor but MUST not.

Yubico authentication-standards FIDO2
FIDO2 is the evolution of FIDO U2F, and offers the same improved level of security based on public key cryptography. FIDO2 offers expanded authentication options including strong single factor (passwordless), two factor, and multi-factor authentication.

I only use FIDO2 as 2FA for logins or SSH keys.

Passkeys are sec keys in cloud = other peoples devices. :-(

p338k

TheGodfather

I believe the correct statement is "Google Password Manager does not support passkeys on GrapheneOS."

trilogy6202

p338k & TheGodfather

AFAIK neither FIDO2 or FIDO U2F works on GOS at all without GPS installed. I would love to be proven wrong though as I would like to be able to use a YubiKey or similar as 2nd factor for Bitwarden.

Relaks

TheGodfather FIDO2 passkeys on security keys. Issue is tracked in the issue tracker: https://github.com/GrapheneOS/os-issue-tracker/issues/2903

Passkeys with a third-party password manager works because Play Services and Chromium supports it without requiring a Google-certified OS. I'm probably the person you are referring to.

trilogy6202 AFAIK neither FIDO2 or FIDO U2F works on GOS at all without GPS installed.

Yes, that's what I wrote in the post above.

p338k

trilogy6202

I believe that applications can support FIDO2 without GPS. They simply don't.

Relaks

boldsuck Thank you. I misread and then misinformed people. Unfortunately I can't edit my post any longer.

spring-onion

Should be good now.