News about Fido2 compatibility?
dirksche You can't go wrong with a Yubikey. As far as I know, it has the highest compatibility with the various services.
YubiKeys don't support firmware updates, so you're stuck with whatever firmware (and bugs/exploits) the device shipped with. Next to preferring Open Source it's my main reason not to go with a YubiKey.
Regarding OP it looks like you're out of luck as currently OnlyKeys won't work for your use case. You could create a user profile with Sandboxed Play Services exclusively for the apps and websites you use with your OnlyKey, but I guess it's not a good solution for you (it wouldn't be what I want at least)...
N1b Tha
N1b YubiKeys don't support firmware updates, so you're stuck with whatever firmware (and bugs/exploits) the device shipped with.
There are a lot of reasons why I don't want to use a Yubikey. This is one more. But I did want to keep my answer short. There are a lot of pages that compare the different keys. I think we don't need one more.
N1b Regarding OP it looks like you're out of luck as currently OnlyKeys won't work for your use case
Bad luck. But is it possible to use it as simple 2FA?
N1b You could create a user profile with Sandboxed Play Services exclusively for the apps and websites you use with your OnlyKey, but I guess it's not a good solution for you
You are totally right about that. It's no option for me.
To prevent attacks on the YubiKey which might compromise its security, the YubiKey does not permit its firmware to be accessed or altered.
https://support.yubico.com/hc/en-us/articles/360013708760-YubiKey-Firmware-Is-Not-Upgradeable
mmmm https://onlykey.discourse.group/t/onlykeys-future/1221/2?u=mango_mungo
But that will take some time (possibly 1-2 years); OnlyKey is a small 3-man Kickstarter project.
dirksche I don't know if I understood the question, but you can use one key on multiple devices.
I've never used Paypal, but many sites have a similar 2FA/MFA setup:
(Important: With 2FA there is no option like password reset! That's why a backup is always necessary on 2 or more hardware keys or an OTP app).
- Enable TOTP (often called 'Google Authenticator' in instructions)
- Generate recovery codes, which you have to save safely!
- Then you can add U2F and/or WebAuthn/FIDO2 devices.
I can only say what is most practical for me. A hardware key in every laptop and an OTP app on the phones.
andOTP is unfortunately no longer being developed further. Some users in this forum use Aegis and FreeOTP+.
We recently had a thread about hardware keys and the difficulty of using them without Play Services.
I would also love to see GOS incorporate a FIDO2 library into Vanadium for security key use. Currently, I use my YubiKey to unlock keepass2android and as a TOTP method, but being able to use the FIDO/WebAuthn without GPS would be amazing.
boldsuck Sorry that my question was a little bit confusing.
I will try again. For example: on my laptop I secure a login with my OnlyKey. Then I have to use the same login on my smartphone with GOS, which doesn't support the OnlyKey. Can I set/add a different, alternative method like OTP so that I am able to log in on my mobile device?
chock-a-block In the past, they said a FIDO2 implementation developed by GrapheneOS would only use the Titan M chip, not USB/NFC/BT.
Yes, you can. With PayPal - if you activate two-step verification - it's even necessary to set up OTP as an alternative to security keys because unfortunately at the moment you can only store one security key with PayPal - for this alone it is necessary to have an alternative access option if you lose the security key.
You can set up the second factor in your PayPal account under settings>security>two-step verification.