SerenityNow Well, I'll give you my opinion. I had a high threat model at a certain level and I changed jobs last year. Now I use an iPhone because my wife decided to have an iPad, and you know, once you set foot in it, it's over... In short, I still had my FIDO keys and my basic security procedures, and then a few months ago we had our personal data stolen from Free, including IBAN. I went to my banker to see what we could do and he clearly told me that without my signature no one can withdraw money from my account, even with an IBAN! So no... following this appointment I decided to let go of a lot of ballast and abandon my FIDO keys, and to keep only the simplest: double authentication with phone number or passkey when it is available. I rely on the security of my phone, which is the best thing to do with Google Pixels.

    Guillaume And it has nothing to do with the discussion but I would like to take the opportunity to point out that ProtonPass is on sale with a unique and LIFEtime offer!

    DeletedUser34

    Back in May 2024 a GrapheneOS developer mentioned the Trezor Safe 3 as what they consider a more secure alternative to FIDO2 with Yubikeys (source).

    Quote:

    https://trezor.io/trezor-safe-3 has a decent secure element and can be used for FIDO2, and using it requires unlocking it with a PIN with secure element enforcing a max attempt limit

    that's not the main purpose of that but it can be used for FIDO2, SSH, PGP and other things like that despite it not being the main use

      fid02 Outside of its main purpose, the documentation is terrible. Someone please send sources if I'm wrong somewhere.
      It's an interesting device for U2F if you already use it for crypto, but it's more like OnlyKey than Yubikey or Nitrokey.

      It's not unique and unforgeable. It has a secure element, but the main key is not derived from an unreadable hidden key, but from a dice password you remember. So in practice everything I said about OnlyKey applies.
      No NFC, not waterproof. There is some documentation on GPG, but it looks like it doesn't work as a standard smartcard. Isn't it only a backup for GPG stored in the home directory?

      Updated table:

      | Feature\Device     | Yubikey | Nitrokey | OnlyKey | Trezor |
      |--------------------|---------|----------|---------|--------|
      | Unique/unforgeable | yes     | yes      | no      | no     |
      | Updatable          | no      | yes      | yes     | yes    |
      | Smartcard          | yes     | yes      | no      | no     |
      | Passkeys           | 128     | 50?      | 12?     | no?    |
      | NFC                | yes     | yes      | no      | no     |
      | IP68               | yes     | no       | yes     | no     |
      | Backup             | no      | no       | yes     | yes    |
      | Long-term cost     | $$$     | $$       | $       | $      |

        DeletedUser43 I deliberately didn't comment on the practicality of Trezors as FIDO keys, seeing as the original post was asking about security features. Thought it would be nice to quote a security researcher on the matter, as my own insight into hardware security is severely restricted. But I agree with you on the practical challenges of using a Trezor if you're intending to carry a key around with you wherever you go, indoors and outdoors; it's clearly not designed for that practical purpose.

        10 days later

        I'm still unsure what to buy and use. Maybe @GrapheneOS can explain about Trezor Safe 3 and why I should buy it, instead of for example Yubikey. Because I wanted to buy it before, but now I'm unsure of this decision...

        Guillaume
        Change your bank, cher ami, you don't need a proper signature to make a SEPA mandate.
        Everything got leaked from Free, including the signature you put on your contract and SEPA mandate.
        If you don't want to change your bank, at least enable a SEPA whitelist.

        DeletedUser34 You asked which one is the most secure one. Maybe you should describe what you want to use it for?

        • FIDO?
        • SmartCards?
        • PassKeys?
        • Crypto?
        • Are you willing to maintain 2-3 keys, or would you like to be able to do a backup?
        • Would you like to have NFC for a little quicker use with a smartphone?

          DeletedUser43 I want to use it as a U2F key and only with my phone. And maybe passkeys, but I don't think that I will use them. What are SmartCards? And no crypto or NFC for me. No, I would only buy one key.

            DeletedUser34 We've explained at length what a SmartCard is in this discussion.

            Take a look at the table I've prepared. The best fit is the OnlyKey, which @EmLeX932 recommends. If you don't know what a SmartCard is, then you don't need it. If you want a backup, then Yubikey and Nitrokeys are out. If you don't need crypto, then OnlyKey will give you IP68 and PassKey support instead.

            21 days later