Which one would be the most secure one? I only know about YubiKey, but I was wondering if that is the most secure one or if there are better? (I would only use it with my Phone)

    DeletedUser34 changed the title to Which U2F Key is the most secure? .
    5 days later

    I always see that YubiKey get recommended but I was wondering if it is the best one available at the moment? I saw Nitrokey and others too but I'm not sure, which is best in terms of Security and Privacy.

      The firmware update feature is a potential attack vector as well. This is why Yubikey doesn't allow it. But, this makes Yubikeys potentially very expensive and problematic, because in case of a found bug, you need to buy new keys and migrate. You should have 2 or 3 keys, so it's potentially very expensive.

      Worth to mention, Yubikeys are smaller, and "waterproof" - IP68.

        Personally i have always leaned towards OnlyKeys Updatable firmware., encrypted behind a pin you enter on device, Easy to backup with encryption on any random device you plug them into

        and since they are so easy to back up you can have one spare unopened one in the closet and import a backup file you can easily make anytime you make a change to it.. if something happen to the main one you could be up and running again in 3 min literally.

          EmLeX932 I didn't know about OnlyKeys, they look great, so I did a quick research.
          Quick about functionality:

          • They have IP68
          • No NFC
          • No smart card functionality.
          • I can't find any good documentation about Passkeys support. Looks like it's doable, but 12 slots only? (latest Yubikeys have 128 slots)
          • Looks like you can't disable PIN for FIDO2. I need FIDO2 for 2nd factor, not 2nd and 3rd one.

          About security. It less secure but a lot easier to use. They kind of stretch the "security key" name. One of the main points of security keys is(!) that you can't back them up. This creates a separate problem of: where to store the backup pass phrase?

          But don't get me wrong, this key looks great for someone who doesn't want to juggle 2-3 keys - I can't imagine selling that to a normie. But OnlyKey? This could actually work. If it's family, and they would use it for 2nd factor only, then I could store the backup safely for them.

            Yes they are IP68 and they can handle alot. a dude tested its durability (youtube link)

            your right they have no NFC but ive not had the use for it, As for smart card functions im not totally sure what your referring too

            They do support fido2 resident credentials (username/password less login) if thats what you mean with passkey support and your right thats limited to 12 slots. for normal fido2 u2f logins where you have the username and password its unlimited.

            you can also push SSH keys up to this device etc

            I havent tried disabling the pin for FIDO2 so not sure if its possible

            Another great future is you get 24 username and password slots.. (spread with 12 each over 2 userprofiles if you set it up) you could have one to log in to your computer. store your email in another slot etc. and those also supports normal totp. (assisted TOTP) as the device cant remember time but you can set up udev rules to push it when you plug into computer or go to https://apps.crp.to to set it on any device you want

            As for securely storing the backup encryption passphrase. you only need to set it once on device initalisation and it could be a secure diceware password you store in your head..

            or you could use a wordphrase you could hash something and use the hash output as the passphrase, use a 12 word crypto seedphrase you back up the same way as your crypto seeds.. world is the limit honestly.

            the backups always are typed out encrypted so you can just type them out in your mail client and mail them to yourself if you want with no additional work

              EmLeX932 Unfortunately for me, remembering any kind of secure password is not possible, especially if there is no reason to type it regularly. For someone who could remember it, this device becomes very interesting as a Yubikey/Nitrokey alternative security-wise.

              Smartcard is a way to securely manage asymmetric cryptography. Not heaving it is not a security issue, it's just an extra feature. It's useful when:

              • you want to authenticate with an asymmetric key (OpenSSH)
              • you want to sign something, like email, documents, etc.
              • you want to encrypt something, like strong password. For example hard drive encryption key, or yes: OnlyKey backup key.

                  DeletedUser43
                  Ah i see. as for not remembering a backup passphrase.. you can refuse to set one and after setup lock down that none can ever be set unless you wipe everything and start over.. that way backups are not avalible at all and it works like a yubikey with addentional futures.

                  And for smartcards. you can push up a SSH key with ssh-keygen the same way you do to a yubikey. i think doing so takes up one of the credential slots tho.

                  GPG keys can also be stored on a onlykey fairly easy and there are a web based way to quickly encrypt and decrypt with keybase or you can use more advanced tools.

                  all in all i really like the device. but everyone has to look at their own security specs and what they need :)

                      EmLeX932

                      Or another idea is to do a middle thing and set up multiple at the same time in a live boot system where you randomly put in a long and secure password you generate from a random source . that way you have 1 or more copies setup to the same password you dont save. you then lock down backup password changes. and you have a set of onlykeys that works with the same backup files but none more can be set up

                        EmLeX932 Don't get me wrong, this is a great device, but the topic is about comparing security - not every use case requires strongest possible security. I think this is especially great middle ground for someone not willing to manage multiple keys, or could actually remember a strong password (use only for this one case, not in multiple places).

                        I get that you can store strings securely in OnlyKey, it could be useful feature for many things, but a Smartcard does all of this without possibility of reading the private key - all computation happens on device over standardize protocols. BTW. Yubikeys without Smartcard functionality are 2x cheaper.

                            DeletedUser43 I think this is especially great middle ground for someone not willing to manage multiple keys, or could actually remember a strong password (use only for this one case, not in multiple places).

                            Yea. Apologies for going a bit overboard with info. just felt like was important to get out too as part of discussion. Onlykeys can be set up in such a way that NO DATA can be pulled back out of them

                                I started taking notes on a side, here's my comparison table:

                                | Feature\Device.....| Yubikey..| Nitrokey..| OnlyKey..|
                                | Unique-unforgeable..| yes......| yes...... | no...... |
                                | Updatable.......... | no...... | yes...... | yes......|
                                | Smartcard.......... | yes......| yes...... | no...... |
                                | Passkeys............| 128......| 50?...... | 12?......|
                                | NFC................ | yes......| yes...... | no...... |
                                | IP68................| yes......| no........| yes......|
                                | Backup..............| no...... | no........| yes......|
                                | Long-term cost......| $$$......| $$........| $........|

                                EmLeX932 I'm getting into a territory which is over my head, but one last comment: Yubikey's and Nitrokey's main power is a hidden, unreadable, permanently fused (unchangeable) key, which is a base for all cryptography done by them. With them, you get a design which tries to give physical guarantee, they are unique and unfordable. I'm guessing here, but OnlyKey by allowing for an option to do back up, can't provide this property.

                                  DeletedUser43 The firmware update feature is a potential attack vector as well. This is why Yubikey doesn't allow it.

                                  I recall not having been able to find an official statement by Yubico on the topic of secure firmware upgrades. Would be interested in seeing a source for that last sentence.

                                      SerenityNow Well, I'll give you my opinion, I had a high threat model at a certain level and I changed jobs last years. Now I use an iPhone because my wife decided to have an iPad and you know when you set foot in it it's over... in short I still had my fido keys and my basic security procedures, and then a few months ago we had our personal data stolen from Free including iban. I went to my banker to see what we could do and he clearly told me that without my signature no one can withdraw money from my account even with an iban! So no... following this appointment I decided to let go of a lot of leste and abandon my fido keys, and to keep only the simplest: double authentication with phone number or passkey when it is available. I rely on the security of my phone which is the best thing to do with Google pixels.