
Topic: 2FA HW security keys, Yubikey&such. (Read 1097 times)

newbie
Activity: 23
Merit: 853
May 12, 2021, 10:20:46 AM
#45
bump
newbie
Activity: 23
Merit: 853
November 03, 2020, 01:57:12 AM
#44
In terms of mechanical strength, Yubikey 5 USB-A has the linchpin. When you plug the key horizontally into a USB port and accidentally push it down with force while touching the golden plate, it bends and may break down. To prevent this I plug the key only vertically and touch it on both sides so as not to bend it.
In any case, the yubikey looks much stronger and more durable than the Trezor. It would be nice to get the Trezor developers to think about improving their devices a bit so that they don't look like empty plastic boxes.

It would be great if the Trezor was also completely monolithic.

Agree, Yubikey 5 is strong enough if you don't try to bend it. I think it's also well protected from moisture and can work even after it's been in the water (although I didn't check it out). Yubikey 5 USB-C is even stronger than USB-A because it has the metal shell around its USB connector. I don't have Trezor, I have Ledger and it also has the option to install U2F and use it for authentication, but I prefer Yubikey to do this.
newbie
Activity: 23
Merit: 853
October 31, 2020, 06:51:55 AM
#42
Special leather covers are sold for the Trezor, they certainly increase its mechanical strength, but still, in terms of strength, it loses much to the yubikey. And I think even if the Trezor is in a leather case and someone weighing over 200 pounds steps on it with their heels, not even a leather case will help him.

In terms of mechanical strength, Yubikey 5 USB-A has the linchpin. When you plug the key horizontally into a USB port and accidentally push it down with force while touching the golden plate, it bends and may break down. To prevent this I plug the key only vertically and touch it on both sides so as not to bend it.




newbie
Activity: 23
Merit: 853
October 28, 2020, 03:59:58 AM
#34
Another point in favor of using HW security keys for authorization purposes instead of Trezor (or Ledger) is that the latter has more electronic components inside (the display itself and the related biasing circuits it requires), thereby wallets in general are less reliable devices, so one shouldn't trust them with his/her accounts; they could fail at any time.
newbie
Activity: 23
Merit: 853
October 24, 2020, 10:45:56 AM
#32


yubikeys dont have a usb controller chip afaik (according to yubikey anyway, its a custom deal as it doesnt need full usb functionality) so its immune.



The USB interface in yubikey is CCID. Devices with this type of USB interface are vulnerable to a BadUSB attack in only one case: when their firmware update is allowed. Firmware update is disabled for Yubikey and there is no way to do it, thereby the device doesn't inherently have the BadUSB vulnerability; it's immune, as you said.
newbie
Activity: 23
Merit: 853
October 23, 2020, 08:25:58 AM
#29
Yubikey is great - I bought my first Yubikey back in 2016, but the problem is that I didn't fasten it to my keychain and ended up losing it after a couple of months. Since then, I regularly use my Trezor as a second factor. If someone is not in the know, then I remind you that any Trezor, in addition to the function of a wallet for cryptocurrencies, can be used as a second factor for authentication. Very convenient indeed.

yes, trezor is a good backup to a yubikey.

of course i like having several yubikeys for just such a situation.. lost or broken although it seems awful tough to break.

also a yubikey doesnt scream "crypto" if you use it in public for 2fa.

another advantage a yubikey has over a trezor -- no bad usb infection possible. which i believe (not entirely sure) a trezor is susceptible to.

i use both btw

Agree, having two or even three instances of yubikey is a good practice to be prepared for accidental loss or failure. I have two of them, one as backup. One of the multiple advantages of Yubikey 5 over Trezor or Ledger is that it offers plenty of authentication protocols that should cover the industry's needs for years. It is far more innovative than those keys that were built in 2016.
full member
Activity: 742
Merit: 103
November 02, 2020, 11:37:36 AM
#28
In terms of mechanical strength, Yubikey 5 USB-A has the linchpin. When you plug the key horizontally into a USB port and accidentally push it down with force while touching the golden plate, it bends and may break down. To prevent this I plug the key only vertically and touch it on both sides so as not to bend it.
In any case, the yubikey looks much stronger and more durable than the Trezor. It would be nice to get the Trezor developers to think about improving their devices a bit so that they don't look like empty plastic boxes.

It would be great if the Trezor was also completely monolithic.
full member
Activity: 742
Merit: 103
October 31, 2020, 02:20:26 AM
#27
Special leather covers are sold for the Trezor, they certainly increase its mechanical strength, but still, in terms of strength, it loses much to the yubikey. And I think even if the Trezor is in a leather case and someone weighing over 200 pounds steps on it with their heels, not even a leather case will help him.
legendary
Activity: 4354
Merit: 3614
what is this "brake pedal" you speak of?
October 30, 2020, 06:33:52 PM
#26
but step on a trezor vs step on a yubikey. yeah no contest.

There's also a metallic one (made from aluminium), this might be fine when stepped on but it's expensive compared to every other hardware wallet on the market.

oops forgot that one. i did want a couple when i saw them too.
legendary
Activity: 3472
Merit: 1724
October 30, 2020, 06:14:53 PM
#25
but step on a trezor vs step on a yubikey. yeah no contest.

There's also a metallic one (made from aluminium), this might be fine when stepped on but it's expensive compared to every other hardware wallet on the market.
legendary
Activity: 4354
Merit: 3614
what is this "brake pedal" you speak of?
October 30, 2020, 11:07:00 AM
#24
The yubikey is small and very tight to the touch, and really has nothing to break unless it is exposed to very high temperatures. Therefore, in terms of reliability, it is great.

He is not afraid of water, he is not afraid of falls even from great heights. The same cannot be said about Trezor.

If the Trezor gets caught in heavy rain or falls into the water, then everything will be over with him. Therefore, they are both good, but each in their own area.


fresh or grey water in a trezor may not kill it if dried/cleaned properly. yubikey doesnt care of course.

but step on a trezor vs step on a yubikey. yeah no contest. but ive dropped a trezor from like 4 or 5 feet dozens of times too.
full member
Activity: 742
Merit: 103
October 30, 2020, 10:58:56 AM
#23
The yubikey is small and very tight to the touch, and really has nothing to break unless it is exposed to very high temperatures. Therefore, in terms of reliability, it is great.

He is not afraid of water, he is not afraid of falls even from great heights. The same cannot be said about Trezor.

If the Trezor gets caught in heavy rain or falls into the water, then everything will be over with him. Therefore, they are both good, but each in their own area.
sr. member
Activity: 1162
Merit: 450
October 28, 2020, 07:59:03 AM
#22
Am I right in understanding that the most functional and convenient to date is the Yubico YubiKey 5 NFC security key?

yes, yubico are currently leading here. i would recommend to test a couple of different models since they have different workflows (nfc/port)

Not unless a user wanted to have a more useful security key, such as using Ledger and Trezor as their 2FA physical key -- which is much more expensive, yet the features and use, even the security measures, can be at the same level as the YubiKey, but with the upper hand when it comes to being a hardware wallet as well (which is really their focus). Hence, if the user were more into cryptocurrencies and security-sensitive with his holdings, yet a little wanted to be secured in passwords per se, I guess Ledger and Trezor are better. (just my .69 cents)
legendary
Activity: 4354
Merit: 3614
what is this "brake pedal" you speak of?
October 28, 2020, 05:14:52 AM
#21
Another point in favor of using HW security keys for authorization purposes instead of Trezor (or Ledger) is that the latter has more electronic components inside (the display itself and the related biasing circuits it requires), thereby wallets in general are less reliable devices, so one shouldn't trust them with his/her accounts; they could fail at any time.

true but the trezor allows written seed based backup of your 2fa master code (whatever you call it). it can be recreated on another trezor, if needed. once a yubikey is toast you need another that was already registered to that account/device/whatever, or some other secondary way to get in. then delete the old hardware key and add a new one. whereas a new trezor restored with the seed acts exactly like the old one. plug it in and go.

trezor makes a great backup to a yubikey imo. both have strengths and weaknesses as far as 2FA.

legendary
Activity: 3472
Merit: 1724
October 24, 2020, 06:43:54 PM
#20
are we talking about the same badusb here? badusb infects the usb chip itself, not the regular firmware of the device. so no approving bad bootloader etc, it just happens without user intervention.. poof the usb controller chip in the trezor is now compromised.. it can make the usb chip into any HID device it wants. it can emulate a keyboard for instance, and send keystrokes. or make itself look like a mass storage device and send a file. all with the trezor otherwise acting fine and with genuine firmware. as its the usb chip thats infected, not the trezor attached to the usb chip.

https://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/

yubikeys dont have a usb controller chip afaik (according to yubikey anyway, its a custom deal as it doesnt need full usb functionality) so its immune.

perhaps my data is out of date?

There are several BadUSB attacks and not all controllers are vulnerable, Trezors have been pretty extensively tested/attacked/audited, none of the attacks to date involve BadUSB so I imagine it's safe in this regard.
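
A defensive check related to the behaviour discussed in this exchange (a device presenting a keyboard or mass-storage interface it should not have), as an added example that is not part of any post in the thread: it walks raw USB descriptors and reports interface classes outside an allowlist. The descriptor bytes are constructed samples, and the CCID-only allowlist follows the claim made in the thread and is an assumption to be set per device.

```python
import struct

USB_DT_INTERFACE = 0x04  # bDescriptorType of an interface descriptor
CLASS_NAMES = {0x03: "HID", 0x08: "Mass Storage", 0x0B: "Smart Card (CCID)"}

def interfaces(blob):
    """Yield (number, class, subclass, protocol) per interface descriptor."""
    off = 0
    while off + 2 <= len(blob):
        length, dtype = blob[off], blob[off + 1]
        if length < 2 or off + length > len(blob):
            raise ValueError(f"malformed descriptor at offset {off}")
        if dtype == USB_DT_INTERFACE and length >= 9:
            num, _alt, _eps, cls, sub, proto = struct.unpack_from("6B", blob, off + 2)
            yield num, cls, sub, proto
        off += length

def unexpected(blob, allowed_classes):
    """Return [(interface number, description)] for classes not allowed."""
    findings = []
    for num, cls, sub, proto in interfaces(blob):
        if cls in allowed_classes:
            continue
        name = CLASS_NAMES.get(cls, f"class 0x{cls:02x}")
        if (cls, sub, proto) == (0x03, 0x01, 0x01):
            name = "HID boot keyboard"
        findings.append((num, name))
    return findings

def _config(*ifaces):
    """Build a constructed configuration descriptor from (class, sub, proto)."""
    body = b"".join(bytes([9, USB_DT_INTERFACE, n, 0, 0, c, s, p, 0])
                    for n, (c, s, p) in enumerate(ifaces))
    head = struct.pack("<BBHBBBBB", 9, 0x02, 9 + len(body), len(ifaces), 1, 0, 0x80, 50)
    return head + body

# Constructed samples, not captured from any real device.
CCID_ONLY = _config((0x0B, 0, 0))
CHANGED = _config((0x0B, 0, 0), (0x03, 1, 1), (0x08, 6, 0x50))
ALLOWED = {0x0B}  # assumption: this device should expose CCID only

if __name__ == "__main__":
    for label, blob in (("baseline", CCID_ONLY), ("changed", CHANGED)):
        print(label, unexpected(blob, ALLOWED))
```

Descriptors are self-reported by the device, so this is a baseline comparison for spotting a change in what a known device enumerates as, not proof that its controller firmware is intact.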
legendary
Activity: 4354
Merit: 3614
what is this "brake pedal" you speak of?
October 24, 2020, 05:56:59 AM
#19
also a yubikey doesnt scream "crypto" if you use it in public for 2fa.

I don't know, how many yubikeys were sold in total compared with Trezors?

another advantage a yubikey has over a trezor -- no bad usb infection possible. which i believe (not entirely sure) a trezor is susceptible to.

BadUSB is unlikely, the user would have to be socially engineered to ignore bootloader warnings at every step and even after changing firmware to a malicious one. The warnings about unsigned firmware won't disappear because the bootloader is in a write-protected area. The attack would be easier to conduct if Satoshi Labs was compromised, and afaik multiple people have to sign the firmware.

yubikeys vs trezors? no hard data but id imagine yubikeys far outnumber trezors.. yubikeys can be for work, computer logins, banking, email login etc.

are we talking about the same badusb here? badusb infects the usb chip itself, not the regular firmware of the device. so no approving bad bootloader etc, it just happens without user intervention.. poof the usb controller chip in the trezor is now compromised.. it can make the usb chip into any HID device it wants. it can emulate a keyboard for instance, and send keystrokes. or make itself look like a mass storage device and send a file. all with the trezor otherwise acting fine and with genuine firmware. as its the usb chip thats infected, not the trezor attached to the usb chip.

https://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/

yubikeys dont have a usb controller chip afaik (according to yubikey anyway, its a custom deal as it doesnt need full usb functionality) so its immune.

perhaps my data is out of date?
legendary
Activity: 3472
Merit: 1724
October 24, 2020, 03:43:29 AM
#18
also a yubikey doesnt scream "crypto" if you use it in public for 2fa.

I don't know, how many yubikeys were sold in total compared with Trezors?

another advantage a yubikey has over a trezor -- no bad usb infection possible. which i believe (not entirely sure) a trezor is susceptible to.

BadUSB is unlikely, the user would have to be socially engineered to ignore bootloader warnings at every step and even after changing firmware to a malicious one. The warnings about unsigned firmware won't disappear because the bootloader is in a write-protected area. The attack would be easier to conduct if Satoshi Labs was compromised, and afaik multiple people have to sign the firmware.
legendary
Activity: 4354
Merit: 3614
what is this "brake pedal" you speak of?
October 23, 2020, 07:12:51 AM
#17
Yubikey is great - I bought my first Yubikey back in 2016, but the problem is that I didn't fasten it to my keychain and ended up losing it after a couple of months. Since then, I regularly use my Trezor as a second factor. If someone is not in the know, then I remind you that any Trezor, in addition to the function of a wallet for cryptocurrencies, can be used as a second factor for authentication. Very convenient indeed.

yes, trezor is a good backup to a yubikey.

of course i like having several yubikeys for just such a situation.. lost or broken although it seems awful tough to break.

also a yubikey doesnt scream "crypto" if you use it in public for 2fa.

another advantage a yubikey has over a trezor -- no bad usb infection possible. which i believe (not entirely sure) a trezor is susceptible to.

i use both btw
full member
Activity: 742
Merit: 103
October 23, 2020, 07:05:36 AM
#16
Yubikey is great - I bought my first Yubikey back in 2016, but the problem is that I didn't fasten it to my keychain and ended up losing it after a couple of months. Since then, I regularly use my Trezor as a second factor. If someone is not in the know, then I remind you that any Trezor, in addition to the function of a wallet for cryptocurrencies, can be used as a second factor for authentication. Very convenient indeed.
full member
Activity: 1204
Merit: 220
(ノಠ益ಠ)ノ
April 10, 2020, 02:54:21 PM
#15


theres also new keys with fido2 https://www.yubico.com/products/security-key/

In fact the latest security keys are from the fifth family which is the most advanced among all similar products including those that belong to other brands. I would not recommend to buy Yubico keys belonging to the previous series due to the flaws found in their design. DYOR. Below are a few sources for your start.

https://www.csoonline.com/article/2914645/security-flaw-allows-pin-bypass-in-yubikey-neo.html

https://nakedsecurity.sophos.com/2019/06/17/yubico-recalls-fips-yubikey-tokens-after-flaw-found/


When you see something like that theres always a thought "well this one is reported, but what if other ones just not yet" but they probably done full revision of all current lineup