What are /r/yubikey's favorite Products & Services?

From 3.5 billion Reddit comments

You have to configure your Yubikey to hold your OpenPGP keys and then you may want to check gpg in Linux and Gpg4win for Windows. https://www.openpgp.org/software/gpg4win/

Though my site is self-hosted and Wordpress.org, I noticed that Wordpress.com has 2-factor as a default feature. And it allows for security key compatibility. So I activated it and it works fine with my site. Now I can get rid of the various plugins I was trying to install. A simple solution which I just stumbled upon (happily). It also works more seamlessly with fewer steps to login to the site than with the plugin I used before this.

I have set up my main key and backup YubiKey following the blog instructions and am able to switch between then in Debian (with WSL2 I have to adjust the keyring as another poster mentioned so it is less convenient). All I can suggest is to read my blog entry. You may find my point about config files helpful. Let me know if it helps.

"There was one issue after I duplicated the steps and loaded the second public key to my backup YubiKey. I would get “sign_and_send_pubkey: signing failed for ED25519-SK ”/home/[user]/.ssh/id_ed25519_sk” from agent: agent refused operation.” Eventually it would sign in, with another touch of the YubiKey, but clearly there was something not quite right. Fortunately, there is a solution: use config files in ~/.ssh to identify each key. With a config file you can type an easy to remember shortcut you define to distinguish the keys, such as “ssh yubi1” or “ssh yubi2”, instead of “ssh [username]@[host.ip] -p [port of host]”. Read:(https://www.freecodecamp.org/news/how-to-manage-multiple-ssh-keys/). Make sure to name each YubiKey with its own id_ed25519_sk file (such as id_ed25519_sk and id_ed25519_sk2) and refer to the correct file for each key. Now SSH login works for both YubiKeys without error. Also, switching keys does not bring up any complaints from the operating system (see Windows WSL2 experience below where it is not as smooth). This ease of use for the end user may be one advantage of using FIDO or OpenPGP over PIV for YubiKey in the SSH context."

I use LastPass on the free account. I have the OATH TOTP 2 factor set up on all 3 of my Yubikeys (You use the same QR code to set it up on as many Yubikeys as you want). That way I use the 6 digit code and that will get me in, after getting my username and password correct.

If you want something entirely offline, look at KeepassXC https://keepassxc.org/

KeepassXC uses a challenge-response slot that you set up on your Yubikey and you can use the same secret string on as many Yubikeys as you wish.

Those two are the only options I would personally recommend.

• fido2 and U2F are the ones you're actually gonna use with websites - mostly just U2F though.
• Yubico OTP is very rarely used, you probably don't need it
• OATH OTP (TOTP/HOTP) allows you to store keys for apps like Google Authenticator on the stick itself
• PGP: You can use the stick as a smart card for PGP signing/encryption.

https://www.amazon.com/gp/product/B00BKVPU08

​

These things are amazing. You can buy them at menards, or other hardware stores as well.

I don't think you can use the neo to unlock your phone, at least i have never tried. But to actually authenticate with the key you need to tap it on the back of your phone having NFC on, it won't do anything if its just near your phone.

Using 2FA with your key you will need this app, pretty simple to set up. Similar to google authenticator or authy. https://play.google.com/store/apps/details?id=com.yubico.yubioath&hl=en

I have 3 out of 5 active Yubikeys.

I keep one on my keychain, one at home and one at the bank.

My keychain Yubikey is password protected with 128 characters, saved in password manager randomly generated.

I save a screenshot of every QR code, copy every secret keys into a text file and I have them saved into a veracrypt file that I update several times a month. My frequency of updates depend if I change the password to an important account, gained a new QR code and/secret key or have to save a new set of recovery codes.

I have two veracrypt files. One has my password manager's vault and back up QR codes/secret keys to main accounts that I never open in my main OS's. The 2nd is an empty container that houses recently obtained QR Codes and secret keys temporarily until I make the effort to update my main Veracrypt container.

What I do is if I have a new one QR Code for an account i'll put it in my 2nd container and when It's time. I'll do an offline update to my main veracrypt file.

Ill run TailOS, go to bitwarden.com download my vault. Once I have my vault, I go offline and mount both containers and and transfer the new QR codes/Secret Keys, and update valut over to my main.

That's pretty much my work flow.

In the multifactor authentication settings (My Lastpass Vault when you log in on lastpass.com), all the way on the bottom there is a dropdown "Default Multifactor Option". I had overlooked this setting for some time.

​

In my case, changing it from "Google Authenticator" to "Yubikey" and logging out/in on the Laspass Android app, made the Yubikey prompt come up on Android and using the Yubikey via NFC worked flawlessly.

Yubikeys are not meant to replace password vaults/managers. They do have support for storing a single static password, but that's not it's main intended use case. You could install an offline vault on your computer (e.g. KeePassXC) and set it up with your Yubikey to require a challenge/response to authenticate.

https://keepassxc.org/docs/#faq-yubikey-2fa

>In this case, my chromebook and trying to use the google 2SV scenario with a very long password that i do not know

Oh, I see. You need your password to get into the chromebook to get to the passwords :) Chromebook is not very good for you in this case. I have a Linux laptop set up with yubikey-luks, so I don't have to remember a hard password. My yubikey generates the hard password from my easier password. It's not unphishable, but it's better than a memorable password at least. Once I'm into my laptop, then I can access my password manager.

>How does QTPass vary from KeepassXC?

Most password managers use a master password. I don't like this, because if someone can intercept your password archive, they can break into it with no further help. They only need to guess the password. To get an idea of how easy that is, try your password in the zxcvbn checker.

QTPass uses gpg-agent which in turn uses the Yubikey to encrypt the passwords. The yubikey is required for decryption. It could be better maybe, as QTPass is still one factor protection, but I consider a hardware key better than any master password I might be able to remember.

I see KeePassXC uses a key file (could be stolen by software) or Yubikey challenge response (hmac I assume, which means phishable like yubikey-luks mentioned earlier). It's too bad KeePassXC doesn't support gpg-agent or perhaps pkcs11.

KeePassXC is probably more user friendly though. QTPass requires setting up the gpg keys on the yubikey and git for syncing. Two things which will probably scare a novice away.

> i use a keepassxc DB that is stored on my google drive account. i want to be able to make it as seamless and painless as possible when using it, what is the best way to do this?

Setup Challenge/Response on your YubiKey, tie it into to the KeePassXC database. Put your database file on Google Drive. Be aware that KeePass2Android does not really support any 2FA, though the author of KeePassXC recently released a fix for KeePass2Android (beta!)

>currently, i noticed if i put 2SV on my google account that the drive account is associated with for the keepassxc DB, it breaks functionality for apps like Tusk and Keepass2Android

I don't use KeePass2Android (for the reason mentioned above), but can you expand on what's breaking? Can KeePass2Android just not access the file at all?

Reading on the fastmail website, your yubikey should support U2F for it to work. https://www.fastmail.com/help/account/2fa.html

You should see if your yubikey model supports U2F though I thought all of them do, not sure though.

It could also be that when you insert the yubikey, that you still need to touch the gold ring on the yubikey to activate it.

I've got a Yubikey 5 NFC (USB-C), to be future proof too. I keep a USB-C -> USB-A [1] adapter with me. It works perfectly fine with the adapter.

[1] https://www.amazon.co.uk/gp/product/B079K773M7?psc=1

Second this. I use this with my 5ci though it doesn’t stay looped together they are the smallest I have found and I’ve never had it fall off.

I don't think Yubico provides any guarantees regarding the lifespan of the connectors, but from my personal experience, they seem to be made from fairly durable plastic so I wouldn't worry too much about wear and tear as long as you aren't being rediculously rough with it. In fact, I'd argue you're more likely to break your computer's port than the yubikey itself.

​

>Do you know if I buy a USB NFC reader for my computer if I can just use the NFC function to access my yubikey via the authenticate app and others?

Yes; though, I'm sure compatibility will vary. This one, for example, has some reviews talking about this use case.

I'm basically obligated to parrot the same thing everyone else on this sub says: buy at least 2 yubikeys. No matter how durable the key is, there's always a risk of failure. Having a second key significantly reduces the chance that you'll get locked out of your accounts.

You can use the Yubico Authenticaor app with Amazon, PayPal, NordVPN, Microsoft, Mozilla Firefox, and as a backup method to autheticate into Google and GitHub. You can set it to require the Yubikey to be pressed before it spits out a six-digit code. I do wish banks would embrace the Yubikey.

I use one of these to sign into Windows Hello -

https://www.amazon.co.uk/Benss-Fingerprint-Scanner-Matching-Certified-Black/dp/B07MX8551M

Works well for me.

I have a small fire-resistant lockbox that I keep a backup Yubikey, flash drive, and a few important documents in.

If someone's really intent on getting in to it, they can. But having pulled one of these out of a house that burned down, they're awfully handy if you need to get to insurance and financial accounts sooner than you can get to a safety deposit box at a bank.

But if you're just looking to hide it, there are lots of stash cans that will work. I like this one, because the packaging of the actual product doesn't change often, and nobody will accidentally grab a can of tire foam from my garage the same way someone might with a soda can hidden in the refrigerator.

> and actually use that reader to at least perform U2F with YubiKey?

The ACR1252U has worked successfully for other people according to Amazon reviews. I think the Sony RC-S380 might also work but I'm not sure.

As far as I know, U2F over NFC will only work with browsers that use Windows 10's native FIDO APIs introduced in v1809 (support by all major browsers as of December).

Do not go for the cheaper NFC readers like ACR122U. They're 20-30 bucks cheaper but have poor driver support when it comes to contactless cards. I could not get mine to even detect the YubiKey while my Fidesmo card with U2F applet seemed to hang the reader when tapped.

I haven't personally tried it, but ykDroid claims to enable both USB and NFC Yubikey challenge-response when used with Keepass2Android

If you have Yubico Authenticator https://play.google.com/store/apps/details?id=com.yubico.yubioath it should be as simple as clicking the top right menu icon in the app and hitting "Scan account QR-Code", scan the code and tap the NEO to the phone when prompted.

I also save the QR code image and make an encrypted backup on a USB key locked away, just in case I lose the Yubikey or want to set up a new one from scratch, but that's going off on a bit of a tangent...

Edit

I have never added a new site from the desktop app, only from the phone app.

SINLEO Titanium Stainless Steel Small Beads Ball Chain Necklace for Men Women 16 - 38 Inches Silver Black Gold

https://www.amazon.com/gp/product/B07GWWC3LR/ref=ppx_yo_dt_b_search_asin_image?ie=UTF8&psc=1

My security keys are on a lanyard with a detachable buckle. Allows me to detach the keys when I need to use them.

>Sir, it's simple to understand: the possibility of adding 2 yubikeys is
only allowed by a limited number of sites and they are the most popular
ones. Forget about using a second yubikey as a solution, it's not.

In case you are confused, or for other readers: this is objectively and demonstrably incorrect. For the following providers, I have more than one YubiKey registered: 1Password, Google, Facebook, Twitter, Github, Hey, Dropbox, Namecheap, Vanguard, Tutanota, NordVPN, Cloudflare, Yahoo, WordPress, AnonAddy, SimpleLogin, Microsoft, Proton. To be clear, I am talking about FIDO U2F/FIDO2. The list of services that support having only one (1) key is a fraction of the list of supported providers. Almost anywhere you would be able to use a YubiKey, you will be able to register a backup.

​

>Besides, our security shouldn't depend on the number of yubikeys we
have. What happens if we lose both of them? Do I buy a third one just in
case?

It's not totally dissimilar to your house key or car key. You absolutely should have a second YubiKey, and if you are very concerned about losing both of them, then it's smart to have an off-site backup at a trusted/secure location. Leave one at your parent's house, in a desk drawer at work, if a safe deposit box at a bank, whatever.

I decided to buy a Yubikey 5c because my laptop only has this port. The main problem was the lack of USB-C on my main desktop computer. I solved that by buying two USB-C to USB-A adapter. One is permanently installed next to my desktop USB-A port, and the second one lives on the same keychain as the Yubikey 5c, so I always have one if needed.

I bought those usb-c adapter : https://smile.amazon.com/gp/product/B09GKGCR4Z/

Actually beside manual shift probably a good idea would be to be able to use NTP time. This app has it and it's generally simple and fully-featured but I can't comment on how secure or trusted it is, being really obscure and non-open source.

https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain

and

https://play.google.com/store/apps/details?id=org.sufficientlysecure.termbot

I don't use FIDO2 for SSH as I use a lot of older systems that can't.

Hi OP,

I have a Yubikey 5C NFC as a spare security key and I bought this adapter to connect it to an old Windows laptop that has USB-A ports only: https://www.amazon.nl/-/en/gp/product/B088FJSD4B/

It's a very well built adapter and works with other devices as well. Not sure if it's available where you live tho.

Sorry guys, I should've done a better job with my Amazon search terms!

I'm going to get this thing: https://www.amazon.com/gp/product/B09QM4SMWH

It's meant to hold a couple pills, so it's just the right size for a 5Ci.

https://www.amazon.com/Stainless-Steel-Keychain-Outdoor-Sports/dp/B071DN1DTN/ref=asc_df_B071DN1DTN

These little cables are nice. You can loop it pretty much anywhere. Belt loop, zipper of a jacket, inside your bag etc

You don't get phishing resistance as unlike webauthn the domain of the site is not relevant, the secret is exposed in the registration process, it's not as user friendly (just pressing a button)…

TOTP is just 6 digits which is less secure in theory but shouldn't matter in practice if the service has proper rate limiting and stuff.

Your TOTP secret is stored on the server as well, meaning if your provider has a leak the secret could get exposed.

TOTP is time based one time passwords. It's literally just that. u2f is a bit more complicated and based on asymmetric crypto.

A practical limitation is often you can just register one TOTP Authenticator at a time, meaning it's more complicated to register multiple keys to one service as you would either have to save the secret somehow or register them at the same time…

And you need a yubikey 5 series key for OATH (htop/totp) support, while if you just need fido support you could also get a cheaper "security key" (the blue one).

but it's still strong 2fa. In practice, unless you fall for a phishing scam, it likely won't make a difference.

I've used both Tutanota and Protonmail. But I liked protonmail better overall so stopped using Tutanota. Btw I believe mailbox.org also supports yubikeys and can encrypt incoming email with standard PGP, which is pretty neat as you can just use your standard mail client, while Protonmail requires a bridge application for encryption (paid feature). But I haven't tried them yet.

I have successfully used my Yubikey 5 (USB-A) with my Galaxy Tab S6. I had the same issue; the key has NFC, but I need the key to log in to Bitwarden. Here is the adapter I used: https://www.amazon.com/dp/B07DNQ9FD9/ref=cm_sw_r_apan_i_159JG06EVHASF6VBAT6B?_encoding=UTF8&psc=1

I use one of these with windows hello

Kensington VeriMark USB Fingerprint Key Reader - Windows Hello, FIDO U2F, Anti-Spoofing (K67977WW),Black https://www.amazon.com/dp/B01NAVWPOJ/ref=cm_sw_r_cp_api_i_C3KJP9K71TNMKTACETZW

Yes! I have a Yubikey 5 NFC, so it works fine on my desktop and my mobile phone.

Then I realized my Android tablet has USB-C but no NFC. Facepalm. I picked up an adapter on Amazon. It worked with no issues.

> mmm this seems like a real good solution... can you clarify for me how do you restore if you loose your phone? you mentioned backup, but how operatively works? backup from phone to where? and how often? do you automate the backup?

> you mentioned backup, but how operatively works? backup from phone to where? and how often? do you automate the backup?

Yes it is automated, no effort on my part. Based on settings I selected within Aegis, the data is exported to a particular directory on my phone any time I change anything and exit the application. I use Foldersync (paid app) to sync that directory to a free drive (could be onedrive, dropbox, google drive).

mmm this seems like a real good solution... can you clarify for me how do you restore if you loose your phone? you mentioned backup, but how operatively works? backup from phone to where? and how often? do you automate the backup?

Is there a chance you have a USB-C port? That something like this might fit?

There is another model, the Yubikey 5C NFC, that might be what you were supposed to get. I can also confirm that Amazon sells an adapter that works just fine.

You're thinking correctly about this.

Mine is a USB-A, because that works with my Lenovo laptop and all of my Dell desktops.

I got the NFC option to enable access with my Samsung S9. But then I realized my Galaxy Tab S6, which also has a Bitwarden instance as well as being connected to Google, doesn't have NFC. Facepalm.

So I bought a three pack of adapters , and they work perfectly. I keep one in my briefcase and the others in my home office.

In practice you may find you don't need your Yubikey that often. My Android devices are permanently authenticated to Google, of course. I leave my Bitwarden instances similarly connected (though it does require my master password on a frequent basis). And my other Yubikey usages are so seldom they are not worth mentioning.

But I still carry one around, because I want disaster recovery: if I am away from home and have to provision a new phone, I want to have the necessary key to do the job.

If open source is the solution to prevent bugs in random generators how did this bug end up being a thing?

https://www.debian.org/security/2008/dsa-1571

Wouldn’t surprise me in the least. I did find a blog post from jumpcloud that seems to hint that it’s doable if one jumps through the correct hoops, which may include manual admin approval of the change, or installing an MDM profile.

I think I may give this a try. I can’t promise to report back for several weeks, but if I make progress, I’ll update.

1Password only asks for 2FA once per device. Even if you sign-out if will not ask you for 2FA again unless you deauthorize the device or, if visiting 1password.com in a browser, delete cookies.

When 1Password requests 2FA via your YubiKey when logging in to 1password.com in a browser running on Windows 10, a grey pop-up will appear asking you to plug-in your YubiKey. Once plugged in you will get a second grey pop-up asking you to touch your YubiKey.

If these things don't happen then the YubiKey will not be in U2F/FIDO2 mode. So touching your YubiKey will cause it to perform whatever action is in Slot 1. By default this is Yubico OTP which is a 44 character one time passcode. This is probably the long code you saw.

People usually receive as early as on their 5th week and as late as on their 10th week. You can read comments on here, several people have reported when they have subscribed and when they have received the magazine and Yubikey.

I went with the USB-A; all of my desktops and laptops have a female USB-A jack. My Android has NFC, so I am covered there as well.

The porcupine in the dog show is my Android tablet, which has USB-C but no NFC. I ended up purchasing a set of adapters; I keep one on my briefcase and the others in my home office.

I got three of them. I keep one on my person, of course, one in my home safe, and one in offsite secure storage. If I had to do it over, I might have only gotten one or two: all of my sites offer "recovery codes" in case the Yubikey is lost. With my other disaster recovery preparations, I don't really need more than one.

I don't actually need to use my Yubikey very often. My phone and tablet are permanently authenticated to Google. My password vault instances also keep their 2FA ("locked" or "logged in" in Bitwarden parlance). So it's not at all inconvenient to pull the Yubikey off of my carabiner when I need it.

I did start to worry a little bit about the wear and tear of carrying a Yubikey on my key ring. It is quite durable, but I did invest in a cover for it. This is a great accessory, which I wholeheartedly recommend.

USB-A male to USB-C female adapters are not compliant with the USB specification and can actually be dangerous/break things. Basically anything with a female Type-C port needs active circuitry to be safe and reversible. This Syntech is a ridiculous price for something that is only USB2.0. It mentions "premium chipset" in the description but who knows.

I will recommend this CableCreation adapter instead, around the same price w/ USB3.0 support, fully reversible and tested to be safe by someone trustworthy.

Just get an A to C adapter and plug the Yubikey into a USB A port. There's nothing special the Yubikey is doing that requires you to waste a USB C PD port on it. These will do the trick: https://www.amazon.com/dp/B085VT1VJT/ref=cm_sw_r_apan_glt_i_32N93SQRPWYA2HC5RM49?_encoding=UTF8&psc=1

No, you don't have to leave your key in after you authenticate to the vault, as long as you stay logged in. If you close your browser or it times out and logs out (depend on setttings I think) then you'll need it again.

Also if you install a browser extension, it seems that 2FA authentication is never needed again (after maybe the first time). It just asks for your password. I think the theory is that anyone can get to the vault address, but it's very hard for someone to reach your browser extension (may be tied to your device).

Finally if USB ports are at a premium, there are some easier alternatives:

1. Try wearAuthn which allows you to use your Wear OS watch (via bluetooth) just like a hardware key for U2F / FIDO2. I just learned about it awhile ago on reddit and I think it's great. Or...

2. Get a TOTP app for your phone to use as an alternative to hardware key. On Android, I recommend Aegis (which includes easy password protected encrypted backups).

Same here, USB-A for backup and USB-C on my keys with a small adapter C->A (like this one: https://www.amazon.com/Female-Adapter-Charger-Airpods-Samsung/dp/B079LYHNSR ) always connected. If I want to connect to a computer, I can use it with the adapter, or without if there's a type-c port available. I remove the adapter for use with my phone (NFC doesn't always work with my phone, so I prefer to use the type-c interface)

The adapter is 3 for $10 at Amazon. I just keep one at my desk, another in my briefcase, and a spare in the parts drawer.

My intuition is the type A might be a little more robust. I have bent a few USB-C charging cables over the years, which never happened with USB-micro, so I am leery of the longevity of a USB-C connector on something as spendy as a Yubikey.

The App I use is Aegis FOSS, highly recommended (for Android).

I've heard that about Authy... they make it tough to export (aka a sneaky customer retention strategy). I don't know any solution to that one.

The GPG applet has two pins: the regular PIN and the admin PIN (aka PUK). The regular pin is 123456 by default, the admin pin is 12345678. Regular PIN stops working after 3 failed tries in a row, after which you have to use Admin PIN to reset the the regular PIN. After 3 incorrect tries of Admin PIN, there is no way to unblock the GPG applet anymore, it's pretty much useless, you have to reset it, which will erase the keys.

https://www.gnupg.org/howtos/card-howto/en/ch03s02.html

In that case, you'll need to switch your 2FA method to FIDO2 WebAuthn, since that's the only supported protocol for your security key.

https://bitwarden.com/help/article/setup-two-step-login-fido/

If you need YubicoOTP and/or TOTP for other services, unfortunately you'll have to return it and get a 5-series key instead.

No need to fret, as even if there were a breach, there's nothing for bad actors to obtain.
Same with BitWarden.
Having a physical key on top of end to end encryption is just icing on the cake; a zero-knowlege model on their end, with a physically segregated key? It's laughably difficult for bad actors to succeed in gaining access to anything pertaining to saved credentials.

Only real vulnerabilities here are client billing information for your service subscription to BitWarden/LastPass, and the contact information they have for you.

TL;DR: the breach you're referring to is for the most part likely a fruitless bot attack. Only need to worry if your password is something ridiculously silly, like "Password123" or the like. But you have two-factor auth via Yubikey, so no need to worry, even if someone knows the password to your LastPass.

Neat! I guess I haven't logged out of Bitwarden on my phone so I hadn't noticed. Unsure what they mean by

> Mobile Apps for Android and iOS 13.3+ with a FIDO2-supported Browser.

https://bitwarden.com/help/article/setup-two-step-login-fido/

Does that mean it opens a browser window to give the FIDO2 prompt?

Anker 4-Port USB 3.0 Hub, Ultra-Slim Data USB Hub with 2 ft Extended Cable [Charging Not Supported], for MacBook, Mac Pro, Mac mini, iMac, Surface Pro, XPS, PC, Flash Drive, Mobile HDD https://www.amazon.com/dp/B07L32B9C2/ref=cm_sw_r_cp_api_glt_fabc_NWGZSJEC06DYDPYEJ0GE

I have two of these. Work great

I've been using these lanyards finger straps to tether my Yubikey to my wallet with no issues so far: https://www.amazon.com/dp/B08139R5MC/ref=cm_sw_r_apan_glt_fabc_KBE6GAY9VGHPGZ8F3E7D?_encoding=UTF8&psc=1

It comes with several in the bag, so if I see mine is starting to fray, I'll just replace it.

This thread mentions this scanner, though I don't personally have an NFC scanner

It's more common for remote SMS hijacking without SIM-jacking by taking advantage of lax security of phone companies in other poorer countries.

Last I read, the security model of the SMS networks is "trust all phone companies". It's pretty much like basic BGP with no safe guards.

Tutanota has an interesting blog about modern email over SSL https://tutanota.com/blog/posts/tutanota-uses-dane-on-top-of-ssl-pfs

>Unless you used ancient password manager a la Keepass

Guilty as charged. I freakin' love KeePass. It's free, I keep the database locally but sync it on the cloud in encrypted form, it supports tons of plugins and is really versatile. Plus, it's open source and has even been audited. I'll admit it looks like it hasn't had an interface upgrade in a decade, and they really should be adding more things to core, but as far as I'm concerned it's definitely in the top 3 and I have no interest whatsoever in switching to something else.

I find that you and I are in a basically similar situation. I have solved the problem for now. When I use bitwarden with nfc on my phone, I get vibration feedback but no characters are entered. The solution to this problem can be found in bitwarden's guide on using yubikey
Check that NFC is configured properly:
Download the YubiKey Personalization Tool.
Plug the YubiKey into your device.
Select the Tools tab.
Select the NDEF Programming button.
Select the the configuration slot you would like the YubiKey to use over NFC.
Select the Program button.
https://bitwarden.com/help/article/setup-two-step-login-yubikey/
The lack of a systematic user guide is annoying and the user relies on Google. fk.

Some people have odd ideas about single points of failure.

If getting into the password manager involves multi-factor authentication, particularly if one of these factors is a security key, then it isn't really a potential single point of failure. That is particularly so if the password manager stores information online, in which case it is guarding against another potential single point of failure due to a building potentially burning down.

You either trust your password manager or you don't. If you don't then you shouldn't use it for anything.

https://bitwarden.com/help/article/what-happens-if-bitwarden-is-hacked/ is one password manager's answer to the, "but, but, but, what if it gets cracked", question.

> I use my PGP/SSH key

If you have users relying on PGP for your software then you are not a consumer in the traditional sense.

Also, OpenSSH supports FIDO2 based key types now. PGP will be obsolete for signing/authentication once all software down the chain adds support for FIDO2 ECC keys.

> also to send encrypted emails,

Most consumer PGP based email services don't allow hardware PGP cards and rely on encryption/key derivation instead.

S/MIME is a lot more popular going by usage. But non-enterprise users are switching to Signal/Element entirely because email is too much of a hassle

> it doesn't require the yubikey at all any more so anyone who has access to my phone could get into the app and access my vault.

2FA is for login only on password managers. It exists to prevent people from downloading and decrypting your vault with just your email and master password and it does a pretty decent job at preventing that.

It does not make sense to have 2FA every time you unlock your vault, it will get annoying very soon and even then the apps you log in to will save your login information until you manually log out. Such inconvenience makes it tedious and therefore less secure (e.g., like how people use sticky notes for passwords when annoying polices like expiring passwords are implemented).

The way most YubiKeys are set up, it is not easy to encrypt and sync passwords with a YubiKey. In the case of Yubico OTP based 2FA, the LastPass server just verifies the OTP, and does not use it for encryption. But your biometrics are actually used to "unlock" (i.e., decrypt) the encryption keys stored in the Keychain in phones (Secure Enclave in Apple, StrongBox in Android and TPM in PCs). It is in fact 2FA since your device itself is one factor and your face another.

Now, if you want a solution that actually uses the YubiKey for encryption and decryption, you'll have to use something more advanced (without online features) like Keepassium, but as their FAQ says, you cannot use a YubiKey for autofill at all unless you cache the decryption key - which is basically what FaceID does. So it's really not useful, you'll need to copy the password to your clipboard - not really ideal.

1. It seems the iCloud (sync and backup) data is encrypted with users Apple ID and password. Apple has access to this info, thus it has the key. However a subset of user’s data (keychain, credit cards, etc) is additionally encrypted with information unique to device, including passcode. That’s the end to end part. These are explained here;

https://support.apple.com/en-us/HT202303

https://www.boxcryptor.com/en/blog/post/iphone-backup-icloud-encryption/

The Boxcryptor’s article states that this second key is just the user’s passcode. Apple’s article states that this second key is obtained from information unique to the device, combined with device passcode.

There seems to be some contradiction here. The Boxcryptor’s article might be wrong. I doubt a short PIN is used for e2e encryption of the keychain. Apple might be using secret keys unique to device that even apple does not have (like randomly generated on device). If all that Apple doesn’t know is passcode, a lot of people use short pins which means e2e encryption is easily cracked by Apple or government.

When you decrypt a document, GPG only looks for keys in your keyring which match the recipient key ID stored in that document. So if you recover a key and it's able to decrypt an old document, you've definitely recovered the exact public/private keypair you used to have.

The key ID is a hash which is computed over data that includes the public key modulus. This hash also includes the creation timestamp of the key, so if you didn't take care to match that with your previous key, your new key will have the correct public modulus but the wrong key ID. In this case GPG won't be able to automatically find the key in your keyring when you go to decrypt the document, so decryption fails, but you can actually still decrypt it even with the wrong key ID by including the --try-all-keys argument.

So you think that KeeChallenge/KeepassXC with it's challenge-response HMAC implementation is more secure than HOTP? Or are they around the same level?

​

I did read that the author of Keepass2Android had a working beta version that can open and access KeepassXC databases with 2FA enabled through Yubikey. Maybe I'll give that a shot.

https://github.com/PhilippC/keepass2android/issues/4#issuecomment-401763890

Again I haven't personally tried it, but I see from the Keepass2Android-Offline release changelog that it also added support for ykDroid.

What you REALLY want is the KeePassXC fork which sees active development, has linux/PC/macOS support, built in YubiKey support (so no KeePass plugin, and tbh that plugin has shortcomings), a better UI and additional features.

As long as you store the database file in cloud storage of some sort (Dropbox/Box/whatever) the file will be in sync everywhere. If you want iOS/Android support there are apps (like KeePassium) that will support the YubiKey + KeePassXC files.

If you want to keep all of this local...well you'll need a proper USB flash drive. YubiKeys are dedicated 2FA devices, no generic storage (by design).
Dunno what your work's security policy is on flash drives and executables but I would check first.

I disagree, KeePassXC's integration is arguably more secure.

https://keepassxc.org/docs/#faq-yubikey-no-extra-file
The database doesn't need to know what the HMAC secret is, the response used to encrypt the database can be changed with every modification of the database itself, and there's no need for the extra keechallenge file to hold the secret right by the database itself.

I'm curious though, what integrations do you believe you're missing here?

Don't use OTP.
Use the KeeChallenge plugin instead, or better yet, just use the KeePassXC fork which contains this functionality.

Yeah, not a bitwarden guy myself but it doesn't look like it supports FIDO on mobile platforms. Maybe try r/Bitwarden ?

https://bitwarden.com/help/article/setup-two-step-login-u2f/

While it's not the major selling point of the key I love the YubiKey TOTP authenticator app. I never have to dig my phone out of somewhere to enter OTPs and Protonmail always asks for my OTP so just having the app on my mac menubar makes it super easy. I always register U2F where I can but I do store nearly every OTP on the key.

THe YubiOTP i hardly use. Mailbox.org supports it in a weird way but that's the only service I've really used it with since my password manager is Bitwarden which does U2F.

I have found these to be good resources. My setup is not exactly like either one. Both are good and, if memory serves correctly, also explain why they set things as they are.

https://alexcabal.com/creating-the-perfect-gpg-keypair/

https://riseup.net/en/security/message-security/openpgp/best-practices

They probably both assume that you are at least familiar with gpg.

Great post. Has it been moved somewhere else? If you don't need TOTP then you can get FIDO 2 U2F NFC key or $24.50

https://www.amazon.com/Yubico-Security-USB-Factor-Authentication/dp/B07M8YBWQZ/ref=pd\_lpo\_1?pd\_rd\_i=B07M8YBWQZ&psc=1

That depends on Android FIDO2 stack tbh, MS approach of security key is to use full passwordless authentication with resident keys.

That is ATM not supported in major browsers in Android. Some proof of concept browser like this one that has its own FIDO2 stack ( https://play.google.com/store/apps/details?id=de.cotech.hw.fido.browser) actually works fine on MS account login.

For Iphone I have no idea, but usually Apple is the last to adopt anything that they did not design.

yes - a usb-c to usb-a adapter works.

I (highly) recommend the Ugreen C-A adapter. Works a treat on my 5C-nfc.

I actually got a Freekey for mine https://www.amazon.co.uk/gp/product/B01BFSJ704 been very useful, much easier to remove and also means I can easily remove just my front door key when going running (not that I have done that much recently >_<)

You have two choices from my experience.

1. Get a USB-C cable and have it hang off the side of your laptop. I do this with this 1.6ft cable for 8.99
2. Get a Yubikey 5C NFC Original form factor. It's really too easy to trigger my 5C key by just bumping my hand on it. :(

Try flipping the yubikey over.

I use this adapter with 5c and have no issues

TACOMEGE USB C Adapter, USB C Female to USB A Male Cable, OTG Adapter for iPhone 12 Charger & Cable & Other Device (Black-USB2.0) https://smile.amazon.com/dp/B0923MGH5B/ref=cm_sw_r_apan_glt_fabc_9TPME1YZAJDYZZ2EV99G?_encoding=UTF8&amp;psc=1

hi i dont use the yubikey 5 yet im still on the old yubi 4 but this brand of adaptors works well for me

Act Micro USB OTG to USB Adapter Micro USB Male OTG to USB Female B Adapter USB On The Go Adapter (Black x 2) https://www.amazon.co.uk/dp/B06XWT3BCG/ref=cm_sw_r_apan_glt_fabc_F8B9K63SCWNY69THY4QR?_encoding=UTF8&amp;psc=1

sorry this isnt ezactly the advice your asking for but its the best i can do

ps usually i get the yubikey just flashing but doing nothin when windows has recognised it wrongly as a smart card or a mouse etc (just something to consider }

good luck pal !

Stainless Steel Necklace - I just received a new one today actually. Seems like the best way to keep it "on body" and never take it off unless I have a good reason to. And since the yubikey is waterproof, I just don't take it off. It has a mini metal hook to snap on and off the chain.

A YubiKey is a smart card, especially when used over NFC. The device manager even says Yubkey CCID - which is a protocol used for USB smart cards.
PIV is one of the applications on a smart card but FIDO2 smart cards (without USB) exist.

https://www.amazon.com/dp/B07YS68Y47

don't cheap out on adapters.

even an "expensive" C->A is only $10 AU (+postage). https://www.amazon.com.au/product/dp/B079K773M7/

There are some pretty good C->Lightning adapters out there too e.g. https://www.amazon.com.au/gp/product/B08VH52CH7

>nonda USB C to USB Adapter,USB-C to USB 3.0 Adapter,USB Type-C to USB,Thunderbolt 3 to USB Female Adapter OTG for MacBook Pro 2019,MacBook Air 2020,iPad Pro 2020,More Type-C Devices(Black)

There's no link. Is it https://www.amazon.com/nonda-Adapter-Thunderbolt-Aluminum-Indicator/dp/B015Z7XE0A (ignoring the color) ?

Sure, many people can't easily use NFC and I'm sure that's why all Yubikeys come with some way to plug them in. But more laptops are starting to come with NFC built-in and readers are not expensive compared to the price of a computer overall. Also, computers can often use a token like the nano which doesn't need to be carried separately.

Personally, I carry my keychain around most of the time but not always; they are just bulky enough that I would rather not bring them on a walk, around the house, or when out with my family. I sometimes misplace things which aren't immovable or attached to my body, including keys. I use my Yubikey mainly to authenticate to Bitwarden which manages all my other credentials. So while it's not common or likely that I need my Yubikey and don't have my keychain (or my backup Yubikey), it's not impossible. So I wear my primary Yubikey on a necklace and feel reassured knowing that I won't be locked out of my accounts wherever I am.

thing from "ugreen" - one of these - I've looped the mini-lanyard through the hole in the C5nfc so they're always together, but I can use the key on usb-c devices as well :)

You don't back up a YubiKey. Most sites let you add 2 or more security keys, so your 2nd key becomes the "backup" key.

Most people will be fine with 1 expensive YubiKey, as long as all recovery codes are backed up in a secure location. I use a cheap HyperFIDO Mini as my backup key.

I recommend the StarTech desktop extension cable. Much better than loose cable. https://www.amazon.co.uk/StarTech-com-5ft-Desktop-Extension-Cable-Black/dp/B001K9BFB8

Or a desk grommet with usb ports if you can drill a hole in your desk.

There are many USB hub designs with ports that point somewhat upwards, like this:

https://www.amazon.com/Anker-Unibody-Aluminum-Portable-Notebook/dp/B00O0KISQE/

Otherwise you can use these USB extension cables that have a pedestal base which gives you a single port facing upwards:

https://www.amazon.com/Adapter-Extension-Pedestal-Vertical-Wireless/dp/B08M96DL6T/

Thank you!

I found this on Amazon:

https://www.amazon.com/Extension-Pedestal-Transfer-YOUCHENG-Keyboard/dp/B089NBDV2K/

But I decided to buy this instead.

https://www.amazon.com/gp/product/B00MHHQPZI/

I figured a hub would be a lot more useful.

• https://smile.amazon.com/gp/product/B00GSLMTQ8/
• https://smile.amazon.co.uk/gp/product/B087LP9Y93/

Not sure if this is relevant, but I only use it as a U2F key, none of the other Yubikey-specific stuff like OTP.

Ah yeah. I read something about that. Wasn't sure on a release date and I've been sort of paranoid about only having one and the fear of something happening and not having a backup, so I had looked into this one: https://www.amazon.com/gp/product/B0821TDLP4/ref=crt_ewc_title_huc_2?ie=UTF8&amp;psc=1&amp;smid=A10ABS3Q8PD59I

But I also do like the fact that the yubikey one is a lot less bulky.

Try installing YubiClip and then set it as your defualt app once the popup shows after tapping the Yubikey

I had the same issue and it fixed it for me

https://play.google.com/store/apps/details?id=com.yubico.yubiclip&amp;hl=en_GB&amp;gl=US

I purchased 2 - one 5 NFC and one 5c nano.

They each have their pros/cons and uses. I use the NFC with my android phone and with devices that have a standard USB-A connector like my desktop PC. I use the 5c with my Surface tablet that doesn't have a built-in USB-A port.

The 5c is pretty versatile though - I honestly don't think I've tried it, but I believe it could be used by plugging it right in to the USB-C port on my phone. I also bought a USB-A to USB-C adapter so that I could use my 5c on my desktop as well and so I wouldn't lose the thing since it's so tiny. The adapter has a little clip on it, so when the 5c isn't plugged into a device, I put it in the adapter and clip it to my bag. This adapter isn't exactly what I bought, but similar.

So really, you've got it - it all depends on your use cases. Otherwise the devices are the same. Sorry I can't immediately answer about how well 5c work with Android. Adoption on mobile apps has been extremely slow. I think I've only got one or two apps that support hardware tokens on mobile right now, so I haven't had much need to try it.

I used this adapter to setup the YubiKey 5C that I carry around as a backup on my keychain. It's all just USB, there's nothing special, so form-factor adapters will work just fine.

I use DESFire cards with an app called Smartcard Password Vault but the setup is a bit shady overall. DESFire is certified secure but not open source and that app's author cannot legally release the source.

I read the blog you linked and my experience learning about secure communications, encryption, validation, etc. is different. It offers alternatives for specific use cases that might be nice for laypeople.

I don’t think I’ve ever seen signed software that doesn’t use GPG as the primary mechanism. LibreOffice, Ubuntu, Firefox, and Python are major software products that use GPG keys. GIMP made the decision to use it within the last few years so it isn’t a legacy concept.

Mullvad is the gold standard for privacy focused VPN. They offer instructions to verify signatures using GPG and recommend that method.

PrivacyTools recommends GPG in several places.

That whole blog post sounds like opinion to me because in the technical realm GPG is the standard signing mechanism.

For other uses like full disk encryption or email, I agree there are better alternatives.

> Honestly, though, I wouldn't waste my time with PGP unless you're just experimenting with it. Except for very narrow use cases, almost no one uses it anymore, even inside the security community.

If this is true why do major projects all seem to use GPG?

What I do is the following:

I have my entire keychain on one of these https://smile.amazon.com/gp/product/B013WB8WBM/

and its flexible enough that I don't have to remove the yubikey to plug it into anything. But if I ever need to remove it, its easy to do so.

I tried those Nite Ize S-Biner quick disconnects in the past for my bicycle key and the S-Biner broke

I've had this key chain for years and I'd like to never go back to a regular one. It's both secure and easy to remove. The chain makes it easy to pull out of your pocket.

There's a $60 USD variant available by Feitian. https://www.amazon.com/dp/B083NY2GFN/

Fingerprint + USBC.

Does anyone make a key with Biometric+NFC? (I doubt it due to the power requirements and possibly clunky UX around touching it and bringing it close to the NFC Area of the phone)

> keys live in little USB-A-to-C adapters in a hub

My USB-A to C/USB-C to A adapters have little keychain links (like this one).
You could store your 5C Nanos that way in a keychain e.g. YK 5C Nano -> USB-C to USB-A adapter (keychain) -> USB-A hub.