Brutkey

Mark Wyner Won’t Comply :vm:
@markwyner@mas.to

Question for all the privacy/security smarties.

I was reading about those physical passkeys (like Yubico). My primary hangup is that a tiny USB stick can be easily lost/damaged. That seems like a huge risk.

What I’ve read about these passkeys seems ambiguous at best. Is there a strong argument for their use? If so, how does one backup a hardware passkey to mitigate the risk of loss/damage?

#InfoSec #OpSec #Privacy #Security #Passkeys


Brian Anderson (He/Him)
@btanderson@infosec.exchange

@markwyner@mas.to I think the problem here is that “One Key to Rule Them All” is a fine slogan, but actually a very difficult and impractical strategy to manage. Passkeys, digital and physical, need to be viewed as one part of a multipart solution including having alternate authentication/recovery methods, backup keys where possible, etc.

I love my yubikey, it's reduced my overreliance on password managers…it was great until I left it home while on vacation out of state. But having other secure authentication methods available blunted the impact somewhat.

The bigger problem is the uneven, inconsistent way passkeys are implemented in products. It’s absolutely impossible to teach someone not already infosec savvy how passkeys work, because the UI from site to site, app to app, is so janky.

Bolt
@boltx@mastodon.social

@markwyner@mas.to By physical passkeys, do you mean something like a Yubikey using U2F/FIDO2 that has been around for years, or the new "passkey" standard where sites just save a little digital credential in your browser/OS/phone's password manager, except stored on a standard USB stick?

Either way, it's often the case that sites using these give you backups, such as saving multiple passkeys, adding multiple hardware security keys, or also adding other 2FA like an authenticator app or backup codes.

tim
@timcappalli@infosec.exchange

@boltx@mastodon.social @markwyner@mas.to there is no "new passkey standard". You can choose to save a passkey in a credential manager (synced passkey) or on a security key (device-bound passkey).

Mark Wyner Won’t Comply :vm:
@markwyner@mas.to

@boltx@mastodon.social I’m actually talking about the Yubikey kind of thing. I need to update my post to be clear about that.

Are you saying with the Yubikey-type of hardware, you can have more than one? Do we know how hackable they are? Say if you lose it and someone gets ahold of it?

08956495
@08956495@infosec.exchange

@markwyner@mas.to @boltx@mastodon.social https://idtechwire.com/yubikeys-can-be-hacked-but-it-costs-about-11k/

Exploits exist but they would need to get a hold of your key, the key has a pin that you have to enter to set up the 2FA in any device/account, and if you lose your key, I don't think there is a way to track the accounts linked to it.

As people have already mentioned, have one as a backup, but it is usually a very secure way to handle 2FA.
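Two points in this thread can be made concrete in code: Bolt's note that sites let you enrol more than one hardware security key, and tim's distinction between a synced passkey and a device-bound one (which the last reply's PIN remark also touches on). The following is an added example, not code from any poster: a relying-party helper that builds WebAuthn creation options for registering a backup key, and a check of the authenticator-data flags byte that tells the two passkey kinds apart. The relying-party name, user record, credential IDs and authenticator data are all constructed here; in a real browser flow the challenge and IDs would be ArrayBuffers passed to `navigator.credentials.create()`.

```javascript
// Added example (not from any poster in the thread). Node-runnable: nothing here
// calls the browser WebAuthn API; all inputs are constructed sample values.

// Creation options for enrolling an additional (backup) roaming security key.
// excludeCredentials lists credential IDs already on file, so the same key
// cannot be registered twice and the user really ends up with a second one.
// userVerification "required" makes the key check its PIN at enrollment.
// (Assumption: challenge and ids are plain strings here for testability;
// a browser needs BufferSource values.)
function buildBackupKeyOptions(rpId, user, existingCredentialIds, challenge) {
  return {
    rp: { id: rpId, name: rpId },
    user: { id: user.id, name: user.name, displayName: user.displayName },
    challenge,
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    excludeCredentials: existingCredentialIds.map((id) => ({ type: "public-key", id })),
    authenticatorSelection: {
      authenticatorAttachment: "cross-platform", // USB/NFC key, not the phone/laptop itself
      residentKey: "discouraged",
      userVerification: "required",
    },
    attestation: "none",
    timeout: 60000,
  };
}

// Flags byte of authenticatorData (WebAuthn Level 3):
// bit0 UP (user present), bit2 UV (user verified, i.e. PIN/biometric checked),
// bit3 BE (backup eligible), bit4 BS (backed up), bit6 AT, bit7 ED.
const FLAG_UP = 0x01, FLAG_UV = 0x04, FLAG_BE = 0x08, FLAG_BS = 0x10;

// authenticatorData = 32-byte rpIdHash || 1-byte flags || 4-byte signCount || ...
// A credential that is not backup-eligible lives only on that one key:
// lose the key and the credential is gone, hence the advice to enrol a second key.
function classifyCredential(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  return {
    userPresent: Boolean(flags & FLAG_UP),
    userVerified: Boolean(flags & FLAG_UV),
    backupEligible: Boolean(flags & FLAG_BE),
    backedUp: Boolean(flags & FLAG_BS),
    kind: flags & FLAG_BE ? "synced passkey" : "device-bound passkey",
  };
}

// Constructed sample: zeroed rpIdHash, caller-chosen flags, signCount = 1.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  buf[36] = 1;
  return buf;
}
```

For a YubiKey-style credential the flags typically read 0x45 (UP|UV|AT), which classifies as device-bound; a password-manager passkey sets BE (and usually BS) as well.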