Brutkey

Mark Wyner Won’t Comply :vm:
@markwyner@mas.to

Question for all the privacy/security smarties.

I was reading about those physical passkeys (like Yubico). My primary hangup is that a tiny USB stick can be easily lost/damaged. That seems like a huge risk.

What I’ve read about these passkeys seems ambiguous at best. Is there a strong argument for their use? If so, how does one backup a hardware passkey to mitigate the risk of loss/damage?

#InfoSec #OpSec #Privacy #Security #Passkeys

Bolt
@boltx@mastodon.social

@markwyner@mas.to By physical passkeys, do you mean something like a Yubikey using U2F/FIDO2 that have been around for years, or the new "passkey" standard where sites just save a little digital credential in your browser/OS/phone's password manager, except stored on a standard USB stick?

Either way, it's often the case that sites using these give you backups, such as saving multiple passkeys, adding multiple hardware security keys, or also adding other 2FA like an authenticator app or backup codes.

tim
@timcappalli@infosec.exchange

@boltx@mastodon.social @markwyner@mas.to there is no "new passkey standard". You can choose to save a passkey in a credential manager (synced passkey) or on a security key (device-bound passkey).

Mark Wyner Won’t Comply :vm:
@markwyner@mas.to

@boltx@mastodon.social I’m actually talking about the Yubikey kind of thing. I need to update my post to be clear about that.

Are you saying with the Yubikey-type of hardware, you can have more than one? Do we know how hackable they are? Say if you lose it and someone gets ahold of it?

08956495
@08956495@infosec.exchange

@markwyner@mas.to @boltx@mastodon.social https://idtechwire.com/yubikeys-can-be-hacked-but-it-costs-about-11k/

Exploits exist buy they would need to get a hold of your key, the key has a pin that you have to enter to set up the 2FA in any device/account, and if you lose your key, I don't think there is a way to track the accounts linked to it.

As people already mention, have one as a back up, but it is usually a very secure way to handle 2FA.

08956495
@08956495@infosec.exchange

@markwyner@mas.to @boltx@mastodon.social https://idtechwire.com/yubikeys-can-be-hacked-but-it-costs-about-11k/

Exploits exist buy they would need to get a hold of your key, the key has a pin that you have to enter to set up the 2FA in any device/account, and if you lose your key, I don't think there is a way to track the accounts linked to it.

As people already mention, have one as a back up, but it is usually a very secure way to handle 2FA.