YubiKey 5: First multi-protocol security keys with FIDO2 support

Discussion in 'privacy technology' started by guest, Sep 24, 2018.

  1. guest

    guest Guest

    YubiKey 5: First multi-protocol security keys with FIDO2 support
    Replace weak, outdated password-based methods with strong hardware-based authentication.
    September 24, 2018

    https://www.zdnet.com/article/yubikey-5-first-multi-protocol-security-keys-with-fido2-support/
    Yubico Blog
    Introducing the YubiKey 5 Series with New NFC and FIDO2 Passwordless Features
    September 23, 2018
    https://www.yubico.com/2018/09/intr...with-new-nfc-and-fido2-passwordless-features/
     
  2. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
  3. 142395

    142395 Guest

    Yubikey supports FIDO U2F and WebAuthn. Other than that, not being open source may be a deal breaker for some people.
     
  4. longshots

    longshots Registered Member

    Joined:
    Oct 20, 2017
    Posts:
    539
    Location:
    Australia
    Last edited: Aug 21, 2019
  5. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    I've been testing Fido2 on a Yubikey5 and Security key, on MS, Google and Webauthn.io accounts. If it's of any help, here's some results:

    Windows 10, Edge, FF68 and Chrome75.
    MS account works, asks for pin. Chrome doesn't work (security key not listed).
    Google account, works for all browsers, no pin, asks for password.
    Webauthn.io, works for all browsers, asks for pin

    Linux Mint 19, FF68 and Chrome 67 (with Firejail and working U2F profile)
    MS account doesn't work, no 2fa options listed
    Google account, attempts 2-step but greyed out, YK doesn't flash
    Webauthn.io, doesn't work - popup but no flash on dongle

    Fedora 30, FF68, no firejail
    MS account - doesn't work, security key not listed.
    Google account - works with password, no pin
    Webauthn.io - works with pin

    So, rather frustrating!

    I've also tested the NFC on Android which works well for the TOTP authenticator side, but there's sadly no support yet for Fido2 & NFC on any of the Android browsers AFAIK. Likewise, you can't use the YK NFC for authentication, and Google seem to be bent on the Bluetooth option for that (which requires batteries).

    So, not there yet, and expecting website support for fido 2 to be as glacial as U2F. Surprise me someone!

    As far as not being open source, that clearly needs to extend to firmware etc. The Nitrokey is the only one I know that asserts that, and at this stage, only U2F is supported.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    What I don't get is that both Yubico and Purism make it quite hard to find which sites support these USB keys. I mean this is the most important info.
     
  7. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    I think the problem for them is that so few sites do support the good standards - not a good sales pitch!

    The aggregation sites that list 2FA supporting websites tend to be infuriatingly shy of detail, and many are listed because they do TOTP for example. They also fail to note constraints (such as U2F only working with recent Chrome, for instance), or distinguishing between U2F and Fido2.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Well, I had to look for it on Google, and apparently the YubiKey does work with a lot of sites, but strangely enough not on Yahoo Mail. I'm willing to buy a YubiKey, it seems to be the best 2FA solution. I prefer it over 2FA via smartphone SMS for sure, that's such a hassle.
     
  9. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Don't get me wrong, I've been using the Yubikey productively for years, I can recommend it for authentication, for hardening up password managers, and for TOTP. The non-biometric no-battery robust dongle is compelling. The problem with Fido is specifically that it's taken ages to get a few handfuls of main sites to support U2F over the years (only working with Chrome), and now Fido2/Webauthn only has a couple of participating sites. However, since one of them is MS and Edge, and they're also touting Hello enabled devices as fido2, that has more prospect for better support (if people acquiesce in using Hello for login).

    The other issue (a good problem to have really) with U2F or Fido2 is that you cannot recreate the keys using offline records (as you can for TOTP, HMAC and so on). This means that you'll need a backup key and/or rely on the website's recovery mechanisms (which are sometimes security vulnerabilities in their own right - attackers can trigger recovery mechanisms which they might be able to subvert more easily than the stronger Fido protection). My feeling is that keeping offline records of one-time pads or keys is the correct approach to this problem, and fortunately the bigger/better websites are now providing this.

    Yahoo Mail is embarrassing, though I think they now do TOTP; the bad providers are people like Paypal in my opinion.
     
  10. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    deBoetie,

    My results differ from yours. Chrome is NOT the only one supporting U2F. I am having great results with FF Quantum (need a somewhat recent version) using U2F bare bones (not only Yubikey code, which also works). I use the following keys with both Chrome and FF Quantum -- Yubikeys and U2F security keys. NFC, USB-A. I also have Yubi NEOs where I "broke" the Yubi ID code and only have it enabled as full U2F, which works well without leaving any identifiers. The Yubi 5 security key works extremely well on FF Quantum using USB-A on linux.

    My only problem is that Android sucks and is not supporting true NFC (Yubi 5 NFC security key) for U2F - not Yubi 4 code which of course does work well over NFC.

    Some examples of perfect working order - Gmail, Facebook, Password Mgr, Encrypted email provider - on FF Quantum or Chrome. I feel like I can control Quantum much better than Google's Chrome, not to mention obvious trust issues with Chrome.

    Caveat: I NEVER touch anything Windows so I cannot report on that OS. Linux 100% here.
     
    Last edited: Aug 31, 2019
  11. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Ah, thanks @Palancar, I believe the Firefox U2F support is via the Webauthn provisions, but that requires the website to support that form of connection - and there are so few that do so currently. Of course, this is good to the extent there's backward compatibility of sorts. I did mean to check whether Tutanota had moved on to Fido2 or Webauthn. Agree with you about not wanting to use Chrome.

    Would be interested in how you "broke" the yubi id code, or would you have to kill me?!
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I guess I will need to do some research. I will be using it for authentication only, and everything must work on Vivaldi. But I was thinking, if you enable this option, then you can't log in without the YubiKey anymore, right? And yes, Paypal and Yahoo Mail should really be added to the list.
     
  13. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    @Rasheed187 - by authentication, I meant the HMAC authentication to Windows and Linux login (also does LUKS boot authentication in Debian distros, and some password managers). I haven't tested Vivaldi support as far as Fido2 or Webauthn/U2F authentication is concerned. You can also use the Yubikey TOTP features with the Authenticator to provide codes with secrets stored on the key - and this works nicely on Android/NFC. Lastpass supports two-factor with the Yubikey also.
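    The two posts above by deBoetie make a point worth seeing in code: a TOTP secret or an HMAC-SHA1 challenge-response secret is a plain shared secret, so a copy kept in an offline record lets you program a replacement key and keep logging in, whereas a U2F/FIDO2 credential's private key is generated inside the authenticator and cannot be reconstructed from anything the website stores (hence the need for a backup key or a recovery path). The following is an added example written for this thread; it is not code from the forum, from Yubico, or from any of the products mentioned. It implements RFC 4226 HOTP, RFC 6238 TOTP and a generic HMAC-SHA1 challenge-response check with the Python standard library; the base32 secret string and the challenge bytes are constructed sample values, and the verifier is assumed to hold the same secret the key was programmed with.

```python
"""Constructed example: credentials that CAN be re-created from an offline record.

TOTP (what the Yubico Authenticator shows) and HMAC-SHA1 challenge-response
(what the key's slot computes for OS login / LUKS integrations) are both just
HMAC over a shared secret.  Anyone holding the secret can recompute the codes,
so a written-down secret is a complete backup.  A FIDO2/U2F credential has no
such record: the site only stores a credential ID and a public key, and no
function here could turn those back into the private key.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (T0 = 0)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits)


def totp_from_offline_record(b32_secret: str, for_time: Optional[float] = None) -> str:
    """The secret as it appears in a QR code or on a printed backup sheet (base32).

    Tolerates lower case, spaces and missing '=' padding, since that is how people
    write these down.  Re-programming a new key from this string fully restores TOTP.
    """
    cleaned = b32_secret.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return totp(base64.b32decode(cleaned), for_time)


def hmac_sha1_response(secret: bytes, challenge: bytes) -> bytes:
    """What an HMAC-SHA1 challenge-response slot returns for a given challenge."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def verify_challenge_response(stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Verifier side: recompute the expected response from its own copy of the secret.

    Constant-time comparison avoids leaking how many leading bytes matched.
    Because the verifier holds the secret, a replacement key programmed with the
    same secret (from an offline record) keeps working with no re-enrolment.
    """
    expected = hmac_sha1_response(stored_secret, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret, as it would be written on a backup sheet.
    BACKUP_SHEET_SECRET = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"   # constructed value
    print("TOTP right now from the offline record:", totp_from_offline_record(BACKUP_SHEET_SECRET))

    # Constructed sample: 20-byte slot secret and a random-looking challenge.
    slot_secret = bytes(range(20))                   # constructed value
    challenge = b"login-challenge-0001"              # constructed value
    resp = hmac_sha1_response(slot_secret, challenge)
    print("challenge-response verified:", verify_challenge_response(slot_secret, challenge, resp))
```

The expected values used in testing this block are the published RFC 4226 / RFC 6238 vectors (secret `12345678901234567890`: HOTP counter 0 is `755224`, TOTP at Unix time 59 is `287082`, or `94287082` with 8 digits) and the RFC 2202 HMAC-SHA1 vector (key `Jefe`), so you can check the implementation against the standards rather than against this post.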
     
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    Hardware Security Keys: A Seatbelt for the Internet?—Cyber Saturday
    https://fortune.com/2019/09/07/hardware-security-keys-a-seatbelt-for-the-internet-cyber-saturday/
     
  15. guest

    guest Guest

    Yubico's latest security key uses NFC and USB-C for authentication
    That helps it prevent hacking on nearly all PCs and mobile devices
    September 9, 2020

    https://www.engadget.com/yubicos-la...nfc-or-usbc-for-authentication-121635229.html
    Yubico: Yubico Delivers New Security Key to Defend Against Hackers in the Age of Modern Work, the YubiKey 5C NFC
     