Cred Forums

I think I'm an idiot and need someone to explain to me how using a YubiKey is better/safer than having 2-factor authentication using your phone?

I have 2-factor set up with my LastPass account; how would using a YubiKey instead of my phone be any safer? Is there any difference?

No one uses a YubiKey?

Phone would be better in this case. If someone wanted to steal your login, they'd need to unlock your phone and get the time-sensitive code.

It doesn't hurt to have multi factor auth as long as you can manage it.

I have a KeePass database that requires a Google auth code from my phone AND 2 key files from 2 separate drives, along with the password.

So what's the point of a YubiKey if a phone authenticator app is better? Why do so many people use them?

Well, I just googled this and it seems pretty legit. So what exactly are the advantages of it, though, and can someone give me a real-life situation where it'd be useful to have?

What the hell do you have there that needs that much protection?

or are you just paranoid?

It might be a requirement for his company

If you get malware on your phone, it could read out all the secrets from your authenticator app. A YubiKey avoids this by being a separate piece of hardware that you don't do anything else on.

One of the key files is stored on the company's servers (not a fan, but I had to). The other is my own.
The key files are a one-time thing, just to prevent logins from new devices.

The database is ~10MB so I got a lot to lose

2 factor with a special phone you never tell anyone about works

You can more easily fit a YubiKey up your ass. So when you get robbed, they still won't have the key to get into your accounts.

Someone can steal the authentication seed from the phone. It's much harder to do from the key.

A YubiKey can do NFC, so you can use it to 2-factor auth the 2-factor auth on your phone. (Yo dawg...)

A YubiKey also works as a PGP card, which is fucking awesome.

Phone companies have a history of being very lenient about security and don't think twice about handing a duplicate of your SIM to someone else, leaking your SMS, or reusing your number if you stay offline for too long.

Two-factor authentication is critically important for all orgs to implement, but hardware-based security keys are quantum leaps ahead: they're not hackable, and they protect users from phishing in a way one-time passwords do not.

How is plugging in a USB key any more secure than typing in an OTP?

A cryptographic signature cannot be phished.
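Added example (not a post from this thread, and not Yubico's or LastPass's code): a Go simulation of the phishing-resistance point made two posts up and in the one-liner just above. It runs the same relay attack against a phone-app TOTP code and against a U2F-style signature. The TOTP side uses the RFC 6238 test-vector seed; the U2F side mirrors the U2F authentication message (SHA-256 of the appID the browser saw, a user-presence byte, a counter, and SHA-256 of the client data). The origins https://bank.example and https://bank-login.example, the challenge strings, and the freshly generated per-registration ECDSA key are constructed for illustration (a real key derives its per-site key from the appID and a device secret rather than storing one).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// totp is RFC 6238 (HMAC-SHA1, 6 digits) for one 30-second step: what the phone app displays.
func totp(secret []byte, step uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], step)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	code := binary.BigEndian.Uint32(h[h[len(h)-1]&0x0f:][:4]) & 0x7fffffff // dynamic truncation
	return fmt.Sprintf("%06d", code%1000000)
}

// totpRelay: the phisher forwards the code the victim typed on its page to the real site within the same step.
func totpRelay(secret []byte, step uint64) bool {
	captured := totp(secret, step) // what the phishing page received; nothing in it names that page
	return hmac.Equal([]byte(captured), []byte(totp(secret, step))) // the real site's check passes
}

// u2fSignedData is what the key signs: SHA-256(appID) || user presence || counter (4 bytes BE) || SHA-256(clientData).
// appID is the origin the browser saw, so a page on a phishing origin can only get that origin signed.
func u2fSignedData(appID string, counter uint32, clientData []byte) []byte {
	ah, ch := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	var b bytes.Buffer
	b.Write(ah[:])
	b.WriteByte(0x01) // user presence: the touch on the key
	binary.Write(&b, binary.BigEndian, counter)
	b.Write(ch[:])
	return b.Bytes()
}

type keyHandle struct { // what the token holds for one registration (constructed; real keys derive this)
	priv    *ecdsa.PrivateKey
	counter uint32
}

// sign is the authenticator step; the key does not judge appID, it signs whatever origin the browser passes.
func (k *keyHandle) sign(appID string, clientData []byte) (uint32, []byte) {
	k.counter++
	d := sha256.Sum256(u2fSignedData(appID, k.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, d[:])
	if err != nil {
		panic(err)
	}
	return k.counter, sig
}

type relyingParty struct { // the real site: its own origin, the registered public key, last counter seen
	origin      string
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

func (rp *relyingParty) verify(clientData []byte, counter uint32, sig []byte) bool {
	d := sha256.Sum256(u2fSignedData(rp.origin, counter, clientData))
	if counter <= rp.lastCounter || !ecdsa.VerifyASN1(rp.pub, d[:], sig) {
		return false // replayed counter (or cloned key), or a signature made over some other origin
	}
	rp.lastCounter = counter
	return true
}

func clientData(challenge, origin string) []byte {
	return []byte(fmt.Sprintf(`{"typ":"navigator.id.getAssertion","challenge":%q,"origin":%q}`, challenge, origin))
}

// u2fScenario: an honest login from https://bank.example, then a relay in which a phisher at https://bank-login.example
// fetched a fresh bank challenge, had the victim touch the key on its page and forwarded the result. Returns (honest ok, relayed ok).
func u2fScenario() (bool, bool) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	key := &keyHandle{priv: priv}
	rp := &relyingParty{origin: "https://bank.example", pub: &priv.PublicKey}
	cd := clientData("c0ffee", rp.origin)
	ctr, sig := key.sign(rp.origin, cd)
	honest := rp.verify(cd, ctr, sig)
	// The browser on the phishing page passes *its* origin as appID; the bank recomputes the signed
	// data with its own origin, so the signature fails although challenge and counter are fresh.
	cd = clientData("decade", "https://bank-login.example")
	ctr, sig = key.sign("https://bank-login.example", cd)
	return honest, rp.verify(cd, ctr, sig) // a real RP would also reject the foreign origin inside clientData
}

func main() {
	h, r := u2fScenario()
	fmt.Println("TOTP relay accepted:", totpRelay([]byte("12345678901234567890"), 1), "| U2F honest:", h, "| U2F relayed:", r)
}
```

Run it with `go run`. The TOTP relay is accepted because a six-digit code carries no information about where it was typed, while the relayed U2F assertion is rejected solely because the appID hash the key signed is the phishing origin's, not the bank's; the phisher never needs to be detected by the user for the scheme to hold.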

Because you have complete physical control over your USB key

You have complete physical control over an OTP written on a scrap of paper.

Firefox still does not support U2F

fuck

But where do those scraps of paper come from?

A tree.

But what if the tree was compromised?

What if the USB key is compromised?

>OTP
>scrap of paper
How do you get the next OTP?

Calculate it manually based on the seed.

I wish more people understood this. This is the whole point of the yubikey!

So, is there an actually recommendable secure smartphone?

I read somewhere that if you link a YubiKey to a LastPass account, then the YubiKey will store the decryption string instead of the LastPass server.

It isn't better. Anything on a phone is more vulnerable compared to a dedicated hardware token.

Friendly reminder that Yubico has replaced all the open-source components that made YubiKey NEOs so awesome with proprietary closed-source code in YubiKey 4s. Do not buy.

Instead, either get the YubiKey NEO or check out nitrokey.com/

Forgot link:

plus.google.com/ gregkroahhartman/posts/WK6ZLEhfQo5

github.com/Yubico/ykneo-openpgp/issues/2#issuecomment-218446368

I have a YubiKey as a backup in case my phone ever gets lost or stops working.