Security Keys

Are security keys worth it, if so which are the best?

As always, “which is best” depends on your use case:
Which features do you need? Support for elliptic-curve crypto? Password storage? Encrypted drive? Small size? WebAuthn support? U2F support? OATH-TOTP support? Which price is okay for you? Do you need open hardware? …

And as always, you can’t pick all features since there is no “most secure security key.”


Besides, in our personal experience, yes, security keys are helpful if you want to store private keys on dedicated hardware and for two-factor authentication (U2F/WebAuthn for websites and SSH). They are built in a way that you can’t extract their secrets and this is their main benefit. However, there are drawbacks (again, as always), e.g., you need at least two security keys for backup purposes.

When it comes to the maturity of the products on the market: Yubico has the most mature hardware and software in our opinion; however, the YubiKeys themselves are proprietary hardware and some people don’t like this.

Generally one recommended approach is to download something like an Ubuntu live CD environment (boot it), and manage the security device from within a “clean room” environment. From there you can load keys onto the security key. I personally prefer to always keep a copy of my PGP keys burned to optical disc and not tied up in any security key device.

It then means I only have to buy one key, and in a pinch could use the key without the security device. (Though you’d want to be certain the machine you’re using it on is not compromised).

I keep all backup codes for removing TOTP/FIDO authentication devices from my accounts. (Those codes various sites give you that are single-use.)

If you look at this Yubikey article, “Generating Keys externally from the YubiKey (Recommended)”, it is their “recommended” method.

Yeah, I really wish there was a key as featured as the YubiKey 5, in particular firmware 5.2.3, i.e. able to do ed25519 OpenPGP and also FIDO2.

I want to like the Nitrokey, but it’s rather annoying that only the Nitrokey Start can do Curve25519, while only the Nitrokey FIDO2 can do FIDO2 authentication.

One thing to know about Yubikeys is they do not support firmware updates. The firmware that comes on your key is what you get.

There are also some places which will only allow you to use a YubiKey.

I also prefer the thinness of the Yubikey… I think it might be more durable too.

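The “clean room” workflow described in the post above (generate the OpenPGP key off the device, keep the full secret key on offline media, then move only the subkeys onto the security key) is shown below as an added example; it is not code from the thread or from Yubico’s article. It assumes GnuPG 2.1 or later (for the `--quick-*` commands), a sample user id and subkey lifetime that you would replace, and an OpenPGP-capable card attached when the keytocard step runs. The backup is written before keytocard because keytocard moves the secret material off the host, leaving only stubs behind.

```shell
#!/bin/sh
# Added example, not from the thread: offline OpenPGP key generation, backup,
# and subkey transfer to an OpenPGP card in a throwaway GNUPGHOME.
set -eu

KEY_UID="${KEY_UID:-Example User <user@example.org>}"   # assumption: sample identity
LIFETIME="${LIFETIME:-1y}"                               # assumption: subkey validity

# Isolated keyring so nothing touches the host's ~/.gnupg. Prints the path.
make_clean_room() {
    home="$(mktemp -d)"
    chmod 700 "$home"
    printf '%s\n' "$home"
}

# Certify-only ed25519 primary key plus sign/encrypt/auth subkeys, no passphrase
# (the disc is the protection here). Prints the primary key fingerprint.
generate_offline_key() {
    home="$1"
    GNUPGHOME="$home" gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$KEY_UID" ed25519 cert never
    fpr="$(GNUPGHOME="$home" gpg --batch --list-secret-keys --with-colons \
        | awk -F: '/^fpr/ {print $10; exit}')"
    for spec in "ed25519 sign" "cv25519 encr" "ed25519 auth"; do
        set -- $spec
        GNUPGHOME="$home" gpg --batch --pinentry-mode loopback --passphrase '' \
            --quick-add-key "$fpr" "$1" "$2" "$LIFETIME"
    done
    printf '%s\n' "$fpr"
}

# Offline backup set for the burned disc: armored secret key, public key and
# the revocation certificate GnuPG generated. Prints the backup directory.
write_backup() {
    home="$1"; fpr="$2"; out="$3"
    mkdir -p "$out"
    GNUPGHOME="$home" gpg --batch --pinentry-mode loopback --passphrase '' \
        --armor --export-secret-keys "$fpr" > "$out/$fpr.secret.asc"
    GNUPGHOME="$home" gpg --batch --armor --export "$fpr" > "$out/$fpr.public.asc"
    cp "$home/openpgp-revocs.d/$fpr.rev" "$out/$fpr.rev"
    chmod 600 "$out"/*
    printf '%s\n' "$out"
}

# The --edit-key answers that move subkey $1 into card slot $2
# (1 = signature, 2 = encryption, 3 = authentication).
keytocard_commands() {
    printf 'key %s\nkeytocard\n%s\nsave\n' "$1" "$2"
}

# Move the three subkeys onto the card; the Admin PIN is requested by pinentry.
# Returns 1 (and does nothing) when no card is detected.
move_subkeys_to_card() {
    home="$1"; fpr="$2"
    GNUPGHOME="$home" gpg --batch --card-status >/dev/null 2>&1 || return 1
    for pair in "1 1" "2 2" "3 3"; do
        set -- $pair
        keytocard_commands "$1" "$2" \
            | GNUPGHOME="$home" gpg --command-fd 0 --status-fd 2 --edit-key "$fpr"
    done
}

main() {
    home="$(make_clean_room)"
    fpr="$(generate_offline_key "$home")"
    backup="$(write_backup "$home" "$fpr" "$1")"
    echo "backup written to $backup (copy this to the disc before continuing)"
    ls -l "$backup"
    if move_subkeys_to_card "$home" "$fpr"; then
        echo "subkeys moved to card; local copies are now stubs"
    else
        echo "no card detected; keytocard step skipped"
    fi
    GNUPGHOME="$home" gpgconf --kill gpg-agent
}

# Usage: sh offline-key.sh /media/backup-disc   (runs only when a directory is given)
[ "${1:-}" = "" ] || main "$1"
```

On the machine that later holds the card, importing only `$fpr.public.asc` and running `gpg --card-status` is enough to use the subkeys; the `.secret.asc` file stays on the disc, which is what lets a second key be provisioned later from the same backup.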

We use several “identical” YubiKeys for our shared ISH infrastructure. For instance, there are three YK5 for SSH+U2F access to an SSH jump host, each with its own account. Then, there are signing keys for Git, and some shared TOTP secrets.

But, of course, for some users/use cases a backup CD or a paper backup is sufficient.

We own 5 Nitrokeys (2x Nitrokey Pro, 1x Nitrokey Pro 2, 1x Nitrokey FIDO2, 1x Nitrokey FIDO U2F).

In our opinion, the biggest drawback is that most Nitrokeys are simply forks of other open hardware projects (e.g., SoloKeys, or U2F Zero) with some Nitrokey software on top. Due to this, there is no “one size fits all” Nitrokey, but you need multiple Nitrokeys to get the same features that you get with a single YubiKey (e.g., storing an OpenPGP key AND having U2F in the same key). This means that the end user needs to buy at least two Nitrokeys to get the same features that are in one YubiKey.

Besides, there were/are some major software issues. For instance, the official Nitrokey App didn’t run on Windows 10 1809 for 4 months due to a bug, rendering the hardware password manager and TOTP useless for these users. Another example is when the Nitrokey Start leaked secret keys, or the missing AAGUID field for FIDO2. On the other hand, only some Nitrokey models support firmware updates.