8 votes

Yubico releases the first Lightning security key for iPhones

8 comments

  1. [6]
    rmgr
    Has anybody got a Yubikey? Would you recommend it?

    1 vote
    1. [3]
      Weldawadyathink
      I have a yubikey 4 neo, the kind with nfc. It is a good device. Whether it is worth the $50 is up to you. It is a well-made product and does what it needs to do consistently.

      4 votes
      1. [2]
        rmgr
        Have you got a backup device for if the current one breaks or you lose it? That's what I'm grappling with at the moment. It makes it quite an expensive decision all of a sudden!

        2 votes
        1. Weldawadyathink
          Yep. I keep my neo on my keychain and I have a slim yubikey in my desktop at home. Not a true off site backup, but eh. In reality, you probably just want to keep backup codes in a safety deposit box if your yubikey breaks.

          1 vote
    2. manascii
      I have a Yubikey that I use mostly to unlock full disk encryption when I boot my laptop. I've also used it for 2FA on a couple of websites. I've found it really simple to use, and there's lots of documentation on it. Price is reasonable, too. I'd recommend it.

      1 vote
    3. NaraVara
      I've been meaning to get one, but my macbook is USB-C only while my iMac at home has no USB-C ports so I've just been delaying until the dongleverse sorts itself out.

      That said, my friend does infosec consulting for several of the Democratic candidates and he apparently just travels with bags full of Yubikeys to hand out at every training. Why this is voluntary and not part of their standard procedures I don't know, but it's definitely catching on.

      1 vote
  2. [2]
    welly
    Do yubikeys require any sort of second factor authentication? I.e. a password, thumbprint, something else? Or is it just plug in and you're authenticated?

    1 vote
    1. blitz
      There are lots of different ways you can use a yubikey, but the way I use mine is for two factor authentication. Many services like Google/Facebook/Fastmail support adding a U2F (universal second factor) device like a yubikey to your account. When you configure your account like this you still need to input your password and then once your password is verified they prompt you to insert your U2F device and press a button. You can't log in without both of these factors.

      This protects your account from things like someone guessing/brute forcing your password and phishing attacks (which other 2nd factor methods don't protect from). U2F devices take into account the URL they're being used on, even if you're tricked into putting your password into 'google.fake.example.com' and activating your U2F device, the phisher can't use what they get from you to log into your google account. This is not true for TOTP (Google Authenticator), because if they trick you into giving them your password and a one-time code, they can turn around and log into your real Google account with that information.

      1 vote
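
The difference between TOTP and an origin-bound U2F response described in the comment above, as an added example that is not part of the original thread. It is a simplified Python model: an HMAC stands in for the security key's ECDSA P-256 signature, and the function names, secrets and challenge are constructed for illustration.

```python
import hashlib, hmac, json, struct

REAL_ORIGIN = "https://accounts.google.com"        # assumed origin the key was registered for
LOOKALIKE_ORIGIN = "https://google.fake.example.com"  # look-alike host from the comment

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). Nothing about the visited site enters the code."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def server_check_totp(secret: bytes, code: str, t: int) -> bool:
    return hmac.compare_digest(code, totp(secret, t))

def browser_client_data(origin: str, challenge: str) -> bytes:
    """The browser, not the page or the user, records which origin asked."""
    return json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True).encode()

def key_sign(device_key: bytes, client_data: bytes) -> bytes:
    """Model of the key's signature over the hashed client data (HMAC stand-in)."""
    return hmac.new(device_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()

def server_check_u2f(device_key: bytes, challenge: str, client_data: bytes, sig: bytes) -> bool:
    if not hmac.compare_digest(sig, key_sign(device_key, client_data)):
        return False  # signature does not cover this client data
    data = json.loads(client_data)
    # A valid signature is not enough: the signed origin must be the server's own.
    return data["origin"] == REAL_ORIGIN and data["challenge"] == challenge

def totp_accepted_when_typed_elsewhere(secret: bytes, t: int) -> bool:
    """A code typed into any site is the same code the real server expects."""
    code_typed_on_lookalike = totp(secret, t)
    return server_check_totp(secret, code_typed_on_lookalike, t)

def u2f_accepted_when_touched_on(device_key: bytes, visited_origin: str) -> bool:
    """The real server's challenge is answered while the browser is on visited_origin."""
    challenge = "c2FtcGxlLWNoYWxsZW5nZQ"  # constructed sample challenge
    client_data = browser_client_data(visited_origin, challenge)
    return server_check_u2f(device_key, challenge, client_data, key_sign(device_key, client_data))

if __name__ == "__main__":
    print("TOTP typed on look-alike accepted:", totp_accepted_when_typed_elsewhere(b"constructed-secret", 1_700_000_000))
    print("U2F touched on real origin accepted:", u2f_accepted_when_touched_on(b"constructed-key", REAL_ORIGIN))
    print("U2F touched on look-alike accepted:", u2f_accepted_when_touched_on(b"constructed-key", LOOKALIKE_ORIGIN))
```

The server-side origin comparison in `server_check_u2f` is the check that makes the response useless when it was produced on another host.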