14 votes

Increasing personal security online and Yubikey

I have recently noticed an uptick in phishing emails and SMS messages trying to get me to click on some malicious link, and this has been troubling me.
I am fairly careful about what I click and so far I haven't clicked anything malicious (I think). However, this has motivated me to up my online security.

All my computers run Linux and I use an Android phone.

For browsing I use Firefox, with NoScript (and uBlock) and use containers for separating personal/shopping sites, etc.
I also have host file blocking on my computers and phone (using AdAway).

I do have a pi-hole setup at home as well.

I also have 2FA setup on all my banking accounts, email accounts etc.
However, all my banking account 2FA is still just using SMS, which I think is now easily circumvented.
Email accounts do use Authenticator apps (like Authy and Google Authenticator).

I also use a password manager (this one), which works well for me, but is only available on my computer and not from my phone. I am split on having my password manager available on my phone, though, since it is always on me and could be stolen or have something malicious installed on it. What do you guys think? I am wary of services like LastPass; is that valid?

So I wanted to start a thread to discuss what you guys do to stay safe online.
I am also considering getting a pair of Yubikeys (one as a backup); are there any caveats/pitfalls I need to be aware of with Yubikeys?

12 comments

  1. streblo

    For a password manager I have been using Bitwarden; it has good phone and web integration and it's open source. You can host it yourself if you're comfortable doing that, which is nice.

    Another "easy" security win is encrypting your /home folder, which is especially important for a laptop but may be desirable for a desktop as well.

    8 votes
    1. userexec

      I want to second the recommendation for Bitwarden. It's far better cross-platform than its competitors, makes 2FA easy (it can automatically copy your 2FA codes to your clipboard when you log in with it), and huge bonus: You can easily secure the whole password vault with a Yubikey!

      4 votes
  2. mrnd

    Something to note is that the thing Yubikey adds over TOTP (Google Authenticator) is mostly protection from phishing.

    Most sites that support Yubikey also support the FIDO2/WebAuthn standards. So you'd get most of the benefits with anything that supports that.

    Personally I'm using Krypton for using my mobile as the second factor. Though they got acquired and AFAIK Android now supports something similar, so there are other options if you wish to go that route.

    6 votes
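    As an added illustration of the phishing protection mrnd describes (this is example code written for this page, not code from the thread, from Yubico, or from any WebAuthn library), here are the relying-party checks that bind a WebAuthn assertion to the real site. The RP name and origins are assumed, and the browser's `navigator.credentials.get()` is replaced by a constructed stand-in; the cryptographic signature check is named but not performed.

```python
import base64
import hashlib
import json
import os
from typing import Optional

RP_ID = "example.com"  # hypothetical relying party
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}
FLAG_USER_PRESENT = 0x01  # the "touch the key" bit in authenticatorData flags


def new_challenge() -> str:
    """RP side: a fresh random challenge for every login attempt."""
    return base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode()


def browser_get_assertion(page_origin: str, rp_id: str, challenge: str) -> Optional[dict]:
    """Constructed stand-in for navigator.credentials.get(). The browser, not the
    page's JavaScript, writes the origin into clientDataJSON, and it refuses an
    rpId that is not the page's host or a parent domain of it."""
    host = page_origin.split("://", 1)[1]
    if host != rp_id and not host.endswith("." + rp_id):
        return None  # browser blocks the request before the key is even touched
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash, 32 bytes
    auth_data += bytes([FLAG_USER_PRESENT]) + (1).to_bytes(4, "big")  # flags, counter
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}


def rp_verify(assertion: Optional[dict], expected_challenge: str) -> bool:
    """RP side: the binding checks done before the signature is verified (the
    signature covers authenticatorData || sha256(clientDataJSON); omitted here)."""
    if assertion is None:
        return False
    cd = json.loads(assertion["clientDataJSON"])
    ad = assertion["authenticatorData"]
    return bool(
        cd.get("type") == "webauthn.get"
        and cd.get("challenge") == expected_challenge  # stops replay of an old login
        and cd.get("origin") in ALLOWED_ORIGINS  # a look-alike domain fails here
        and ad[:32] == hashlib.sha256(RP_ID.encode()).digest()
        and ad[32] & FLAG_USER_PRESENT
    )
```

    A TOTP code typed into a look-alike page has none of this binding and can be relayed to the real site within its validity window; a WebAuthn assertion made on the wrong origin is rejected by the browser or by the RP.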
  3. feigneddork

    So I have two Yubikeys: one is a Yubikey 4, and the other is a Yubikey 4C.

    Personally I see few downsides outside of the usual "I'm downstairs trying to access GitHub/GitLab and then the website asks me for my Yubikey, so I rush upstairs to get it, come downstairs, enter it and go ahead". There's even the little issue of some websites/browsers timing out, so you have to do all of this again.

    That's pretty minor compared to the Yubikey security. It's dead simple to set up and use - when a website asks for two factor auth, you plug in the Yubikey and then hit the button. Then going forward you will need to plug in the Yubikey and press the button and you're good to go.

    Services that I use that require my Yubikey:

    • Google (sometimes I use their services although I'm trying to strip back my usage and succeeding)
    • Github
    • Gitlab
    • AWS
    • Fastmail
    • Facebook
    • Lastpass
    • Bitwarden

    Services I wished used Yubikey:

    • Microsoft (they apparently have support for security keys, but my browser doesn't support it? It's Firefox, I've managed to sign in with my Yubikey with the above devices)
    • Twitter
    • Apple (they have their own proprietary 2FA mechanism)
    • Amazon (yup, AWS supports Yubikey, but not Amazon)
    • Paypal
    • eBay
    • Steam
    • Epic Games store
    • Rockstar Games Launcher
    • Origin
    • Basically any store/service that potentially involves me spending £££, has my credit card details, or has items worth £££

    So far it's mainly used to stop people accessing code/services/infrastructure potentially worth ££££ to customers. I wish it was used all over because of the convenience (signing up and using).

    3 votes
    1. Aestival

      Twitter supports U2F, but you have to set up OTP beforehand. It's a bit finicky, you can always bypass it with your OTP code, and it only works in the browser version. For apps you still have to use OTP codes. I guess it's more convenience than security with their method.

      1 vote
      1. feigneddork

        Hmm, I checked and it turns out that I did set it up, but for some reason it doesn't work in my current browser, which is Firefox.

        It's incredibly puzzling.

        1 vote
  4. skybrian

    Do you have any important online accounts that can use a Yubikey? Google and GitHub can use it, but there aren't all that many others.

    Two Yubikeys would work, but one Yubikey and printed backup codes kept somewhere safe might also do.

    Also consider which USB interface you need. A lot of newer laptops only take USB-C, so if you get a Yubikey with the older USB you'd want an adapter.

    2 votes
    1. pvik

      Do you have any important online accounts that can use a Yubikey?

      Of all the accounts I have the following seem to support Yubikey currently:

      • ProtonMail
      • Google
      • Github
      • Coinbase
      • Dropbox
      • DigitalOcean

      Wish more services supported it (and actually supported 2FA, mainly online stores)

      Two Yubikeys would work, but one Yubikey and printed backup codes kept somewhere safe might also do.

      That is a good idea!

      1 vote
      1. skybrian

        Okay. Another gotcha to be aware of is that some of these providers have unintuitive UIs for setting up 2FA, and they work differently. Pay attention or you may lock yourself out.

        For example, registering another method on Google is additive - you don't lose the old one. Adding a new method to Coinbase removes the previous method.

        2 votes
  5. dedime

    Online security is almost like a hobby to me! I take great pleasure in finding solutions that keep my data in my hands, enhance my security posture, and perhaps most importantly doing all that without being a huge time / thought burden. My setup is as follows:

    • For my password manager, I use KeePassXC. Free open source software that you can trust. To log in to the database (which is just a file), I use a strong password as well as a keyfile - the keyfile is never transmitted over the internet, I only ever copy it physically. I also store password protected SSH keys (automagically added to SSH agent on unlock), credit cards, social security numbers, etc. in the database.
    • To keep my password manager in sync on all of my devices, I use SyncThing. This is also free open source software that you can trust. I only recently started using this over Google Drive / SeaFile, and I absolutely love it. There's no central server involved, you pair your devices using public keys and configure sharing between them. It does one thing and does it well - syncing files. There is a small learning curve, but for the technically inclined nothing insurmountable. Once it's set up, you won't have to worry about it.
    • In my KeePassXC database, I also store all of my two factor tokens. This syncs my two factor tokens so that I can access them securely between all of my computers / phone. It also allows for autofill of TOTP tokens using browser extensions. This does however mean that if my KeePassXC database is somehow ripped off, there's no second factor securing my account. Since this is such a low risk, I don't mind. If I were more paranoid, I would split my TOTP tokens into a separate KeePass database which would only be unlocked when needed for two factor.

    The only item I really need for peace of mind is backups of SyncThing. It is technically possible for a bug in SyncThing to delete all of my data. I doubt this will ever happen but I need to plan for it anyway. I'll probably end up using Google Drive or SeaFile to accomplish this.

    2 votes
  6. wakamex

    I don't really get how yubikey helps in this case.

    The major downside of having your phone stolen is worsened if you also lose the yubikey, no?

    And the upside is... moving away from SMS 2FA? Don't most sites let you move to software 2FA, like the sites you listed?

    The only advantage I see of hardware 2FA is that it automatically detects phishing attempts, so it eliminates the risk of manually inputting your software 2FA into a fake site. To me that's a very low risk, since I don't see myself ever being subjected to such targeted attacks.

    I see this outweighed by the inconvenience of having to keep a hardware key on me, on my phone, as well as at my desktop, using my laptop or tablet on the couch, or god forbid having to fumble for it late at night in bed. Or how the hell would it work on my work device, which doesn't allow non-authorised USB devices to connect?

    1 vote
    1. skybrian

      I don't use my Yubikey all that often, just for registering new devices. It is convenient to have it on a keychain just in case. You can keep backup codes somewhere safe, but this is inconvenient if you don't have them while travelling.

      All devices can break, phones definitely included. A Yubikey is cheaper and should last longer than a spare smartphone.

      Maybe it's just because I read Krebs, but I don't see phishing as all that low risk these days. They are getting smarter.

      3 votes