I saw people talking about YubiKey here a few weeks ago so I got curious. Unfortunately, I’m not seeing a lot of helpful reviews for it.

I’m personally getting tired of having to take my phone anytime I need 2FA for Okta but I don’t have a lot of super important accounts to secure so I’m going back and forth in deciding whether the 100+ euro investment (to get two so that there’s a duplicate) would be worth it.

How do you use your YubiKey in your personal life and do you think it’s worth your use case ?

It's seems to have been common sense for a while now that Windows has good-enough security software that you don't need 3rd party tools but is it actually the case now? Is there anything to lose or gain from trusting 3rd party with this stuff?

For a long time now, I have been using KeePassXC for desktops and KeePassDX for Android. I keep everything synchronized neatly with Syncthing, which can be configured to operate over your WiFi or the internet through their gateways. This allows me to share a single KeePass file with another individual, provided I tell them the password.

I have a co-worker who is loving 1Password and while it looks great, something irks me about paying monthly for a password manager. I looked into Bitwarden for a "local cloud" and have seen very mixed results as well as not being sure if I could trust my own security configurations to do so.

I am primarily wondering what everyone else is using in search of something a bit more convenient (I'm not opposed to using the cloud) that has an app like KeePass that I can use for desktop apps, and not just in the browser (though I don't use that function often, truthfully).

Edit: Passkey support was mentioned in this comment and made me realize how important such support will be in the coming years. For those of you with password management solutions supporting it, how has it been?

I just received an Unknown Tracker alert on my Pixel 7 running Android 14 beta 5 for an Apple air tag that was on my son in laws key chain as I had borrowed his car.

I heard this was coming but didn't expect it so soon!

Quite impressed with both the information given and the general advice and steps to take offered.

The first notification was "Tracker Travelling With You: Unknown Apple air tag detected. The owner can see your location."

Touching "more info" then shows a map of where the tracker has been with me and the option to make the tracker play a sound to help locate it, with a note that the owner won't know you've done that.

Then more advice and options:

• If you feel unsafe, get help.
• Get and save tracker info
• Disable the tracker (with a how-to guide on battery removal)

And a ”need more help" link.

As I said, I had heard about this coming but was pleasantly surprised at how good it was and the general advice and help offered up.

Nice seeing things like this done right.

After 11 years of life, Google Authenticator has added cloud backups for OTP keys in version 6.0.

Google Security Blog: Google Authenticator now supports Google Account synchronization

This is surprising news to me, because historically Authenticator had no way to backup keys by design. Here's a 2017 quote from a Google engineer who maintains Authenticator:

There is by design NO account backups in any of the apps. ^[source]

This design choice always made sense to me, as the point of 2FA is that you've got (1) something you know, and (2) something you have. The second factor should be tied to a physical device. If you lose the physical device, the second factor should be gone, and you'll need to use one of those 10-ish backup codes that we all definitely keep somewhere safe. I'm quite befuddled that Google is reversing this design choice and walking back their previously strong, security-centric design for the sake of user convenience in the case of a lost phone. I used to advise my friends and family to choose Google Authenticator over Authy for this specific reason.

If you want further reading, here's a PCWorld article with an altogether different tone than Google's announcement: Google Authenticator’s long-awaited cloud 2FA feature carries hidden risk

I saw all the hype about Google's new passkey rollout on Hacker News and Ars Technica in the past month, and have even read an article stating that, paraphrased, "I should start using passkeys immediately, even if the tech is not all the way there yet."

Some questions:

• Are you using passkeys currently? Which provider?
• Is there a fear of vendor lock-in (looking at you, Apple) or ditching the product in the future (looking at you, Google)?
• Any other concerns I should be aware of, e.g. what happens if my phone gets run over by a bulldozer?