Hardware key phishing prevention vs saved URL in a password manager


I’ve been thinking about getting a hardware key (like YubiKey) to improve my security (against phishing attacks).

But the more I think about it the more I don’t get how YubiKey’s domain detection (facebook.com vs faceb00k.com) is different from my password manager’s saved URL (Bitwarden’s article explaining what I mean).

What do you think? Is YubiKey’s way so much better or just slightly better?

FYI I’m already also using TOTP as my 2FA.

Fundamentally, the only difference is that the password manager can treat multiple domains as one (a rule of example.com and example.net could be in the rules automatically or can be manually added if you know they belong to the same site and use the same logins).

TOTP can still be phished if you aren’t paying attention, and the benefit of hardware keys is that they are much harder to phish, and people like simple things to do for security. With a hardware key all you have to do is plug it in and press it; no need to quickly open a 2FA app, remember the code, and type it in, hoping you were fast enough. If you do go this route, make sure you get 2 hardware keys and write down the backup codes you get from the sites so you don’t get locked out.
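
The two domain checks compared in this thread, side by side, as an added example that is not part of any post above: a password manager's saved-URL match with an equivalent-domain rule, and the origin and RP ID checks a site performs on a WebAuthn assertion from a hardware key. All function names are hypothetical, the base domain is approximated as the last two labels, the RP ID is assumed equal to the host, and signature verification is left out.

```python
import hashlib
import json

# Constructed equivalence rule, mirroring the example.com / example.net rule in the thread.
EQUIVALENT_DOMAINS = [{"example.com", "example.net"}]

def base_domain(host):
    # Assumption: the last two labels form the base domain; real managers
    # consult the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def manager_offers_login(saved_host, visited_host):
    """Password-manager side: offer autofill on base-domain or equivalence match."""
    saved, visited = base_domain(saved_host), base_domain(visited_host)
    if saved == visited:
        return True
    return any(saved in g and visited in g for g in EQUIVALENT_DOMAINS)

def assertion_for(host, challenge):
    """What browser and authenticator produce for the page at `host` (constructed).
    Assumption: the RP ID equals the host."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": "https://" + host}).encode()
    # Authenticator data: SHA-256(RP ID) | flags (UP+UV) | signature counter.
    auth_data = hashlib.sha256(host.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    return client_data, auth_data

def server_accepts(client_data, auth_data, rp_id, challenge):
    """Relying-party side: origin and RP ID checks only; the signature check
    over auth_data and SHA-256(client_data) is left out of this sketch."""
    cd = json.loads(client_data)
    return (cd.get("type") == "webauthn.get"
            and cd.get("challenge") == challenge
            and cd.get("origin") == "https://" + rp_id
            and auth_data[:32] == hashlib.sha256(rp_id.encode()).digest())

def demo():
    challenge = "Y29uc3RydWN0ZWQ"  # constructed challenge value
    real = assertion_for("facebook.com", challenge)
    lookalike = assertion_for("faceb00k.com", challenge)
    return {
        "manager_real": manager_offers_login("facebook.com", "www.facebook.com"),
        "manager_lookalike": manager_offers_login("facebook.com", "faceb00k.com"),
        "manager_equivalent": manager_offers_login("example.com", "login.example.net"),
        "key_real": server_accepts(*real, "facebook.com", challenge),
        "key_lookalike": server_accepts(*lookalike, "facebook.com", challenge),
    }

if __name__ == "__main__":
    print(demo())
```

In the manager case the match only decides whether autofill is offered; in the key case the origin is written by the browser into the data the site verifies, so the check runs on the server without depending on the user.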