I have two Yubikeys and I use them both on every service that supports FIDO as a 2FA method. One of them is always on my keychain and comes with me everywhere I go, while the other stays in the house.
Then I also use the Yubico Authenticator app on my computers and phone and have my TOTPs stored in both Yubikeys. That way, no matter where I am, as long as I have one of my Yubikeys and access to a machine with the Yubico Authenticator installed, I also have access to my TOTPs.
If you do that, make sure that you back up your TOTP seed each time you set one up for an account, because after you set up a new TOTP on a Yubikey there is no way to export the seed after the fact. Which means that if you lose one of your Yubikeys and you don’t have a backup, there is going to be no way to set up a new Yubikey with the same TOTP seeds.
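The seed-backup point above can be checked before the seed is filed away: a TOTP code is a pure function of the seed and the current time, so a backed-up seed that reproduces the code the key is displaying is one that can later be enrolled into a replacement key. The following is an added example, not code from the post or from Yubico. It implements RFC 4226/6238 in Python with the standard library only; the seed is the RFC 6238 reference secret (constructed sample, labelled as such), and the helper names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample seed: the RFC 6238 reference secret ("12345678901234567890"
# in ASCII) encoded as base32, the form found in an otpauth:// URI or QR code.
BACKUP_SEED_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(seed_base32: str) -> bytes:
    """Decode a base32 TOTP seed, tolerating spaces, lowercase and missing padding.

    Seeds copied from a QR code or a setup page are often shown in groups of four
    lowercase letters; all of those forms decode to the same key bytes.
    """
    cleaned = seed_base32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding the display dropped
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation,
    then reduce modulo 10**digits and left-pad with zeros."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_base32: str, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / period)."""
    return hotp(decode_seed(seed_base32), unix_time // period, digits)


def backup_matches_device(seed_base32: str, code_shown_on_device: str,
                          unix_time: Optional[int] = None, period: int = 30) -> bool:
    """Compare a backed-up seed with the code a hardware key is displaying right now.

    One period of clock skew either way is tolerated, the same allowance most
    services make, so a code read a few seconds late still verifies.
    """
    now = int(time.time()) if unix_time is None else unix_time
    candidates = {totp(seed_base32, now + delta * period, period) for delta in (-1, 0, 1)}
    return code_shown_on_device in candidates


if __name__ == "__main__":
    # Read the six digits off the key, then confirm the stored seed reproduces them.
    shown = input("Code currently shown by the key: ").strip()
    print("backup OK" if backup_matches_device(BACKUP_SEED_BASE32, shown) else "MISMATCH")
```

Run it once right after enrolling the account, with the seed you are about to store; if the code matches, the stored seed is the one the key holds, and that is what a second key (or a replacement for a lost one) will need. Keep the backup offline and treat it with the same care as the password, since anyone holding the seed can generate the same codes.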
I use a security key (3 keys total, 1 that I carry and 2 backups) for just 3 accounts: my password manager and two other important accounts. The rest of my 2FAs are TOTPs stored in my password manager. For me this feels like a good compromise between security and convenience.
If a stealer gets one of my keys, he doesn’t get access to everything (especially email which is the most sensitive).
And also, if he manages to get the keys, he will need time to find which key is bound to what, it will help me delete the key.
And if a key is stolen, it will be faster to make it useless.
The goal would be to use keys from multiple manufacturers but still have the master key at home.
And also I don’t know if keys have a limited amount of accounts for FIDO.
I think how much of an issue physical theft is depends on how you intend to use your key, and your expectations.
The way I use my key is as a 2nd factor. Defending against physical theft is out of scope for me because physical theft would not be catastrophic; it is only 1 of 4 things they would need to compromise my account. In addition to the key they would need to know (1) where I used it, (2) what username or email address was used, and (3) my password.
The point of two factor is to have two separate factors that complement each other (the key is resistant to phishing, hacking, malware, etc., but weak against physical theft; your login credentials are resistant to physical theft but more vulnerable to phishing/hacking/malware/etc.).
But if you are intending to use your key as your one and only factor, then yes, I can see how you would be concerned with physical theft (but I don’t think multiple keys would sufficiently mitigate this).
edit: I would also add that if your primary concern is physical theft, I don’t think a security key is the best option for you, unless you can protect it with a PIN as well (and I believe you can with some).
Techlore is spreading privacy and security to the masses. The Techlore Discussions forum is a home for reasonable privacy and security discussions.