YubiKey. Should I purchase it?

Hi

I am considering purchasing YubiKey. Should I purchase it?

Any recommendations?

As far as I know, they are closed source (I mean the key itself)…

2 Likes

Yes, if you want to enhance your security, then it’s a no-brainer.

Just ensure you buy two, as you should have a backup in case you lose your primary YubiKey or encounter any unforeseen circumstances. One main key that you carry with you and another you store away in a safe place, and make sure you back up all the data from your main key. You will have to repeat this step for every website, as there is no backup method with YubiKey: you can’t export the key data.

Update: Since a person down below can’t read between the lines: if you want to enhance your security beyond the already established methods, then it is a no-brainer.

But if you don’t take the precautions I mentioned earlier, it won’t be beneficial for you. Take some time to reflect on how you envision using it. Read some guides and watch videos before taking the steps. Make sure that you’re comfortable with the process and that you’re the one who wants to take your security further while outweighing the cons.

2 Likes

There is OnlyKey, which is open source. But I don’t know how reputable they are. I would consider doing more research on it.

I am going to make a post to see what other people think of it:

Update: From further research, it seems OnlyKey is a good alternative if you prefer open source. I did make the post to see how others view the product if you want other opinions.

Also, this article here states:

The only downside – it takes some time to figure out how it works.

1 Like

It is not necessarily a no-brainer. It depends on whether your threat model really requires you to have a physical key when password managers are just as perfectly okay for your 2FA needs. Ente Auth of course works really well too.

And because you need to buy two, if you end up losing both - you are absolutely screwed. So, one must be very cautious when deciding to invest in this kind of a 2FA.

I personally recommend Ente Auth or, for a simpler setup, your password manager.

3 Likes

I currently use digital passkeys with Bitwarden.
Proton Pass and KeePass also support them (KeePassXC requires the browser extension).

Both the digital and physical keys are FIDO2 compliant. So the server communication should be nearly identical, and they offer much the same phishing protection.

The main difference I can think of is that a physical key would be more difficult to compromise if malware was on the device you’re using. I still wouldn’t use it on a device I don’t control if at all possible.
A physical key also requires specialised equipment to copy, while a digital key is just a file or data entry that can be copy-pasted.

I have little doubt that the physical keys are far more secure because of this physical access requirement.

But the cost is prohibitive in comparison to the benefits.
I plan on getting 2 YubiKeys at some point. The main benefit to myself at this point is that Apple doesn’t seem to support digital keys on anything other than an Apple device.
But at most, I’d only use them for Bitwarden and my email accounts, which all have 2FA and local backups.
So I’m in no rush to set it up with physical keys.

1 Like