Ask HN: Alternatives to Yubikey?
I haven't had a good experiencing with Yubikey's support and sales team and I'm looking for an alternative.
What other keys are people actively using?
I'm interested in something with equivalent features to the Yubikey 4 (NFC not required, U2F mandatory).
90 comments
[ 3.2 ms ] story [ 157 ms ] threadThe alternative to Yubikey that I am aware of is NitroKey, but can't say I am aware of how they match up, feature for feature
It is also hackable: https://doc.satoshilabs.com/trezor-tech/resources.html
The downside of this and the Trezor is that you need a cable to connect it to a device.
I've had 2 Yubikeys replaced at their cost after published security exploits highlighted shortcomings. Also haven't had one fail on me yet. Would be curious to learn what your experience was.
- Lets me store certificates and PGP keys
- Has two factor authentication (U2F)
- Has open hard and software (source-available)
Basically, a USB pen drive that allows U2F, and is can be made read only (either by a switch or only writable over a special interface). I don't really need tamper-resistance, pre-generated keys, smart cards or any other advanced features.
At least that was my experience. If somedbody can correct me, I'd be incredibly grateful.
Please take a look at https://github.com/romanz/trezor-agent/blob/master/README-GP... for more details.
Disclosure: I am the main developer of this project.
You can have it emulate USB HID, so presumably U2F would be workable, and it'll do USB Mass Storage too.
Open hardware and software.
An FST-01 is a somewhat better choice, but Gnuk doesn't implement U2F. If someone has enough time and knowledge I don't see why it won't be possible to add it, though.
But are you sure it'll DFU over USB?
If so, for avoiding DFU, could you use some simple hardware to disable the data lines on the OTG port until the Pi had finished booting?
Could one use an i2c or spi based crypto chip for key storage?
Don't have Pi at hand to test for sure, but searching online can't find mentions of USB DFU. I think I may be mistaken.
I've been toying with the idea of building an open source replacement and fabbing it with a shuttle service but ultimately the cost is really too high to justify.
That said, I have looked for alternatives and found none.
I am most disappointed in the mediocre coverage of their RDP drivers. I need to use all the features over RDP. Some work and some don't.
* Do not allow smart card redirection Group Policy object
https://www.nitrokey.com
AFAIK they are used at Mozilla. The Firmware is Open Source. Downside is that not all their dongles support U2F.
The only dongle to support U2F is currently only available for pre-order, with ETA in autumn 2017.
- Doesn't support U2F (yet)
- Supports only one password manager [1]
- Recommends using their own password manager (That has a limit of 16 passwords)
[1] https://www.nitrokey.com/documentation/applications#a:passwo...
Note the NitroKey start is a gnuk implementation and is fully open source. The tamper-resistant models are using the BasicCard with Zeitcontrol software.
1) Ordered 2, received 1. Thankfully, support quickly sent the second one once I wrote to them.
2) Now they only work when I plug something else to another port to my Mac (no such problem with Yubikey). No reply since April 29: https://support.nitrokey.com/t/nitrokey-u2f-issues-in-macos-...
Edit: I now noticed they have a different U2F version — the previous one was a card that you fold to make it into a USB dongle.
1) We are changing our warehouse process, adding a technical QA step, so that such mistakes won't happen anymore. Sorry for the trouble.
2) As you noticed, the former U2F is going to be replaced by a new FIDO U2F device which contains a full USB plug for better reliability, is more durable and has a touch button.
(I've tried scouting around, but not found anything clear yet. Someone's done native support in ssh, but the patch set is hung up on licensing issues and technical quibbles[1], and some of the PAM-based setups seem to require cut-and-paste of crypto strings on every login.)
[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2319
http://www.bootc.net/archives/2013/06/09/my-perfect-gnupg-ss...
Coupled with a standard yubikey+gpg agent setup
Maybe look at my dotfiles if you are stuck:
- https://github.com/aviau/dotfiles
Hopefully they don't both break at the same time.
It is for the same reason that services like Google Mail won't let you set up a U2F token without a backup factor.
The device uses strong encryption (where legal), and goes beyond U2F to include password management, certificate storage, OTP/Google Auth, and plausible deniability. The hardware is teensy-based, and the firmware is open source. The devs have released fairly regular updates, and even encourage hacking on it to meet custom needs.
https://crp.to/p/
I am interested to find out more info on the tamper-resistance of the hardware.
More info at their site: https://crp.to/
Open source (-ish?) Yubikey alternatives
https://sc4.us/hsm/ $75 | https://news.ycombinator.com/item?id=12053181
https://trezor.io/ $99 | https://news.ycombinator.com/item?id=10795087 (not much on HN)
https://www.floss-shop.de/en/security-privacy/smartcards/13/... €16.40 (OpenPGP Smart Card v2.1; 4096-bit keys)
https://www.fidesmo.com/fidesmo/about/privacy-card/ €15 (NFC only; recommended by the terminated SIGILANCE OpenPGP Smart Card project; 2048-bit keys)
I'm all for the a DIY solution, but considering how much of a pickle I'd be in if all of my 2FA tokens were inaccessible, wouldn't the average person want some kind of case or shielding around the exposed board?
Give me an enclosure like Samsung's metal flash drives[0], and then I'd be sold.
[0]https://www.amazon.com/Samsung-METAL-Flash-MUF-32BA-AM/dp/B0...
[0] https://github.com/conorpp/u2f-zero/
It's fully open-source, but the only standard application currently supported is U2F.
Disclosure: this is my product.
Access Denied (content_filter_denied)
Your request was denied because of its content categorization: "Placeholders"
Not to dismiss YubiKey but companies that can afford 2 factor and take security seriously already have SecurID for a long time.
That "gold standard" required reissuing 40 millions of devices in 2011 due to a single server breach. Lockheed-Martin was apparently really, really happy about it, too.
If that's your desired level of security, just use any TOTP authenticator app on your smartphone.
A lot of mails going to the post office. That's one of the good thing about this hardware tokens, you can decommission and replace them easily.
What's expensive it to redo all your applications and systems to have 2 factor authentication.
The problem with many affordable TOTP tokens is clock drift. Are RSA's tokens better with that?
The problem currently is a) most sites want passwords b) I do not want to mess with cables c) NFC is not ubiquitous.
It could be a valid business decision (I.e. uneven browser support will confuse our users and increase costs) but I think they are just using that as a delay tactic.
The gotchas I've encountered while using them on OSX:
The "setup" instructions that are referenced in the packaging and on parts of the site are for basic use of OTP. Real documentation is here: https://www.yubico.com/support/knowledge-base/categories/gui...For people asking about backing up material on OpenPGP modules: these are write only. Generate your material locally with gpg instead of generating them on the smart card itself and use the keytocard command to copy the keys to the card. You can backup your keyring prior to moving keys and restore it before copying keys to each card or ctrl c out of gpg without saving the keyring references for the material that was moved to the smart card.
I used bits and pieces from a few guides to get the setup I wanted as this was my first experience with smart cards and advanced use of pgp:
https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubike...
https://rnorth.org/gpg-and-ssh-with-yubikey-for-mac
http://suva.sh/posts/gpg-ssh-smartcard-yubikey-keybase/
https://www.jfry.me/articles/2015/gpg-smartcard/
https://spin.atomicobject.com/2013/11/24/secure-gpg-keys-gui...
https://alexcabal.com/creating-the-perfect-gpg-keypair/
Overview of my process (on an air gapped machine):