Ask HN: (Cheap) U2F Tokens?
What 2 factor authentication tokens are you using?
I know about the following (open source ones I think):
* u2fzero
* solo keys
* nitrokey
* tomu + the right firmware (which I guess is not really cryptographically secure)
I'd lean towards the solo keys since it's open source, and I haven't seen any criticisms, but tomu is quite cheaper. Also, which one support “cloning keys” at the setup phase so as to have a backup of your key?
What are your experiences? Recommendations?
10 comments
[ 873 ms ] story [ 373 ms ] threadI think the main issue here is to find cryptographic chips in low quantities and diy-friendly packages. The f2c algorithms themselves are not exactly rocket science.
You can of course claim you need neither.
As far as i can tell there is not documentation on how to do this but the 5min look i had at it made it look quite easy.
Do the 2fa services you are looking at using allow multiple keys to be configured per user? if so that would be a much better way to do it than cloning keys. they would still have their backup but there wouldn't be the same security issues that are apparent in the process of cloning the keys. If the computer you used to "clone" the keys had been breached prior to you cloning the keys then someone could theoretically find all your 2FA keys and your 2FA would be useless
What was your experience with the solo keys, then? I gather they haven't implemented SSH and GPG key "management" yet: is that right? So for now it's just U2F it seems.
haven't had any problems with it but it does feel a bit flimsy (again haven't had any issues just based on the feel of it)