Ask HN: (Cheap) U2F Tokens?

2 points by dbmueller ↗ HN
What 2 factor authentication tokens are you using?

I know about the following (open source ones I think):

* u2fzero

* solo keys

* nitrokey

* tomu + the right firmware (which I guess is not really cryptographically secure)

I'd lean towards the solo keys since it's open source, and I haven't seen any criticisms, but tomu is quite cheaper. Also, which one support “cloning keys” at the setup phase so as to have a backup of your key?

What are your experiences? Recommendations?

10 comments

[ 873 ms ] story [ 373 ms ] thread
Not really an answer to your question but...

I think the main issue here is to find cryptographic chips in low quantities and diy-friendly packages. The f2c algorithms themselves are not exactly rocket science.

But are cryptographic chips actually needed for 2fa tokens to be useful. A lot of security risks are already covered by having a physical second factor, no?
I think it's mainly for secure storage and secure RNG people use them.

You can of course claim you need neither.

why would you want to clone keys? the point is when one is stolen or goes missing then the 2nd key is useless anyway and you would need new keys.
Well, it could also happen that your first key simply fails or gets broken, in which case it's easier to just have a backup.
well all the keys as stated will not allow you to clone keys, except potentially the solo key hacker version and the tomu (hacker version if there is one), as the whole concept behind the 2FA devices is that you can't read the crypto keys off the device, if you could then a reader/device could grab a copy of those keys and your 2FA is no longer secure.
same for u2fzero if it's not locked already, no?
probably, however i only know about the solokeys hacker as that is all i own, and even with that what you would want to do is modify the bootloader to only update with your own crypto keys that you then keep in secure offline storage.

As far as i can tell there is not documentation on how to do this but the 5min look i had at it made it look quite easy.

Do the 2fa services you are looking at using allow multiple keys to be configured per user? if so that would be a much better way to do it than cloning keys. they would still have their backup but there wouldn't be the same security issues that are apparent in the process of cloning the keys. If the computer you used to "clone" the keys had been breached prior to you cloning the keys then someone could theoretically find all your 2FA keys and your 2FA would be useless

Mmh, I don't have any specific service in mind. Concerning cloning, it's not such an important request, and if people have good reasons to think it's not worth it, I'm OK with that.

What was your experience with the solo keys, then? I gather they haven't implemented SSH and GPG key "management" yet: is that right? So for now it's just U2F it seems.

i mainly went with the solo for the usb-c (and opensource), correct they don't have ssh or gpg yet but apparently its close.

haven't had any problems with it but it does feel a bit flimsy (again haven't had any issues just based on the feel of it)