There are multiple reasons why I'm not fond of hardware keys like that:

The first I've already mentioned. If it's lost or misplaced, you've just lost your way of getting into the system.

Second is the form factor. It's a USB A connector, which is fine when you're sitting at a desktop or a laptop that you own. What happens if you need to get into the machine, and the only thing you have is a cellphone or tablet, which likely doesn't have a USB A port? Do you keep a selection of dongles with you to make it fit? Or are you SOL? And if you're at a machine that you don't own, they may well either prevent you from accessing the USB port or have severe restrictions on what a USB device plugged in can be. For example, it might be limited to ONLY a mass storage device and not a USB keyboard. If that's the case, the Yubikey won't work.

Third, while the Yubikey is powered off the device to which it's connected, and that's a nifty workaround to this problem, a lot of hardware keys have a sealed battery. That battery cannot be replaced, because the device will self-destruct (by design) if you try to open it up. So you're only good for as long as the battery life lasts.

All that said, you also want to avoid using SMS as your second factor authentication, because the telecom network is not secure. If an attacker knows your phone number, they could attempt to steal your number and receive your SMS codes. While the telecoms have tried to close this security hole, in many cases, it's an insider attack, which can't be easily stopped without completely destroying number portability.

On Tue, Aug 24, 2021 at 11:04 AM Michael L <[email protected]> wrote:
>
> That's another important reason why I'm asking: when my Pixel LCD became
> unusable, I couldn't login.
>
> Glad again I asked.
>
> On Tue, Aug 24, 2021, 10:08 Tilghman Lesher <[email protected]> wrote:
>>
>> I would suggest configuring PAM to use one of the myriad 2 factor
>> authentication schemes, preferably one that isn't tied to a hardware
>> key. For example, you can use a Google Authenticator scheme with an
>> app like Authy, which will allow you to authenticate with multiple
>> devices -- useful if you lose or temporarily misplace one of them.
>> Authy will also work as a Chrome App -- just make sure that you only
>> put it on devices that you can keep secure.
>>
>> https://hackertarget.com/ssh-two-factor-google-authenticator/
>>
>> On Tue, Aug 24, 2021 at 6:09 AM Michael L <[email protected]> wrote:
>> >
>> > I have a couple of sensitive logins which I need to keep secure online and
>> > offline. I see multiple USB devices from about $10 and up. I also see
>> > Google OpenSK and Predator DIY results.
>> >
>> > Does anyone have a recommendation?
>> > Thanks everyone
>> >
>> > --
>> > --
>> > You received this message because you are subscribed to the Google Groups
>> > "NLUG" group.
>> > To post to this group, send email to [email protected]
>> > To unsubscribe from this group, send email to
>> > [email protected]
>> > For more options, visit this group at
>> > http://groups.google.com/group/nlug-talk?hl=en
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups
>> > "NLUG" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to [email protected].
>> > To view this discussion on the web visit
>> > https://groups.google.com/d/msgid/nlug-talk/CALdmzXZM9KizB9jj6mgORek5W6NAQ%2BF3-fJ%3Dc04ov%3DNJAiD0wg%40mail.gmail.com.
>>
>> --
>> Tilghman

--
Tilghman
