Thank you everyone for the excellent info. I'm glad I asked.

On Tue, Aug 24, 2021 at 2:45 PM Kent Perrier <[email protected]> wrote:

> IIRC, the Yubi folks do recommend getting two, and using the second one as
> the backup authenticator in case the primary is lost/broken/etc. Put in a
> safe/safety deposit box for safe keeping.
>
> On Tue, Aug 24, 2021 at 2:13 PM Paul Boniol <[email protected]> wrote:
>
>> I agree with Tilghman, but would add there are NFC versions of
>> Yubikey's (still without battery), and USB-C connector (which may or may
>> not attach to your phone). If supported, it could be added as a backup
>> authentication method, but I don't recommend using them as the primary
>> method. (Left it at home, fell out of your bag, got eaten by a toddler, you
>> never know.)
>>
>> Paul
>>
>> On Tue, Aug 24, 2021 at 12:48 PM Tilghman Lesher <[email protected]> wrote:
>>
>>> There are multiple reasons why I'm not fond of hardware keys like that:
>>>
>>> The first I've already mentioned. If it's lost or misplaced, you've
>>> just lost your way of getting into the system.
>>>
>>> Second is the form factor. It's a USB A connector, which is fine when
>>> you're sitting at a desktop or a laptop that you own. What happens if
>>> you need to get into the machine, and the only thing you have is a
>>> cellphone or tablet, which likely doesn't have a USB A port? Do you
>>> keep a selection of dongles with you to make it fit? Or are you SOL?
>>> And if you're at a machine that you don't own, they may well either
>>> prevent you from accessing the USB port or have severe restrictions on
>>> what a USB device plugged in can be. For example, it might be limited
>>> to ONLY a mass storage device and not a USB keyboard. If that's the
>>> case, the Yubikey won't work.
>>>
>>> Third, while the Yubikey is powered off the device to which it's
>>> connected, and that's a nifty workaround to this problem, a lot of
>>> hardware keys have a sealed battery. That battery cannot be replaced,
>>> because the device will self-destruct (by design) if you try to open
>>> it up. So you're only good for as long as the battery life lasts.
>>>
>>> All that said, you also want to avoid using SMS as your second factor
>>> authentication, because the telecom network is not secure. If an
>>> attacker knows your phone number, they could attempt to steal your
>>> number and receive your SMS codes. While the telecoms have tried to
>>> close this security hole, in many cases, it's an insider attack, which
>>> can't be easily stopped without completely destroying number
>>> portability.
>>>
>>> On Tue, Aug 24, 2021 at 11:04 AM Michael L <[email protected]> wrote:
>>> >
>>> > That's another important reason why I'm asking: when my Pixel LCD became unusable, I couldn't login.
>>> >
>>> > Glad again I asked.
>>> >
>>> > On Tue, Aug 24, 2021, 10:08 Tilghman Lesher <[email protected]> wrote:
>>> >>
>>> >> I would suggest configuring PAM to use one of the myriad 2 factor
>>> >> authentication schemes, preferably one that isn't tied to a hardware
>>> >> key. For example, you can use a Google Authenticator scheme with an
>>> >> app like Authy, which will allow you to authenticate with multiple
>>> >> devices -- useful if you lose or temporarily misplace one of them.
>>> >> Authy will also work as a Chrome App -- just make sure that you only
>>> >> put it on devices that you can keep secure.
>>> >>
>>> >> https://hackertarget.com/ssh-two-factor-google-authenticator/
>>> >>
>>> >> On Tue, Aug 24, 2021 at 6:09 AM Michael L <[email protected]> wrote:
>>> >> >
>>> >> > I have a couple of sensitive logins which I need to keep secure online and offline. I see multiple USB devices from about $10 and up. I also see Google OpenSK and Predator DIY results.
>>> >> >
>>> >> > Does anyone have a recommendation?
>>> >> > Thanks everyone
>>> >> >
>>> >> > --
>>> >> > --
>>> >> > You received this message because you are subscribed to the Google Groups "NLUG" group.
>>> >> > To post to this group, send email to [email protected]
>>> >> > To unsubscribe from this group, send email to [email protected]
>>> >> > For more options, visit this group at http://groups.google.com/group/nlug-talk?hl=en
>>> >> >
>>> >> > ---
>>> >> > You received this message because you are subscribed to the Google Groups "NLUG" group.
>>> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> >> > To view this discussion on the web visit https://groups.google.com/d/msgid/nlug-talk/CALdmzXZM9KizB9jj6mgORek5W6NAQ%2BF3-fJ%3Dc04ov%3DNJAiD0wg%40mail.gmail.com .
>>> >>
>>> >> --
>>> >> Tilghman
>>>
>>> --
>>> Tilghman
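
Added example, not part of the thread or of any poster's code: the "Google Authenticator scheme" mentioned above is normally time-based OTP (RFC 6238), where the code depends only on a shared secret and the clock, which is why several enrolled devices can stand in for each other when one is lost. The sketch below assumes HMAC-SHA1 and 30-second steps, uses the RFC 6238 test key as a constructed secret, and the names totp, verify and demo are hypothetical.

```python
import base64
import hashlib
import hmac
import struct

def totp(secret_b32, unix_time, digits=6, step=30):
    """RFC 6238 code (HMAC-SHA1) for the 30-second step containing unix_time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, unix_time, window=1, last_step=None, step=30):
    """Return the matching time step, or None.

    Accepts +/- `window` steps of clock drift and refuses any step at or
    before `last_step`, so a code seen once cannot be replayed.
    """
    for drift in range(-window, window + 1):
        t = max(unix_time + drift * step, 0)
        ts = t // step
        if last_step is not None and ts <= last_step:
            continue
        expected = totp(secret_b32, t, len(submitted), step)
        if hmac.compare_digest(expected, submitted):
            return ts
    return None

# Constructed sample secret: the RFC 6238 test key, base32-encoded the way
# an enrollment QR code would carry it.
SECRET = base64.b32encode(b"12345678901234567890").decode()

def demo():
    now = 59                       # RFC 6238 test time
    phone = totp(SECRET, now)      # device 1 enrolled with SECRET
    laptop = totp(SECRET, now)     # device 2 enrolled with the same SECRET
    step = verify(SECRET, phone, now)
    replay = verify(SECRET, phone, now, last_step=step)
    return phone, laptop, step, replay

if __name__ == "__main__":
    print(demo())
```

Because every enrolled device holds the same secret, each copy has to be protected like a password, and the server should store the last accepted step per user to enforce the replay check.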
