Securitykey - My review
Created: 17th October 2022 - Updated: 26th January 2023
I always want to push my security a little higher.
This time I found out about Yubikeys, but did not buy any until Cloudflare gave keys away at a discounted price.
My experience and info
I have now had them for a few weeks, and can see that I am going to continue using Yubikeys because they are more secure, but also make login faster than TOTP or app confirmation.
Some of the services also have red flags when using security keys.
Some require a less secure factor to be set as well, but in my eyes this lowers the security to the weakest factor in the mix.
Take Protonmail as an example: it requires TOTP as a factor when you have security keys, so the security bar is set at the height of TOTP and not the security key. A lack of security in my eyes.
Microsoft is also lacking when they require email or SMS as a fallback. I can see from their perspective that you will NEED a non-key factor to log in to their services without a Windows machine, but email or SMS? No thanks.
If I want to have security-key-only auth, then give me the option.
If I need to accept warnings and sign-in problems, then okay, BUT GIVE ME THE OPTION.
Some services require a FIDO PIN to be set, some do not.
The FIDO PIN is set either through the Yubikey Manager, or when registering the key with a service that requires a FIDO PIN.
If you forget the PIN, you will not be able to log in to the websites you have enrolled your key with (where a PIN is required).
If you want to reset this PIN: THEN ALL FIDO LOGINS WILL BE LOST FOR THIS KEY (INCLUDING NON-PIN).
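To check a key's PIN state before enrolling it anywhere (and how many attempts remain before it locks), here is an added example that is not part of the original post. It uses Yubico's python-fido2 package (`pip install fido2`, 1.x API assumed); the interpretation of the CTAP2 getInfo `clientPin` option follows the CTAP2 spec, and the hardware path is only reached when the script is run directly.

```python
"""Report a FIDO2 authenticator's PIN state before you enrol it (added example)."""
from typing import Optional


def describe_pin_state(options: dict, retries: Optional[int] = None) -> dict:
    """Interpret the CTAP2 getInfo 'options' map plus an optional retry count.

    clientPin absent -> PIN not supported (U2F/CTAP1-only key)
    clientPin False  -> PIN supported but not set yet
    clientPin True   -> a PIN is set; services demanding user verification will ask for it
    """
    client_pin = options.get("clientPin")
    report = {
        "pin_supported": client_pin is not None,
        "pin_set": client_pin is True,
        "retries_left": retries,
        "warnings": [],
    }
    if client_pin is None:
        report["warnings"].append("no PIN support: services that require a FIDO PIN cannot use this key")
    elif client_pin is False:
        report["warnings"].append(
            "no PIN set: a service that requires one will make you create it during "
            "registration; record it, because a PIN reset wipes every credential on the key"
        )
    elif retries is not None and retries <= 3:
        report["warnings"].append(f"only {retries} PIN attempts left before the key locks")
    return report


def main() -> None:
    # Hardware path: talks to every connected CTAP HID device (needs python-fido2).
    from fido2.hid import CtapHidDevice
    from fido2.ctap2 import Ctap2
    from fido2.ctap2.pin import ClientPin

    for dev in CtapHidDevice.list_devices():
        ctap = Ctap2(dev)
        retries = None
        if ctap.info.options.get("clientPin"):
            res = ClientPin(ctap).get_pin_retries()  # (retries, power_cycle) in 1.x
            retries = res[0] if isinstance(res, tuple) else res
        print(dev, describe_pin_state(ctap.info.options, retries))


if __name__ == "__main__":
    main()
```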
I have gathered and documented the services I use that support Yubikeys, and also the ones that support using an Android phone or a Mac as a security key, plus which services require a FIDO PIN to be set.
In this table I have opted to only use the FIDO/U2F 2-factor options and not the OTP options.
| Site | FIDO PIN required | Red flags |
|---|---|---|
| 1Password | No | TOTP required as fallback |
| Apple | Yes | Needs an iPhone, iPad or Mac to set up or change key settings. Sign-in on Apple Watch, Apple TV or HomePod requires an iPhone or iPad |
| Dropbox | No | SMS or TOTP required as fallback |
| Ebay | Yes | SMS or app required as fallback, 1 key only |
| Github | No | TOTP or SMS required as fallback |
| Microsoft (Personal) | Yes | Login to desktop apps is not possible on non-Windows machines, 2 fallback options required (email or SMS) |
| Microsoft (Azure AD) | Yes | Login to desktop apps is not possible on non-Windows machines |
| OVH | No | Requires setup with legacy U2F, which does not work on Chromium-based browsers |
| Paypal | No | Buggy setup, other method required, 1 key only |
| Protonmail | No | TOTP required as fallback |
| Wordpress | Yes | TOTP or SMS required as fallback |