by superuser2 3816 days ago
Hardware tokens are general purpose computers that have been locked down to the vendor's walled gardens. YubiKey is a JavaCard (in USB stick form factor) running some closed-source applets. There is a key that would allow you to load your own applets onto it, but Yubico won't tell you what it is.

From a software freedom perspective, hardware tokens/smart cards are no better than smartphones.

1 comments

There is a crucial difference here. With FIDO U2F I am not limited to Yubico's offerings; there are other vendors. FIDO U2F devices can be manufactured by any company (and are).

I agree that the ideal situation would be a device that is completely under the control of the user, but compared to iOS or Android, a hardware token that only does what it is supposed to do (in the case of the U2F tokens: register and sign authentication requests), and cannot be modified by the manufacturer after sale is very much preferable.

That's not a difference. You are also free to choose among many different smartphone manufacturers and OSes, all of which are capable of running a TOTP app.