by jfim 2889 days ago
The NEO is pretty nice, especially when combined with the Yubico authenticator app for TOTP codes.

One issue with the authenticator apps (e.g. Google Authenticator) is that if you reset your phone, you lose all your secrets and need to reset 2FA for all your accounts. With the Yubico authenticator, the secret is stored in the key and the phone only gives a time signal and authenticates to the key over NFC. The app is also available for desktops, making it pretty easy to use 2FA without having your phone.

The NEO is older unfortunately, so it's only available in USB A form factor and has weaker crypto than newer Yubikeys (2048 bit vs 4096, iirc) for private keys stored in it if you're planning to use GPG (for email encryption or signing git commits). In practice, that's not a real limitation.

However, it also does not support signing Docker images, which is unfortunate.
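The split described in the comment above (secret held on the key, host supplying only the time), as an added example that is not part of the original post and is not Yubico's code: a simplified RFC 6238 model in which `TokenModel`, `host_challenge` and `code_at` are hypothetical names and the secret is the RFC's published test key.

```python
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds per TOTP step (RFC 6238 default)


class TokenModel:
    """Stand-in for the hardware key: stores the secret, exposes only codes."""

    def __init__(self, secret: bytes, digits: int = 6):
        self.__secret = secret  # never returned by any method
        self._digits = digits

    def calculate(self, challenge: bytes) -> str:
        """HMAC the host-supplied counter and truncate it (RFC 4226)."""
        if len(challenge) != 8:
            raise ValueError("challenge must be an 8-byte big-endian counter")
        mac = hmac.new(self.__secret, challenge, hashlib.sha1).digest()
        offset = mac[-1] & 0x0F  # dynamic truncation offset
        value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return str(value % 10 ** self._digits).zfill(self._digits)


def host_challenge(unix_time: int) -> bytes:
    """Host side (phone or desktop app): contributes the clock, nothing else."""
    return struct.pack(">Q", unix_time // TIME_STEP)


def code_at(token: TokenModel, unix_time: int) -> str:
    """One exchange: the host sends the time step, the token answers with a code."""
    return token.calculate(host_challenge(unix_time))


if __name__ == "__main__":
    # Constructed sample: the SHA-1 test key published in RFC 6238, Appendix B.
    token = TokenModel(b"12345678901234567890", digits=8)
    print(code_at(token, 59))          # 94287082
    print(code_at(token, 1111111109))  # 07081804
```

Because the host only ever sees the time step and the resulting code, wiping or replacing the phone leaves the enrolled secret untouched on the token.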

2 comments

When you use encrypted backups on iOS, Google Authenticator maintains its state and there's no need to reset 2FA. I'm sure there are similar mechanisms for Android.
There might be nowadays; I remember it didn't work for me when migrating between two Nexus phones (4 to 5X iirc) a couple of years ago.
I didn't realize that the Neo was so outdated. I wonder why 2FA with NFC hasn't caught on more.
No idea, since the NFC was actually pretty convenient. Considering the Yubico authenticator has a relatively small amount of downloads on the play store (50k), I'm guessing that feature wasn't used that much.

If you're thinking of getting the USB C versions of Yubikeys and using them with your phone, it does work, but since the Yubikey appears as a keyboard, it disables the Android keyboard while it's plugged in. If I remember correctly, U2F support on Android also requires installing the Google Authenticator app even though you might not store any codes in it.

You'd think it would be easier to have these things working.

Interesting. Didn't realize you could use that with Android. Sounds like the YubiKey 4C may be the best option for me since it looks like I could plug it directly into my phone and laptop.

Edit

Perhaps not as it seems it doesn't work with 2FA in Chrome. https://forum.yubico.com/viewtopic31fc.html?f=35&t=2798