[talkingtab]

I am probably wrong, but I think Fido2 keys should be ubiquitous. They provide a hardened solution for some security situations, certainly they could be a good 2nd factor or 3rd, and hopefully they could reduce the password madness we have. Yubico appears focused on the enterprise and high end users resulting in higher prices. Solokeys seems more focused on individual users with lower prices.

Disclaimer I have two Yubico keys, and two Solokeys and they all work for me, but I don't need the extra functionality of the more expensive Yubico keys.

[_8j50]

They offer more security so what you say is true,but there is always a cost-benefit calculation to be had. They solve the human user authentication problem really well,but they do have a cost of ownership significantly higher than just passwords or even software authenticators.

You have to keep in mind that attackers want passwords to get access to some resource,not to just collect your password. Evem with a yubikey, an attacker can still get access to session/auth cookies post authentication to get access to a desired resource.

If the cost makes sense to you, they are the best way to do it,but if not there is no shame in other sane factors of authentication like TOTP or software attested webauthn.

I would restate what you said and say FIDO2 and/or WebAuthn need to be ubiqutous. It should be easy for some random guy working on ASP.NET site or something to support them.

right now even if you have it ,you can login to a handful of sites and that's it. For companies,they need to do SSO for everything with a yubi if they go that route.

[dangerface]

A solokey is $20 I wouldn't call that significant especially in comparison to the cost of losing your email, bank, steam account etc.

[_8j50]

You're talking about purchasing cost, there is additional cost as well. Who supports it,how much more does it cost to support. How easily can you issue new yubikeys,what is the cost of that delay? Do you still keep passwords or hope people keep their yubi's in a secure place?

Business cost example: some important guy is making a business deal but he lost/forgot his credential and can't login to show a presentation. If that credential is a password or TOTP key, he calls helpdesk and gets it sorted out. But if it is a FIDO key and they are on the other side of the planet (or a city close by where you have no support staff) that can humiliate not just the person but your whole company. Are hackers a bigger risk than a guy losing his yubikey? Depends on who you are and what you do. There are even more subtle costs like people forgeting their yubi at work/home and losing man hours for when they have to retrieve it. Malicious insiders swiping a fido key to do harm because of how much trust a session authenticated with a fido key has,etc...

[raxxorrax]

Agreed, the solution is pretty good. But honestly, I also have a yubikey and hardly ever use it aside from company stuff related password safes.

Aside from the bad form factor (nope, usb "top" isn't necessarily device "top"), it really requires a conscious effort to use them.

That said, theoretically they are awesome.

[pooloo1]

Don't get me wrong I love the idea of physical/hardware security; however, isn't the reason it is so effective right now because it is not mainstream?

[brazzy]

No. It's more effective because it's fundamentally more secure.

[tptacek]

Go on...?

[pooloo1]

Having a few vaults with security guards is a great deterrence as the reward is little for the high risk. Having many vaults with security guards draws a bit more attention...

[rsnor]

I’m having trouble understanding what you’re saying.

You’d think we’d be better off even with the higher attention, were it to exist, because the level of attention going into making FIDO2 as secure as possible would scale with its userbase. Same with any other security solution being implemented.