Ask HN: Who else is uncomfortable with hardware 2FA for personal use?

[aunterste]

I just 'aborted' my Yubikey purchase again as I started to think through how many I would need to buy and where to leave them to be sure I always have access, even if my house burns down and/or the hardware key breaks, one gets lost etc.

I think hardware 2FA is great in a corporate environment where there is an administrator that can enable/disable accounts and issue a new HW key if required.

For personal accounts though, I somehow feel uneasy about reliance on a small piece(s) of HW. Having a great password manager, lots of 2FA (with TOTP, where I own and back-up the secrets) and have all of that secured with a cloud backup with a super strong password that I don't know or have to write down, but can recreate if need be (e.g. an MD-5 hash of a specific segment of a public text).

Too much? Anyone else has the same concerns or am I missing something?

[saltcured]

I have a pretty conservative (paranoid?) security posture, where I do not want any banking app or any ability to initiate or confirm financial transactions via my smartphone. I don't even use non-free apps because I refuse to have a credit card associated with my phone and its app store.

I also don't like the idea of many sites/services trying to roll their own 2FA and introducing custom phone apps. I frankly do not trust most vendors to design nor write secure software. I want an interoperable standard so I can choose a trusted authenticator and enroll it with as many different services as I need. I want to use such sites with my desktop/laptop browser and like the idea of 2FA login or transaction approvals to limit the chances of unauthorized use.

I don't mind using the phone as a 2FA token, but I want to have extra tokens as backup in case the phone is lost or damaged. The yubikey seemed attractive in that way, but support is not as good nor widespread as I would need.

I discovered absurd things like a bank allowing multiple tokens to be enrolled, but automatically expiring them if I don't use them frequently. This blocks the idea of enrolling a backup token to store safely offline.

I also want to disable any SMS/phone call/email mechanism to do account recovery by sending secrets through an insecure channel. Otherwise, the 2FA tokens are mostly useless security theater. But, for most things I would care about personally, this is not offered even if you enroll multiple tokens.

[jqpabc123]

For personal accounts though, I somehow feel uneasy about reliance on a small piece(s) of HW.

Most people already have a small piece of hardware called a phone that can be applied to the same effect.

Free/open source TOTP apps are readily available for both iOS and Android. This isn't rocket science, it's a simple SHA hash that either works or it doesn't.

What if you lose your phone? Remember --- this is 2FA so you need more than my phone to access my accounts. My TOTP app is password protected and I have a backup of the keys so I can easily transfer to another phone or use a desktop app to access my accounts.

What happens if you lose your hardware key? Perfect security does not exist.

[aunterste]

I think that's my point though, I can easily lose my phone, no harm done if one has the seed-values for the TOTPs and they are protected on the phone.

It's not so much asking for 'perfect' security - I agree, that doesn't exist.

But do HW security tokens create a probability of a hard lock-out that outweighs the security/convenience they provide.

[jqpabc123]

But do HW security tokens create a probability of a hard lock-out that outweighs the security/convenience they provide.

If you lose your key, you're locked out --- simple as that.

About the only reasonable way to create a backup is by buying/using/registering multiple keys. But at $40+ each, the cost adds up quickly.

It is hard to beat your phone for overall convenience. My phone is always with me and with my TOTP keys backed up to secure on-line storage, I can easily restore these to another device if/when needed and continue with only a minor hesitation. For most people, this is the most convenient/least expensive/best all around solution IMO.

[joshenders]

I purchased three keys for each family member for Christmas. They’re not the most technically savvy and it hasn’t been an issue for them at all.

(One is on their keychain with an AirTag, one is stored securely in their home. One is stored offsite.)

Every site I’ve registered them with has allowed me to register all three keys. Nobody has lost a key yet (thanks AirTag) but it wouldn’t be a huge ordeal if they did. Just delete that key from their services and use a backup.

[nimih]

You should really start by thinking through your so-called "threat model": what are the things you're actually trying to protect against, and what risks are you comfortable with? There's never going to be a perfectly secure solution, so you should really be trying to enumerate and assess the trade-offs you're making and whether they're worth it.

Speaking personally, I feel like my primary concerns are:

- ease of use (if something is a pain in the ass, I've found I won't use it in practice, in spite of what I know is in my best interest)

- credential stuffing/data breaches

- phishing

- getting locked out of my accounts due to losing my credentials

In particular, I think that, although a password manager plus any sort of 2FA mitigates credential stuffing concerns pretty well, HW 2FA is probably more effective against phishing compared to a TOTP app or email 2FA[1]. Purchasing a single backup key that I have a trusted family member hold on to, plus printing out recovery codes and storing them in the same place I keep other important personal documents (passport, birth certificate), is for me is a pretty reasonable hedge against lost credentials[2]. I also personally find HW 2FA to be much more convenient than TOTP authenticator apps in general[3]. Thus, I use a hardware 2FA token (at least for "important" accounts) and sleep pretty soundly at night, but that's very much the result of my own specific concerns, preferences, and priorities.

[1] A hardware key is able to validate the domain directly and mainly relies on the browser not fucking up[1a], whereas SMS/email/TOTP tokens require the user to evaluate the authenticity of the form they're filling out. Obviously there's some subtlety here, since a PW manager browser extension can also do domain validation, but at the end of the day, I think there's some non-trivial benefit to using a HW token.

[1a] Chrome's WebUSB API is an interesting case study here.

[2] I actually lost my primary HW token earlier this year, and so got the opportunity to test out my recovery plan. Having done so, I'd recommend anyone who depends on HW tokens to go through a similar exercise (preferably simulated, rather than "for real"), if nothing else than to get some very satisfying peace of mind.

[3] I suspect this is not a universally held opinion.

[raxxorraxor]

I mostly use a prefix generated from the name of the service + the yubikey button to paste the rest. If my key would fail I still have pwd reset options and I keep a copy of it in a password safe. That said, the dongle is a few years old and it still seems to work just fine while being subjected to mechanical strain from other keys.

I dislike any form of 2FA with my phone involved. Low battery, low privacy, phones just generally suck if they are involved in security. I would even prefer the old SMS while being staunchly aware that and code will be send in free text.

Still better than some shitty random app from the shitty app store.

I would be careful about a hash of a public text. I certainly would at least XOR it with secret value, even if its appearance in rainbow tables is very unlikely.

[travisporter]

Slightly related, I paid for and use the OTP auth app on ios which syncs via icloud. I just wish I had an old-school hardware token that would sync with it (like this https://www.token2.com/shop/product/token2-molto-1-i-multi-p...)

[shaftway]

I would never use a hardware 2FA on any service with no other way in. But that doesn't make them not-valuable. For me the ideal setup is a service that offers a SMS verification code or a 2FA token. The 2FA is far more convenient for me, but if I don't have it the SMS is there as a backup and I can get in to unregister or register a new 2FA token.

[unstatusthequo]

I’d rethink SMS as a secure authentication vector. Too easy for SIMjacking to happen.

[aborsy]

I am uncomfortable from another direction. Yubikey is closed source. It could contain a vulnerability or backdoor that allows extraction of secrets whenever connected (without PIN or password).

What are the chances?

[h2odragon]

Do you really need that much security? What is it you're securing, exactly? Neither my cookie recipe nor the extensive collection of h0rse is worth a great deal of effort to deny others access; I don't have need for obtrusive security measures.

If you do have secrets that are valuable enough to justify the effort; have you really put in the effort to secure them? Or have you got multifactor authentication and fancy encryption happening on a system that's physically available to anybody from the janitorial services company all night? The equivalent of a big impressive vault door standing alone without walls around it.