Nits:

- Model: Ideal device is 5C.
- GPG: S key should not also be C. The point is the C key should be the root of S, E, and A so they can be expired, revoked, and rolled individually.
- NFC: Disable it or don't buy it. It's a wide attack surface. USB-C works with iPads and Android devices, iPhones <= 14 with an adapter, and iPhone >= 15.
- Backup & recovery: Contrary to YK doc, there are too many issues with multiple card-generated YK secrets and identifiers for practical use. Create an identical device (apart from card no) with a 2nd YK kept offsite in secure physical storage by loading secrets to both rather than generating them on-card. It's possible to do so securely on a trusted machine (say running Tails or Qubes OS on a physical new machine without internet).
- Reset PIN: It's foolish to not create one.
- FIDO2: Set up your own (deprecated but still works) private, firewalled-behind-NAT server from https://developers.yubico.com/u2fval/
- Linux and Mac workstations: Set up gpg-agent ssh-agent compatibility instead of the PIV method because it doesn't require their custom PKCS#11 module with an unproven security track record. And update the firmware with the Yubikey Manager app.
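The key layout and gpg-agent setup the comment argues for, as an added example that is not the commenter's own script: a certify-only primary with separate sign, encrypt and authenticate subkeys, then gpg-agent's ssh-agent emulation with the auth subkey registered in sshcontrol. It assumes GnuPG 2.1 or later and uses a constructed placeholder identity in a throwaway GNUPGHOME; the per-subkey `keytocard` step onto each YubiKey is only noted in a comment.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the hierarchy
# C(primary) -> S, E, A subkeys so each subkey can expire, be revoked or be
# rolled without touching the root of trust, then wires gpg-agent to SSH.
set -eu

# Create a certify-only primary key plus sign/encrypt/auth subkeys in
# GNUPGHOME "$1". Prints the primary fingerprint.
make_keyring() {
    export GNUPGHOME="$1"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    uid="Example User <example@example.invalid>"   # constructed placeholder
    # "cert" = certify capability only on the primary (no S on the C key)
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" ed25519 cert 2y >/dev/null 2>&1
    fpr=$(gpg --batch --list-keys --with-colons "$uid" \
        | awk -F: '$1=="fpr"{print $10; exit}')
    for cap in sign encr auth; do
        case "$cap" in encr) alg=cv25519 ;; *) alg=ed25519 ;; esac
        # Shorter expiry than the primary: subkeys are the part you roll.
        gpg --batch --pinentry-mode loopback --passphrase '' \
            --quick-add-key "$fpr" "$alg" "$cap" 1y >/dev/null 2>&1
    done
    # To load the same secrets onto two YubiKeys (primary + offsite spare),
    # back up $GNUPGHOME first, then run `gpg --edit-key $fpr` / `keytocard`
    # once per device on the offline machine. Not run here.
    echo "$fpr"
}

# Lowercase capability letters of primary and subkeys, e.g. "c s e a".
key_caps() {
    export GNUPGHOME="$1"
    gpg --batch --list-keys --with-colons "$2" | awk -F: \
        '($1=="pub"||$1=="sub"){gsub(/[A-Z]/,"",$12); printf "%s%s", sep, $12; sep=" "}
         END{print ""}'
}

# Turn on gpg-agent's ssh-agent emulation (no vendor PKCS#11 module) and
# register the auth subkey's keygrip in sshcontrol. Prints the keygrip.
enable_ssh_support() {
    export GNUPGHOME="$1"
    grep -qx 'enable-ssh-support' "$GNUPGHOME/gpg-agent.conf" 2>/dev/null \
        || echo 'enable-ssh-support' >> "$GNUPGHOME/gpg-agent.conf"
    grip=$(gpg --batch --list-keys --with-colons --with-keygrip "$2" | awk -F: \
        '$1=="sub"{cap=$12} $1=="grp" && cap ~ /a/ {print $10; exit}')
    echo "$grip" >> "$GNUPGHOME/sshcontrol"
    echo "$grip"
}
```

After `gpg-connect-agent updatestartuptty /bye` and pointing SSH_AUTH_SOCK at gpg-agent's ssh socket, `ssh-add -L` lists the auth subkey as an SSH public key.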