Hacker News new | ask | show | jobs
by guerby 170 days ago
I bought several "Security Key NFC by Yubico": their cheapest model, no storage or fancy stuff.

My personal strategy is to use keys generated this way:

ssh-keygen -t ed25519-sk

Rules:

- A generated key never leave the machine it was generated on.

- ssh agent is never used

- ProxyJump in HOME/.ssh/config or -J to have convenient access to all my servers.

- DynamicForward and firefox with foxyproxy extension to access various things in the remote network from my local machine (IPMI, internal services, IoT, ...)

- On the web no passkey, only simple 2FA webauthn.

My understanding is that more features including "storage" means more attack surface so by avoiding it you're 1/ more secure 2/ it's cheaper.

White paper on passkey says their security is equal to the security of the OS (Microsoft Windows ...) so I avoid passkeys.
1 comments
PunchyHamster 170 days ago
The more expensive one works as smart card so you can both generate and keep the key as hardware only. Works for SSH and GPG too
link
smileybarry 169 days ago
The generated FIDO keys with "[...]-sk" are hardware-only too, the "key" you load is only an "identifier" associating the onboard passkey, allowing you to add it on multiple computers but still requiring the FIDO key present to use[1]:

> ssh-keygen(1) may be used to generate a FIDO token-backed key, after which they may be used much like any other key type supported by OpenSSH, so long as the hardware token is attached when the keys are used. FIDO tokens also generally require the user explicitly authorise operations by touching or tapping them.

> [...]

> This will yield a public and private key-pair. The private key file should be useless to an attacker who does not have access to the physical token. After generation, this key may be used like any other supported key in OpenSSH and may be listed in authorized_keys, added to ssh-agent(1), etc. The only additional stipulation is that the FIDO token that the key belongs to must be attached when the key is used.

IMO the baseline Security Key ($20) series is now enough, unless your setup uses PGP, legacy SSH that doesn't support these key types, or if you're using a real certificate for e.g. code signing.

1: https://www.openssh.org/txt/release-8.2#:~:text=The%20privat...

link