[conspire] (forw) Re: [kwlug-disc] Yubi key

Rick Moen rick at linuxmafia.com
Tue Oct 25 14:48:47 PDT 2022


(No relation.)

Yeah, about YubiKey and all those thou-shalt-nots:  Screw that.

As noted in the thread, Google keeps pushing to eliminate passwords for
various Web services in favour of some extremely complex and
overengineered two-factor authentication thing
(https://en.wikipedia.org/wiki/WebAuthn) that is problematic
for existing open-source infrastructure.


----- Forwarded message from Doug Moen <doug at moens.org> -----

Date: Tue, 25 Oct 2022 11:42:35 -0400
From: Doug Moen <doug at moens.org>
To: KWLUG Discuss <kwlug-disc at kwlug.org>
Subject: Re: [kwlug-disc] Yubi key

I started learning about Yubikeys.

I was in the checkout ready to buy two, when it asked me to assent to
the acceptable use policy. NOPE. It's not open source (I knew that
already), you can't reverse engineer it (wasn't planning to), you can't
test it against competing products and post a review (NO NO NO). I won't
sign an NDA to use their cursed product.

The open source alternatives to Yubikey are Nitrokey, Solokeys, Onlykey.

Nitrokey v3 USB-A+NFC looks like a solid alternative to the
corresponding Yubikey. I like Nitrokey as a company: they also sell the
NitroPhone, which is a Pixel phone with Graphene preinstalled, and they
also sell a plug-and-play box containing NextCloud. But shipping from
Germany is more expensive than the product. So nope. The v3 firmware is
written in Rust for security reasons, but this firmware was actually
created by Solokeys. Nitrokey and Solokeys refer to each other as
"partners", so I guess Nitrokey is contributing to the open source
firmware project.

Solokeys v2 USB-A+NFC looks like a solid alternative to the
corresponding Yubikey. The improvements from v1 are great enough that I
would want the v2 version, even though there may be a shipping delay as
they are still ramping up their manufacturing processes for this all new
design (much more robust and secure hardware, much better firmware,
written in Rust as I mentioned). Much cheaper since they are based in
the USA and shipping to Canada is cheap. The Solokeys reddit has much
more traffic than the Nitrokey reddit or the Onlykey reddit. This isn't
very important, but maybe there is more North American community
support.

Nitrokey and Solokeys support firmware updates, Yubikey doesn't. This is
for security reasons: the firmware is complex, so updates are provided
to patch security holes. Proprietary competitors like Yubikey etc. can't
do this but they do have a history of product recalls (you must buy new
keys, register them with all your web sites, destroy the old keys). For
security reasons, the firmware is signed. If you want to hack the
Solokeys firmware, you can buy the "hacker" version, which doesn't
require signed firmware, but is less secure. I don't want this, but I
like that they offer this.

Onlykey is the original open source competitor to Yubikey. The Onlykey
has some unique features. There is a 6 digit PIN keypad directly on the
dongle for extra security. It can accept 3 different PINs: for two
different users, plus a code to wipe the device. It also works as a
password manager. I haven't researched the Onlykey as much as Nitrokey
or Solokeys, so I don't know if I like/trust the hardware and software
architecture.

I currently plan to get a pair of Solokeys. I like the product and the
company.

But, does it work with free software? Unfortunately, the free software I
use is still catching up to the new reality of security keys and
WebAuthn. Not sure I can switch to using security keys yet.

On GrapheneOS (derived from Android), the official Fido2 API is locked
up inside Google Play Services, and there's currently no free software
alternative that I can actually use. Firefox and Vanadium web browsers
support WebAuthn via Google Play Services, which is at least sandboxed
on GrapheneOS (no other FOSS Android variant has this sandboxing).
MicroG is getting Fido2 support, it's being tested but isn't usable
yet. So I can have this on Graphene today, and Graphene is currently the
best option, but installing the sandboxed Google Play Services is not
acceptable to me. There is no support in the Bromite web browser (which
is my current favourite on Android-ish OSes). Bromite will never use
Google Play Services for policy reasons. There is a GPL 3 implementation
of Fido 2, and there is user interest in modifying Bromite to use it,
but no developer wants to do the work of integrating the use of this
library into the Chromium code base and keeping it up to date. The
GrapheneOS team officially wants a free implementation of Fido2 in
Graphene, but the work hasn't been scheduled yet.

I only use Firefox and Ungoogled Chromium on Linux. Apparently, webauthn
works on Linux. I haven't researched this much.

I am interested in hearing other people's experiences.

Doug Moen.

On Mon, Feb 7, 2022, at 10:23 AM, Darren Pond wrote:
> The Yubi key appears to be an affordable option to regain control
> from Google-dependent Ga 2fa.
> 
> Anyone currently using the yubi 5 nf key for the purpose of android cell
> phone and kde linux cpu 2fa control?
> 
> Do you use 2, one daily and a second one off-site? Or simply record the
> "seed key" as a backup option when the yubi goes missing or gets lost?
> Which in my world will happen at least once.
> 
> Do you use the yubi app/program on your linux cpu? Did it install as
> expected?
> 
> My primary line of defence is hard-copy off-site record keeping.
> Keeping that current/up to date requires self-discipline.
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> https://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org


----- End forwarded message -----