Security Keys (15 characters)

I am the only one who works on my MacBook. I don’t do any business on my devices, 2FA, Touch ID, I log out every time I leave the house, etc… and yet, the Geek Within Me really wants to buy some kind of FIDO device. Oh, so expensive. Do I really need them? Anyone have user experience and/or inexpensive recommendations?

Look, just put on the goggles and look straight ahead and don’t ask any questions, ok? haha

Really doesn’t sound like a FIDO device is something that you’d need. And you’d intentionally be making your computer more inconvenient to use. Do what you like, but I’d advise against it.

Sounds like you don’t need one, but they’re definitely fun.

My recommendation is expensive; I can’t speak to other brands:

  • YubiKey 5C Nano to keep plugged into your MacBook, assuming it has USB-C ports
  • YubiKey 5C NFC for your phone/travel
  • YubiKey 5C NFC for your offsite backup

There are periodic sales that’ll bring the cost down. It’s too bad you missed the Cloudflare promotion; you could’ve gotten these for about $50 total. :frowning:

Why do you not just use the Vault on your system?!

HA! The Steve Jobs Reality Distortion Field in full effect!

Not sure what you are referring to. I have everything locked down six ways til sundown already… FileVault, Touch ID, etc… the keys just look… fun, as @cornchip said…

I vaguely recall trying to get the Cloudflare deal… I don’t think I qualified (or something)

Yes, I am talking about FileVault.
All of those fancy 007 FIDO devices have a severe Weak point: The User…!

Are you a doctor? Lawyer? CPA? Do you have sensitive client files on your computer? Nuclear launch codes? Or are you like most people and the most sensitive data you have is something like your tax returns?

If you are using FileVault and have a reasonably long password, that I can’t guess by Googling you, then you are pretty secure. If your sensitive data is stored in something like 1Password or in encrypted DMG files then, IMO, you are golden.

When we make security more complicated than necessary we risk losing our data. And besides, most of the information people try to keep private is already known to someone.

Security keys are really neat and they can take your security up a notch, but the place to start is with a risk analysis to determine a threat model and then implement security best practices from there. One thing to keep in mind is that attackers, who only need to find one weakness to gain access, have the advantage over defenders. Another truism is that security is a process and not a product.

For example, I have family and friends who are activists in the human rights and environmental / animal rights movements and their threat models include a wide range of corporate and governmental surveillance. This includes using security keys and encrypted services to attempt to mitigate those risks as best they can.

Not the sort of thing that most folks need to worry about.

All that said, my employer requires security keys for those of us who have admin access to various cloud services. I also use them in my personal life as an additional MFA method with services which support them in addition to codes, such as Fastmail. Do I need to? Not really, but having multiple MFA options does provide some peace of mind. YMMV.

Thanks, all… this is strictly an “ooh, look… shiny” situation… and given the price, I think I will pass…