Yubico Key with NFC

Everywhere I look people are being scammed: friends, family, reading about it daily in the news…

Even though I am a good 1Password user and use 2FA, I am thinking of buying a Yubico key with NFC.
Has anyone any experience? Is this overkill? Am I being paranoid?

Good write-up of some of the issues on the Mac/iOS side: https://arstechnica.com/information-technology/2020/07/apple-has-finally-embraced-key-based-2fa-so-should-you/


That’s a good article. I wasn’t aware of the support added this year.

Generally, while I think the move to hardware keys is a good one, you only need to take that step if you don’t trust your 2FA code app, or don’t trust yourself or others on the account to not inappropriately give out the code. A secure 2FA app on a phone can’t be intercepted without gaining physical access to the device, unlike SMS.

Yes, I’ve been doing this for a few years now. Well, not the NFC ones, but Yubico in general.

Maybe? If you’re already using 2FA, I’m not sure that you get a whole lot from a physical security key, unless you are willing to go to extremes that most people won’t want to go to.

As far as I have seen in any of the places that support security keys:

  1. If you don’t also use a 2FA app like Google Authenticator, Authy, 1Password, then you are relying on this one physical device to allow you access to your accounts. Which means that you need at least two of them, because what are you going to do if you lose it or it just stops working for no explicable reason? You need a backup. One is none.

  2. I’m not even sure that you can use only a security key without some other 2FA, either an app, or backup codes, etc.

  3. So what you are doing, in reality, is saying “This security key is my primary way of authenticating to your 2FA challenge system, but if I don’t have my key, I can still use one of those fallback methods, such as one of the authenticator apps.”

If you wanted to go hardcore and go physical security key only for some account, make sure that you know how good their customer support is, and what the procedure would be if you lose your device. Is there another way to prove who you are, or are you just locked out of your account forever?

I certainly wouldn’t put a regular Gmail account solely behind a security key without another alternative, because good luck getting someone to help you with that mess.

I can tell you how to get $100 worth of value for a $50 purchase.

If you understand the limitations but are still interested

Go to Ars Technica Store and sign up for their “Ars Pro ++ : $50/year” plan, and you will be able to get a “free” Yubico key, including the NFC one, which costs $50. So you’re getting two things that usually cost $50 each, but you’ve only paid $50. That’s a pretty good deal, and if you’re a MPU user, Ars Technica should be on your list of sites that you read, IMO.


My advice about this kind of thing in general is that if you cannot describe very specifically what risk you’re trying to mitigate with a security control, how likely that risk will result in an incident of concern for you, what the risks of applying that control are, how much the control costs to apply, and how to deal with a failure of the control, then you’re likely not ready to (or needing to) apply it. Once you understand those things, you’ll be in a much better place to decide if this is something that you need.

Example: You say you’re worried about being scammed. MFA is a good control to use when password compromise is a likely threat event. However, it’s far less useful to combat phishing scams. To further muddy the waters, some kinds of MFA (SMS based, for example) can actually weaken security under some circumstances.

It’s complicated 🙂
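An added example, not part of any post in this thread, of the property that sets a FIDO2/WebAuthn key (what a YubiKey is used for on sites like Google and Apple) apart from a TOTP code on the phishing question the post above raises: the relying party checks that the origin the browser reports and the rpId hash inside the authenticator data match its own site, so an assertion produced while the user is on a lookalike domain is rejected. The relying party name, challenge and the minimal checker are constructed for illustration; the key's signature check is omitted.

```python
import base64, hashlib, json, struct

RP_ID = "example.com"                    # constructed relying party id
EXPECTED_ORIGIN = "https://example.com"  # origin the RP expects the browser to report

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_assertion(client_data_b64: str, auth_data: bytes, expected_challenge: bytes) -> bool:
    """Origin/rpId binding checks of a WebAuthn assertion (simplified: no signature check).
    A TOTP code carries none of this, which is why it can be relayed from a phishing page."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False
    # The browser fills in origin; a lookalike site cannot claim to be the real one.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False
    # authenticatorData = rpIdHash(32) | flags(1) | signCount(4) | ...
    if len(auth_data) < 37:
        return False
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False
    if not flags & 0x01:  # UP bit: the user touched the key
        return False
    return True

def make_client_data(origin: str, challenge: bytes) -> str:
    """Constructed clientDataJSON, shaped as a browser produces it for a given origin."""
    payload = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(payload).encode())

def make_auth_data(rp_id: str, sign_count: int = 1) -> bytes:
    """Constructed authenticatorData with the UP flag set."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + struct.pack(">I", sign_count)

CHALLENGE = b"constructed-32-byte-challenge!!!"  # constructed sample challenge

def demo():
    """Returns (genuine login accepted, assertion made on a lookalike domain accepted)."""
    good = verify_assertion(make_client_data("https://example.com", CHALLENGE), make_auth_data("example.com"), CHALLENGE)
    phished = verify_assertion(make_client_data("https://examp1e.com", CHALLENGE), make_auth_data("examp1e.com"), CHALLENGE)
    return good, phished
```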