[kwlug-disc] Yubi key

Doug Moen doug at moens.org
Tue Oct 25 11:42:35 EDT 2022 

I started learning about Yubikeys.

I was in the checkout ready to buy two, when it asked me to assent to the acceptable use policy. NOPE. It's not open source (I knew that already), you can't reverse engineer it (wasn't planning to), you can't test it against competing products and post a review (NO NO NO). I won't sign an NDA to use their cursed product.

The open source alternatives to Yubikey are Nitrokey, Solokeys, Onlykey.

Nitrokey v3 USB-A+NFC looks like a solid alternative to the corresponding Yubikey. I like Nitrokey as a company: they also sell the NitroPhone, which is a Pixel phone with Graphene preinstalled, and they also sell a plug-and-play box containing NextCloud. But shipping from Germany is more expensive than the product. So nope. The v3 firmware is written in Rust for security reasons, but this firmware was actually created by Solokeys. Nitrokey and Solokeys refer to each other as "partners", so I guess Nitrokey is contributing to the open source firmware project.

Solokeys v2 USB-A+NFC looks like a solid alternative to the corresponding Yubikey. The improvements from v1 are great enough that I would want the v2 version, even though there may be a shipping delay as they are still ramping up their manufacturing processes for this all new design (much more robust and secure hardware, much better firmware, written in Rust as I mentioned). Much cheaper since they are based in the USA and shipping to Canada is cheap. The Solokeys reddit has much more traffic than the Nitrokey reddit or the Onlykey reddit. This isn't very important, but maybe there is more North American community support.

Nitrokey and Solokeys support firmware updates, Yubikey doesn't. This is for security reasons: the firmware is complex, so updates are provided to patch security holes. Proprietary competitors like Yubikey etc can't do this but they do have a history of product recalls (you must buy new keys, register them with all your web sites, destroy the old keys). For security reasons, the firmware is signed. If you want to hack the Solokeys firmware, you can buy the "hacker" version, which doesn't require signed firmware, but is less secure. I don't want this, but I like that they offer this.

Onlykey is the original open source competitor to Yubikey. The Onlykey has some unique features. There is a 6 digit PIN keypad directly on the dongle for extra security. It can accept 3 different PINs: for two different users, plus a code to wipe the device. It also works as a password manager. I haven't researched the Onlykey as much as Nitrokey or Solokeys, so I don't know if I like/trust the hardware and software architecture.

I currently plan to get a pair of Solokeys. I like the product and the company.

But, does it work with free software? Unfortunately, the free software I use is still catching up to the new reality of security keys and WebAuthn. Not sure I can switch to using security keys yet.

On GrapheneOS (derived from Android), the official Fido2 API is locked up inside Google Play Services, and there's currently no free software alternative that I can actually use. Firefox and Vanadium web browsers support WebAuthn via Google Play Services, which is at least sandboxed on GrapheneOS (no other FOSS Android variant has this sandboxing). MicroG is getting Fido2 support, it's being tested but isn't useable yet. So I can have this on Graphene today, and Graphene is currently the best option, but installing the sandboxed Google Play Services is not acceptable to me. There is no support in the Bromite web browser (which is my current favourite on Android-ish OSes). Bromite will never use Google Play Services for policy reasons. There is a GPL 3 implementation of Fido 2, and there is user interest in modifying Bromite to use it, but no developer wants to do the work of integrating the use of this library into the Chromium code base and keeping it up to date. The GrapheneOS team officially wants a free implementation of Fido2 in Graphene, but the work hasn't been scheduled yet.

I only use Firefox and Ungoogled Chromium on Linux. Apparently, webauthn works on Linux. I haven't researched this much.

I am interested in hearing other people's experiences.

Doug Moen.

On Mon, Feb 7, 2022, at 10:23 AM, Darren Pond wrote:
> The Yubi key appears to be an affordable option to regain  control from Google dependant Ga 2fa.
> 
> Any one currently using the yubi 5 nf key. For purpose of android cell phone and kde linux cpu 2fa control. 
> 
> Do you use 2 one daily and second one off-site. Or simple record the " seed key" as backup option when the yubi goes missing or gets lost. Which in my world will happen at least once.
> 
> 
> Do you use the yubi app/program on your linux cpu? Did it install as expected?
> 
> My primary line of defence is hard copy off site record keeping. Keeping that current/up to date. Requires self discipline.
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> https://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kwlug.org/pipermail/kwlug-disc_kwlug.org/attachments/20221025/a9bb31d4/attachment.htm>

More information about the kwlug-disc mailing list