
Ask HN: Alternatives to Yubikey? - eekthecat
I haven't had a good experience with Yubikey's support and sales team and I'm looking for an alternative.

What other keys are people actively using?

I'm interested in something with equivalent features to the Yubikey 4 (NFC not required, U2F mandatory).
======
j_s
This came up last week on the OpenPGP discussion; here's a re-post -- no one
else has mentioned the sc4-hsm yet.
[https://news.ycombinator.com/item?id=14495213](https://news.ycombinator.com/item?id=14495213)

Open source (-ish?) Yubikey alternatives

[https://sc4.us/hsm/](https://sc4.us/hsm/) $75 |
[https://news.ycombinator.com/item?id=12053181](https://news.ycombinator.com/item?id=12053181)

[https://trezor.io/](https://trezor.io/) $99 |
[https://news.ycombinator.com/item?id=10795087](https://news.ycombinator.com/item?id=10795087)
(not much on HN)

[https://www.floss-shop.de/en/security-
privacy/smartcards/13/...](https://www.floss-shop.de/en/security-
privacy/smartcards/13/openpgp-smart-card-v2.1) €16.40 (OpenPGP Smart Card
v2.1; 4096-bit keys)

[https://www.fidesmo.com/fidesmo/about/privacy-
card/](https://www.fidesmo.com/fidesmo/about/privacy-card/) €15 (NFC only;
recommended by the terminated SIGILANCE OpenPGP Smart Card project; 2048-bit
keys)

~~~
noja
Fixed link: [https://www.floss-shop.de/en/security-
privacy/smartcards/13/...](https://www.floss-shop.de/en/security-
privacy/smartcards/13/openpgp-smart-card-v2.1)

------
tptacek
It's worth considering: almost nobody who uses Yubikeys loves them, but they
are by a wide margin the tokens experts recommend most.

~~~
dkhenry
I use my yubikey and I love it. I have it set up to do GPG, SSH, TOTP, and U2F
and it works great. It is worlds better than any other Smart Card or second
factor out there, and U2F is literally just plug it in and tap it.

~~~
atmosx
Is there any sort of backup in case it gets destroyed or lost? Can you clone
it?

~~~
tptacek
The entire security model depends on the devices being uncloneable.

~~~
noja
But my security model does not allow putting myself in a position where I am
stranded without my second factor (or doing huge amounts of work re-
registering everything).

~~~
tptacek
That's why you set up backup factors.

It is for the same reason that services like Google Mail won't let you set up
a U2F token without a backup factor.

------
cafogleman
I recommend the OnlyKey: [https://www.amazon.com/OnlyKey-Color-Password-
Manager-Obsole...](https://www.amazon.com/OnlyKey-Color-Password-Manager-
Obsolete/dp/B06Y1CSRZX)

The device uses strong encryption (where legal), and goes beyond U2F to
include password management, certificate storage, OTP/Google Auth, and
plausible deniability. The hardware is teensy-based, and the firmware is open
source. The devs have released fairly regular updates, and even encourage
hacking on it to meet custom needs.

~~~
voidz
Does not ship to the Netherlands... Meh!

~~~
cafogleman
They have an international version that does not ship with encryption of the
data stored on the device, to deal with the various laws around encryption in
other countries. However, there's no hardware difference, and since it's all
open-source, there's nothing stopping you from loading the "US" firmware on
the "International" version.

More info at their site: [https://crp.to/](https://crp.to/)

~~~
voidz
Perfect. Thank you!

------
wslh
Trezor? [https://blog.trezor.io/secure-two-factor-authentication-
with...](https://blog.trezor.io/secure-two-factor-authentication-with-
trezor-u2f-e940fd5a60af)

It is also hackable: [https://doc.satoshilabs.com/trezor-
tech/resources.html](https://doc.satoshilabs.com/trezor-tech/resources.html)

~~~
anonova
Another hardware wallet that supports FIDO/U2F is the Ledger Nano S:
[https://www.ledgerwallet.com/products/ledger-
nano-s](https://www.ledgerwallet.com/products/ledger-nano-s)

The downside of this and the Trezor is that you need a cable to connect it to
a device.

------
captainmuon
While we're at it, is there one that:

\- Lets me store certificates and PGP keys

\- Has two factor authentication (U2F)

\- Has open hard and software (source-available)

Basically, a USB pen drive that allows U2F, and can be made read only
(either by a switch or only writable over a special interface). I don't really
need tamper-resistance, pre-generated keys, smart cards or any other advanced
features.

~~~
epistasis
The difficulty with PGP keys, is that the most common implementation, GPG,
wants complete control of the device and does not let it be shared so that
other interfaces, like PKCS# can be used. So if you want something for both
GPG and other purposes, it really needs to present as two separate devices, or
you need to go hacking a branch of GPG. When I looked into doing this, it
seemed that upstream would not be interested in interoperation with other
smart card standards, so it may not get accepted into upstream.

At least that was my experience. If somebody can correct me, I'd be
incredibly grateful.

~~~
roman_zeyde
I can suggest using TREZOR and Ledger Nano S hardware devices for common GnuPG
operations, e.g. signatures and decryption.

Please take a look at [https://github.com/romanz/trezor-
agent/blob/master/README-GP...](https://github.com/romanz/trezor-
agent/blob/master/README-GPG.md) for more details.

Disclosure: I am the main developer of this project.

------
dsl
NitroKey ([https://www.nitrokey.com/](https://www.nitrokey.com/)) is the non-
crappy version of YubiKey.

~~~
dchest
I have two of their U2F and if the OP's problem is sales and support, I'm not
really sure Nitrokey are without issues as well:

1) Ordered 2, received 1. Thankfully, support quickly sent the second one once
I wrote to them.

2) Now they only work when I plug something else into another port on my Mac (no
such problem with Yubikey). No reply since April 29:
[https://support.nitrokey.com/t/nitrokey-u2f-issues-in-
macos-...](https://support.nitrokey.com/t/nitrokey-u2f-issues-in-
macos-10-12-4/444)

Edit: I now noticed they have a different U2F version — the previous one was a
card that you fold to make it into a USB dongle.

~~~
jans23
Feedback from Nitrokey (I'm working with them):

1) We are changing our warehouse process, adding a technical QA step, so that
such mistakes won't happen anymore. Sorry for the trouble.

2) As you noticed, the former U2F is going to be replaced by a new FIDO U2F
device which contains a full USB plug for better reliability, is more durable
and has a touch button.

~~~
dchest
Great, thank you!

------
graystevens
Here is a list that someone has collated -
[http://www.dongleauth.info/dongles/](http://www.dongleauth.info/dongles/)

The alternative to Yubikey that I am aware of is NitroKey, but can't say I am
aware of how they match up, feature for feature

------
lisper
[https://sc4.us/hsm](https://sc4.us/hsm)

It's fully open-source, but the only standard application currently supported
is U2F.

Disclosure: this is my product.

~~~
chaz6
FYI your website is blocked by my work proxy:-

Access Denied (content_filter_denied)

Your request was denied because of its content categorization: "Placeholders"

~~~
lisper
Very sorry about that, but I have no idea what I can do about it. The page is
not a placeholder. It's a very generic Bootstrap page with real content.

------
debatem1
I've given up on yubikey at this point. I love the form factor, but it was
easier in the end to build a different second factor infrastructure than it
was to deal with the company.

I've been toying with the idea of building an open source replacement and
fabbing it with a shuttle service but ultimately the cost is really too high
to justify.

------
2bluesc
What was your issue with support?

I've had 2 Yubikeys replaced at their cost after published security exploits
highlighted shortcomings. Also haven't had one fail on me yet. Would be
curious to learn what your experience was.

~~~
eekthecat
They are unresponsive for really simple questions (email/Twitter). Their local
reseller is not interested in non-business sales.

~~~
thehigherlife
What are you hoping to do with yubikey / what was your question?

------
rbjorklin
The DIY open source alternative: [https://u2fzero.com/](https://u2fzero.com/)

~~~
AdmiralAsshat
Is...that...safe?

I'm all for a DIY solution, but considering how much of a pickle I'd be in
if all of my 2FA tokens were inaccessible, wouldn't the average person want
some kind of case or shielding around the exposed board?

Give me an enclosure like Samsung's metal flash drives[0], and then I'd be
sold.

[0][https://www.amazon.com/Samsung-METAL-Flash-MUF-32BA-
AM/dp/B0...](https://www.amazon.com/Samsung-METAL-Flash-MUF-32BA-
AM/dp/B013CCTM2E/ref=sr_1_1?ie=UTF8&qid=1497289973&sr=8-1&keywords=samsung+flash+drive)

~~~
rbjorklin
The Github page has this to say: "The token should be durable enough to
survive on a key chain for years, even after going through the wash." [0] I'd
guess covering it all with hot glue would provide sufficient protection.

[0]
[https://github.com/conorpp/u2f-zero/](https://github.com/conorpp/u2f-zero/)

~~~
dom0
Hot snot gets icky with time, rather use a conformal coating; they're
available in spray-form as well (e.g. CRC Urethan or Plastik 70). That being
said FR4 is a really tough material and it's quite difficult to pry SMD parts
off.

------
chipz
Slightly off topic, is it possible to create one with similar function to
yubikey with a USB flash drive?

------
chx
For me, the ideal solution would be a cross platform password manager software
which stores your encrypted vault ... somewhere -- I hate the "cloud" word but
let's use it -- and then has a small display which the password manager on
your phone can read and decrypt the vault with it. It's just a few hundred
(thousand at most) bits that you need to carry across, not a big deal. For
desktop / laptop / charging, it needs to be USB pluggable. Physical form
factor approximately like
[https://www.adafruit.com/product/2690](https://www.adafruit.com/product/2690)
this or [http://www.ebay.com/itm/Mini-4GB-LCD-Screen-Display-
MP3-Musi...](http://www.ebay.com/itm/Mini-4GB-LCD-Screen-Display-MP3-Music-
Player-USB-with-FM-Radio-Function-Blue-/190548770930) this.

The problem currently is a) most sites want passwords b) I do not want to mess
with cables c) NFC is not ubiquitous.

------
erik998
Not exactly Yubikey but USB Armory has some close features:

[https://www.crowdsupply.com/inverse-path/usb-
armory](https://www.crowdsupply.com/inverse-path/usb-armory)

The following example security application ideas illustrate the flexibility of
the USB Armory concept:

    mass storage device with advanced features such as automatic encryption, virus scanning, host authentication and data self-destruct
    OpenSSH client and agent for untrusted hosts (e.g Internet kiosks)
    router for end-to-end VPN tunnelling
    Tor bridge [see this, for example]
    password manager with integrated web server
    electronic wallet [the Electrum Bitcoin wallet works out of the box on the USB Armory. It has been tested with X11 forwarding from Linux as well as Windows hosts.]
    authentication token
    portable penetration testing platform
    low level USB security testing

------
lazylester
I too had poor experience with support and also weak documentation, but I
pushed through it and I'm very happy with the product now that it's integrated
with my app. They seem to practically 'own' the space and I have some
confidence in the longevity of the product.

------
scott00
The Feitian ePass: [https://www.amazon.com/Feitian-ePass-NFC-FIDO-
Security/dp/B0...](https://www.amazon.com/Feitian-ePass-NFC-FIDO-
Security/dp/B01M1R5LRD)

Can't vouch for it (either product or support), but it exists.

------
sirsuki
[http://www.sqrl.pl/](http://www.sqrl.pl/)
[https://www.grc.com/sqrl/sqrl.htm](https://www.grc.com/sqrl/sqrl.htm)

------
weinzierl
Nitrokey (formerly CryptoStick)

[https://www.nitrokey.com](https://www.nitrokey.com)

AFAIK they are used at Mozilla. The Firmware is Open Source. Downside is that
not all their dongles support U2F.

~~~
drdaeman
Actually, none does:
[https://www.nitrokey.com/#comparison](https://www.nitrokey.com/#comparison)

The only dongle to support U2F is currently only available for pre-order, with
ETA in autumn 2017.

------
kdmoyers
There's also this thing [https://www.protectimus.com/protectimus-slim-
mini](https://www.protectimus.com/protectimus-slim-mini) A little different
because it does not plug in, but very convenient. It seems like the usb key
solutions are likely to get left plugged into the port, and so get stolen
along with the laptop. The protectimus idea is to keep the key on you at all
times.

------
markgamache1
Sounds like an opportunity for someone to make consulting money. I have found
their docs lacking, but never tried support. Once I muddled through and
figured out what I needed, I have been very happy.

That said, I have looked for alternatives and found none.

I am most disappointed in the mediocre coverage of their RDP drivers. I need
to use all the features over RDP. Some work and some don't.

~~~
bockafer
Perhaps?

* Do not allow smart card redirection Group Policy object

------
makmanalp
Can some folks also speak to the audit consensus on some of these? It seems
with many of the newer / open source solutions, few of the end products
actually got audited by a competent external security firm / researcher,
right?

------
prohor
I just wonder - if the same key is used for enabling password manager and 2FA
... is it still 2FA? I mean, having the token you get both access to password
and second factor to a service.

------
cmurf
I'm annoyed that Lastpass still doesn't support U2F, and I don't really
understand the delay at this point.

~~~
eekthecat
Their official response is "because not all browsers support it".

It could be a valid business decision (i.e. uneven browser support will
confuse our users and increase costs) but I think they are just using that as
a delay tactic.

------
jvagner
Out of curiosity... is Google Authenticator dead? The iOS app hasn't been
updated in quite a while (Feb 22, 2016).

~~~
Navarr
Does it need an update?

~~~
rthille
I'd love to be able to select the background color of entries and edit the
text at the top of the entry, rather than just the bottom.

~~~
ptman
Try authy or freeotp or any of the other available on f-droid

------
bockafer
I've had good experiences with Yubikeys thus far. I still have two of the
Symantec VIP tokens from years ago that I've never had issues with. I recently
bought a Neo to test out NFC (NFC support on the HTC 10 seems deplorable for
smart card reading btw). I also purchased a few 4c tokens and so far they've
worked great although I haven't been using them for very long.

The gotchas I've encountered while using them on OSX:

    - The pins for PIV and OpenPGP are separate as these are separate modules on the card.
    - You can't use the PIV or NEO GUI managers and gpg at the same time. You might have to unplug and plug the token
      back in when switching back and forth between GUI/cmdline Yubico tools and gpg.
    - Forgetting to change my environment to use gpg-agent instead of ssh-agent.
    - Typing in my local password instead of the PIV pin when logging into OSX while I have a token with PIV enabled
      plugged in.

The "setup" instructions that are referenced in the packaging and on parts of
the site are for basic use of OTP. Real documentation is here:
[https://www.yubico.com/support/knowledge-
base/categories/gui...](https://www.yubico.com/support/knowledge-
base/categories/guides/)

For people asking about backing up material on OpenPGP modules: these are
write only. Generate your material locally with gpg instead of generating them
on the smart card itself and use the keytocard command to copy the keys to the
card. You can backup your keyring prior to moving keys and restore it before
copying keys to each card or ctrl-c out of gpg without saving the keyring
references for the material that was moved to the smart card.

I used bits and pieces from a few guides to get the setup I wanted as this was
my first experience with smart cards and advanced use of pgp:

[https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-
yubike...](https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/)

[https://rnorth.org/gpg-and-ssh-with-yubikey-for-mac](https://rnorth.org/gpg-
and-ssh-with-yubikey-for-mac)

[http://suva.sh/posts/gpg-ssh-smartcard-yubikey-
keybase/](http://suva.sh/posts/gpg-ssh-smartcard-yubikey-keybase/)

[https://www.jfry.me/articles/2015/gpg-
smartcard/](https://www.jfry.me/articles/2015/gpg-smartcard/)

[https://spin.atomicobject.com/2013/11/24/secure-gpg-keys-
gui...](https://spin.atomicobject.com/2013/11/24/secure-gpg-keys-guide/)

[https://alexcabal.com/creating-the-perfect-gpg-
keypair/](https://alexcabal.com/creating-the-perfect-gpg-keypair/)

Overview of my process (on an air gapped machine):

    - Configure gpg.conf.
    - Generate master, subkey, and revocation material on an encrypted USB drive for offline backup of material
      along with revocation certificates.
    - Backup original .gnupg directory to another folder on the encrypted USB drive.
    - Copy .gnupg directory to second encrypted USB drive for offsite backup.
    - For each smart card I wanted the same material on:
    -- Change default user and admin pins.
    -- keytocard subkeys for (S)ign, (E)ncrypt, (A)uthenticate (without saving keyring).
    -- Require local touch for all material ( Yubico specific: https://developers.yubico.com/PGP/Card_edit.html ).
    -- move on to next card.
    -- save keyring after running keytocard on the last card so the subkey material no longer exists in the local keyring, only
       references to it (this might not be necessary, I need to test).
    - Generate a copy of the keyring without master key to use on daily machine(s). Might also only need to have the master
      material minus the key in the keyring as noted above. I haven't tested how
    - Copy new keyring to another USB drive for transferring to daily machine(s).
    - Configure gpg-agent.conf and gpg.conf on daily machine.
    

Resetting the applet if you messed up or want to start fresh:

[https://developers.yubico.com/ykneo-
openpgp/ResetApplet.html](https://developers.yubico.com/ykneo-
openpgp/ResetApplet.html)

[https://www.yubico.com/support/knowledge-
base/categories/art...](https://www.yubico.com/support/knowledge-
base/categories/articles/reset-applet-yubikey/)
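
The generate-locally, back-up, then-strip-the-primary part of the process above, written out as a runnable script. This is an added example and not the commenter's own scripts or anything from Yubico: it drives gpg from Python in throwaway GNUPGHOME directories, generates a certify-only primary with separate sign/encrypt/auth subkeys, exports the full secret keyring as the offline backup, then exports a subkey-only keyring (the same state the guides leave you in after keytocard, where the primary survives only as a stub) and confirms the difference by importing each export into a fresh home. It assumes gpg 2.1 or newer plus gpgconf on PATH, uses a hypothetical user id and an empty passphrase for the demo, and does not touch a smart card, since the keytocard step itself is interactive.

```python
"""Offline OpenPGP keygen, full backup, subkey-only daily keyring (added example)."""
import os
import shutil
import subprocess
import tempfile

UID = "Backup Test <backup-test@example.invalid>"  # hypothetical demo user id
PASSPHRASE = ""  # empty only for the demo; protect real keys


def gpg(home, *args, stdin=None):
    """Run gpg non-interactively against an isolated GNUPGHOME and return stdout."""
    env = dict(os.environ, GNUPGHOME=home)
    cmd = ["gpg", "--batch", "--yes", "--pinentry-mode", "loopback",
           "--passphrase", PASSPHRASE, *args]
    return subprocess.run(cmd, input=stdin, capture_output=True, text=True,
                          check=True, env=env).stdout


def kill_agent(home):
    """Stop the gpg-agent that gpg spawned for this temporary home."""
    env = dict(os.environ, GNUPGHOME=home)
    subprocess.run(["gpgconf", "--kill", "gpg-agent"], capture_output=True, env=env)


def primary_fingerprint(home):
    """First 'fpr' record in colon output is the primary key's fingerprint (field 10)."""
    for line in gpg(home, "--list-secret-keys", "--with-colons").splitlines():
        if line.startswith("fpr:"):
            return line.split(":")[9]
    raise RuntimeError("no secret key in keyring")


def generate_offline_keyring(home):
    """Certify-only primary plus separate S/E/A subkeys, so the primary can stay offline."""
    gpg(home, "--quick-gen-key", UID, "ed25519", "cert", "never")
    fpr = primary_fingerprint(home)
    gpg(home, "--quick-add-key", fpr, "ed25519", "sign", "never")
    gpg(home, "--quick-add-key", fpr, "cv25519", "encr", "never")
    gpg(home, "--quick-add-key", fpr, "ed25519", "auth", "never")
    return fpr


def export_backup_and_daily(home, fpr):
    """Full secret export for the offline backup; subkeys-only export for daily machines."""
    full = gpg(home, "--armor", "--export-secret-keys", fpr)
    daily = gpg(home, "--armor", "--export-secret-subkeys", fpr)
    return full, daily


def secret_key_state(home, armored):
    """Import an export into a fresh home and report what secret material it carries.
    In 'sec' colon records field 15 is '#' when only a stub of the primary exists."""
    gpg(home, "--import", stdin=armored)
    state = {"primary": False, "subkeys": 0}
    for line in gpg(home, "--list-secret-keys", "--with-colons").splitlines():
        fields = line.split(":")
        if fields[0] == "sec":
            state["primary"] = len(fields) > 14 and fields[14] != "#"
        elif fields[0] == "ssb":
            state["subkeys"] += 1
    return state


def offline_keygen_demo():
    """Return None when gpg is unavailable, else the state of both exports."""
    if shutil.which("gpg") is None or shutil.which("gpgconf") is None:
        return None
    homes = [tempfile.mkdtemp(prefix=f"gnupg-{n}-") for n in ("offline", "backup", "daily")]
    offline, backup_home, daily_home = homes
    try:
        fpr = generate_offline_keyring(offline)
        full, daily = export_backup_and_daily(offline, fpr)
        return {
            "fingerprint": fpr,
            "backup": secret_key_state(backup_home, full),   # primary present
            "daily": secret_key_state(daily_home, daily),    # primary is a stub
        }
    finally:
        for h in homes:
            kill_agent(h)
            shutil.rmtree(h, ignore_errors=True)


if __name__ == "__main__":
    print(offline_keygen_demo())
```

On a real setup the "offline" home is the air-gapped machine's .gnupg, the full export goes to the encrypted USB drive, and the subkey-only export is what you carry to the daily machine; after keytocard the ssb records on the daily machine additionally show the card serial in that same field 15, which is how you can tell a stub that points at a card from one whose key was simply never imported.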

------
user5994461
SecurID has been the gold standard for more than a decade.

Not to dismiss YubiKey but companies that can afford 2 factor and take
security seriously already have SecurID for a long time.

~~~
pgeorgi
SecurID is just an expensive TOTP implementation (although a very established
one, as you noted)

That "gold standard" required reissuing 40 million devices in 2011 due to
a single server breach. Lockheed-Martin was apparently really, really happy
about it, too.

If that's your desired level of security, just use any TOTP authenticator app
on your smartphone.

~~~
zurn
Smartphones are insecure unless you can control all your users have new Apple
phones.

The problem with many affordable TOTP tokens is clock drift. Are RSA's tokens
better with that?

~~~
pgeorgi
Was there a practical attack on TOTP on smartphones that affected 40M users
and spilled industrial secrets? SecurID managed to hit both of these.

