
Ask HN: Should I get a U2F key? - adamwoodetc
So this latest round of reported big-scale phishing attacks has me looking around again at physical U2F tools, and I'm looking for a bit of advice on the pros & cons.

I have a password manager and use randomly generated unique passwords for all my logins; I have 2FA turned on (via SMS or code generator) wherever it's available. But I've seen a couple of pieces (not least of all the guide Maciej Ceglowski just published) suggesting this isn't bulletproof. I've also seen other pieces saying that a sign-in setup including a physical component isn't worth it if you still have to access the account from mobile etc.

Any and all input appreciated. Thanks.
======
idlewords
The big advantage of a U2F key over other forms of 2FA is that it gives you
stronger protection against phishing. Phishing attacks that would give me
control of your email with other forms of 2FA don't work if you use a security
key.

Unfortunately, phones still don't support a physical security key. But you can
still use the authenticator app there. On your laptop, U2F is a big step up.

Whatever you decide, you should not use SMS as your second factor. U2F keys,
TOTP (the authenticator app) and push notifications are all significantly
safer.

~~~
adamwoodetc
Thanks, this is the spine of Ceglowski's argument also and I'm pretty much
persuaded by it. I was just curious whether there were any significant
downsides, but it appears that there aren't really.

Thanks for your time.

~~~
chrisked
If I'm not mistaken the author himself just replied to your question. It's him
;-)

~~~
idlewords
It's one of my many sock puppets!

~~~
adamwoodetc
Whoa. Never mind systems that ensure it's me using my account, it sounds like
I need a system to tell me how many of the people I'm conversing with are the
people I'm conversing about.

Sorry for the confusion @idlewords. (For the record I'm not ruling out the
possibility that @chrisked is also you Maciej. Fool me once...)

~~~
idlewords
I'm actually the only person on this site.

