
Ask HN: 2FA hardware? - MTemer
Right now I'm using Google Authenticator and I manage the services manually on my smartphone.

I use 2FA for my e-mail accounts, VPS, games and more. But it feels really silly to have it on my phone. Especially since I use 2FA for my phone e-mail account.

Is there any specialized hardware that I could use to replace this setup? Something that is compatible with any service and doesn't require a phone or a computer? Like a standalone solution.
======
nikolay
Everybody recommending Yubikey: because of this [0], use that [1] instead. Amazon
uses Gemalto [2] for AWS MFA, but I've had bad experience with it, and cannot
recommend it.

[0]: [https://plus.google.com/+KonstantinRyabitsev/posts/4a7RNxtt7vy](https://plus.google.com/+KonstantinRyabitsev/posts/4a7RNxtt7vy)

[1]: [https://www.nitrokey.com/](https://www.nitrokey.com/)

[2]: [http://www.gemalto.com/](http://www.gemalto.com/)

------
realtarget
You could use any kind of hardware token like RSA, Fortinet or many other
manufacturers. They usually offer a software version for your desktop as well.
But usually you'll hate this additional piece of crap in your pocket. The
combination of something in your mind (password) and something in your hand
(smartphone) is the optimal setup. If you have a password or fingerprint to
unlock your phone and the token generator app for 2FA it should be enough
security.

------
Relys
I use the [https://www.yubico.com/products/yubikey-hardware/yubikey-neo/](https://www.yubico.com/products/yubikey-hardware/yubikey-neo/).

------
h4waii
One option might be something like a Pebble. I use mine for H/TOTP codes just
fine =>
[https://github.com/JumpMaster/QuickAuth](https://github.com/JumpMaster/QuickAuth).
It's always with you and works completely offline and outside of any service.

It still requires your phone to add seeds, but they are generated completely
independently once seeded. Just an idea that doesn't require buying
specialized single-task hardware.

------
dpc_pw
Google: Yubico ; the NFC-enabled version has a Google Authenticator-like app
(Yubico Authenticator)

~~~
MTemer
Oh I get it now, I misunderstood what Yubico could be used for. Thank you!

~~~
dpc_pw
It can be used for a lot of things. GPG (even over NFC), U2F, 2FA,

------
emocin
Yeah, we use Yubico yubikey nanos at work for ssh 2fa as well as gmail 2fa.
It's pretty nice.

~~~
MTemer
I always use huge passwords, do you think using an easier to remember ~10
digits password will be secure enough if I use 2FA?

Or is there another attack vector that I'm not aware of?

I imagine if somebody steals my password I would get notified (Gmail) and could
easily switch to a new one, no damage done.

~~~
bdcravens
I think a good password manager + 2fa will be adequate. Make password manager
long but memorable and then make passwords you generate crazy long, like 24
characters or more. That and 2fa all the things.

~~~
MTemer
But if you're using accounts in "public" (like in the office) computers,
aren't you trading an unlikely bruteforce for a single point of failure: your
password manager, which is also in the cloud? Unless you also use 2FA on the
password manager and there's no way for a compromised OS to copy your entire
(unlocked) password manager DB. Oh god, I went too far.

~~~
bdcravens
Most password managers encrypt your contents one-way, and don't offer a
forgot-password feature. Not all are in the cloud (1Password, KeePass, etc),
though they can be cloudified via sync (for instance, use Dropbox or iCloud).
Some support the Yubikey for authentication.

------
mike-cardwell
I use my Pebble Time smart watch. I press one button on my watch and it
instantly displays a list of 2FA codes for a bunch of sites.

