
Ask HN: Does anyone use a physical two-factor authentication device? - justadudeama
I am trying to increase the security of my accounts and have enabled MFA on as many of the accounts that I can, using Google Authenticator. I am thinking about getting a key like Yubico instead of having to use Google Auth, is it more secure? Better? Do any of you guys use this?
======
ecesena
A U2F key protects you better from phishing, but unfortunately the number of
sites that support it is very limited. Luckily it includes Google and
Facebook, so you can harden these two, and use social login where U2F isn't
supported.

As for the security key, you should check the support for your devices, iOS is
generally more problematic (keep in mind that even if you have an Android
phone, but you have an iPad, you prob need support for iOS too). I wrote a
blog post about this a while ago: [https://medium.com/@0x0ece/googles-advanced-protection-program-with-iphone-and-ipad-5f30802885e7](https://medium.com/@0x0ece/googles-advanced-protection-program-with-iphone-and-ipad-5f30802885e7)

------
tptacek
The physical U2F key protects you against phishing, which is important, but
that's pretty much it.
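Both ecesena and tptacek above say a U2F key helps against phishing; the reason is that the key signs over the origin the browser observed, so an assertion made on a look-alike site is useless on the real one, whereas a TOTP code from an authenticator app is just six digits that a fake page can relay. The following is an added illustration written for this thread, not code from any poster or from Yubico: TOTP is implemented per RFC 4226/6238, and the U2F side is a simplified model that uses an HMAC key in place of the real per-site ECDSA key pair (the origin-binding logic, not the signature algorithm, is the point). The origins, user name and secrets are constructed.

```python
import hashlib
import hmac
import secrets
import struct

# ---------- TOTP (RFC 4226 / RFC 6238: HMAC-SHA1, 30 s step, 6 digits) ----------
def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """The code an authenticator app shows; it depends only on the secret and the time."""
    counter = struct.pack(">Q", at_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, now: int, skew_steps: int = 1) -> bool:
    """Server-side check with the usual +/-1 step tolerance."""
    return any(hmac.compare_digest(totp(secret, now + d * 30), code)
               for d in range(-skew_steps, skew_steps + 1))

def demo_totp_relay(now: int = 1_700_000_000) -> bool:
    """A phishing page asks the victim for the current code and relays it to the real
    site. Nothing in the code says where it was typed, so the real site accepts it."""
    secret = secrets.token_bytes(20)                  # constructed enrollment secret
    code_typed_into_fake_page = totp(secret, now)
    return verify_totp(secret, code_typed_into_fake_page, now)

# ---------- U2F-style origin-bound challenge/response (simplified model) ----------
class Authenticator:
    """Model of the key. Real U2F uses a per-site ECDSA key pair; an HMAC key stands in
    here so the example needs no crypto library."""
    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def registration_key(self) -> bytes:
        return self._key   # real U2F would hand the server a public key instead

    def sign(self, origin: str, challenge: bytes) -> bytes:
        # Real U2F signs over sha256(appId) and sha256(clientData); clientData carries
        # the origin the *browser* observed, which the page cannot forge.
        data = hashlib.sha256(origin.encode()).digest() + challenge
        return hmac.new(self._key, data, hashlib.sha256).digest()

class RelyingParty:
    """The real site: checks the signature AND that it was made for this origin."""
    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.keys: dict[str, bytes] = {}
        self.pending: dict[str, bytes] = {}

    def register(self, user: str, key: bytes) -> None:
        self.keys[user] = key

    def challenge(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(32)
        return self.pending[user]

    def verify(self, user: str, claimed_origin: str, sig: bytes) -> bool:
        chal = self.pending.pop(user, None)        # single use, whatever the outcome
        if chal is None or claimed_origin != self.origin:
            return False                           # assertion was made for another site
        data = hashlib.sha256(claimed_origin.encode()).digest() + chal
        expected = hmac.new(self.keys[user], data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)

def browser_sign(auth: Authenticator, page_origin: str, challenge: bytes) -> tuple[str, bytes]:
    """The browser, not the page, tells the authenticator which origin it is on."""
    return page_origin, auth.sign(page_origin, challenge)

REAL_ORIGIN = "https://accounts.example"        # constructed
PHISH_ORIGIN = "https://accounts-example.evil"  # constructed look-alike

def demo_u2f(page_origin: str) -> bool:
    """Victim's browser sits on page_origin; the challenge always comes from the real
    site (a fake page would fetch it and forward it). Returns whether the real site
    accepts the resulting assertion. Off the real origin, both forwarding the assertion
    unchanged and relabelling it with the real origin are tried."""
    auth, rp = Authenticator(), RelyingParty(REAL_ORIGIN)
    rp.register("alice", auth.registration_key())

    signed_origin, sig = browser_sign(auth, page_origin, rp.challenge("alice"))
    if rp.verify("alice", signed_origin, sig):
        return True                                # only when page_origin is the real one
    # Fresh challenge, same signature type, but now claim the real origin:
    _, sig = browser_sign(auth, page_origin, rp.challenge("alice"))
    return rp.verify("alice", REAL_ORIGIN, sig)   # sig covers page_origin, so it fails

if __name__ == "__main__":
    print("TOTP relayed through a fake page accepted:", demo_totp_relay())
    print("U2F on the real site accepted:", demo_u2f(REAL_ORIGIN))
    print("U2F relayed through a fake page accepted:", demo_u2f(PHISH_ORIGIN))
```

Running it prints True, True, False: the relayed TOTP code logs in, the key works on the real origin, and the relayed assertion is rejected whether the fake page forwards it as-is (origin mismatch) or relabels it (signature mismatch). This is also why tptacek's "that's pretty much it" is fair: the binding defeats relay of the second factor, but it says nothing about a compromised browser or session cookie theft after login.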

------
kasey_junk
I use a YubiKey for the few places that support U2F (Google, GitHub).

I still use Authenticator for a bunch of places that don't support U2F.

It likely wouldn't be worth it if I didn't also carry the YubiKey for SSH
public key.

~~~
justadudeama
I didn't know you could use it as an SSH public key. Thanks.

------
ezekg
I use a YubiKey mostly for convenience (grabbing your phone to log in
everywhere gets annoying), but sadly, not a lot of sites actually support U2F.

------
spondyl
I use a YubiKey NEO myself, which is nice, but not a heap of services support
it.

Probably my favourite feature, which gets very little attention, is that you
can store your MFA tokens on your key. Scanning a YubiKey NEO with the Yubico
app open will show your keys. Lost your phone? It's fine because you can just
install the app on your new phone and there they are, without being tied to a
centralised service.

You can also store your GPG key on it, but you're forced to only use 2048 bits
over the highest setting of 4096. All it means is you need to have your key in
to, e.g., sign commits, which is a bit less convenient than reading from disk.

Oh yeah, I use the Windows Subsystem for Linux and it doesn't support reading
the YubiKey, so it renders GPG signing useless for now. There was an update
recently that increased USB support, but I don't think it applies to USB
hardware keys. I haven't tried, though.

It's also worth noting that Google doesn't follow the U2F spec, which means
that authenticating with their stuff only works inside Chrome. You can just
fall back to SMS or MFA.

One thing I notice with GitHub is that if I don't have my YubiKey nearby, the
only other default is MFA, but with my tokens on my YubiKey... yeah, you can't
just drop back to SMS, so you gotta have it on you (for the first time/new
browser) haha

tl;dr They're cool for "important" accounts, i.e. GitHub, Google; GPG key storage
is just ok and storing MFA tokens on it is pretty rad

