
Ask HN: (Cheap) U2F Tokens? - dbmueller
What 2 factor authentication tokens are you using?

I know about the following (open source ones I think):

* u2fzero
* solo keys
* nitrokey
* tomu + the right firmware (which I guess is not really cryptographically secure)

I'd lean towards the solo keys since it's open source, and I haven't seen any criticisms, but tomu is quite a bit cheaper.

Also, which ones support "cloning keys" at the setup phase so as to have a backup of your key?

What are your experiences? Recommendations?
======
panpanna
Not really an answer to your question but...

I think the main issue here is to find cryptographic chips in low quantities
and diy-friendly packages. The f2c algorithms themselves are not exactly
rocket science.

~~~
dbmueller
But are cryptographic chips actually needed for 2fa tokens to be useful? A lot
of security risks are already covered by having a physical second factor, no?

~~~
panpanna
I think it's mainly for secure storage and secure RNG people use them.

You can of course claim you need neither.

------
xzcvczx
why would you want to clone keys? the point is when one is stolen or goes
missing then the 2nd key is useless anyway and you would need new keys.

~~~
dbmueller
Well, it could also happen that your first key simply fails or gets broken, in
which case it's easier to just have a backup.

~~~
xzcvczx
well, all the keys as stated will not allow you to clone keys, except
potentially the solo key hacker version and the tomu (hacker version if there
is one), as the whole concept behind the 2FA devices is that you can't read
the crypto keys off the device; if you could, then a reader/device could grab a
copy of those keys and your 2FA is no longer secure.

~~~
dbmueller
same for u2fzero if it's not locked already, no?

~~~
xzcvczx
probably, however i only know about the solokeys hacker as that is all i own,
and even with that what you would want to do is modify the bootloader to only
update with your own crypto keys that you then keep in secure offline storage.

As far as i can tell there is no documentation on how to do this but the 5min
look i had at it made it look quite easy.

Do the 2fa services you are looking at using allow multiple keys to be
configured per user? If so, that would be a much better way to do it than
cloning keys. They would still have their backup but there wouldn't be the
same security issues that are apparent in the process of cloning the keys. If
the computer you used to "clone" the keys had been breached prior to you
cloning the keys then someone could theoretically find all your 2FA keys and
your 2FA would be useless.
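
The backup approach described in this comment (registering a second token with the service instead of cloning the first) modelled as an added Go example; this is not code from the thread or from any of the tokens named in it. `Token`, `Credential`, `Enroll`, `Login` and the app ID are constructed for the illustration; the token keeps its private keys internally and only ever exports a public key plus a handle, the account holds one credential per enrolled token, and the signed data follows the U2F authentication layout (application hash, user-presence byte, counter, challenge hash). It also shows why the signature counter exists: the "clone" step is an in-memory struct copy standing in for exactly what a real token refuses to do, and the service spots it when the original token's counter stops advancing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const appID = "https://example.test" // constructed relying-party identifier

// Token is a toy U2F authenticator (hypothetical, not any vendor's firmware).
// Private keys never leave the struct; Register hands out only a public key and a handle.
type Token struct {
	keys    map[string]*ecdsa.PrivateKey // key handle -> private key
	counter uint32                       // increments on every signature
}

func NewToken() *Token { return &Token{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a fresh P-256 key pair; the handle is a toy stand-in for a real opaque one.
func (t *Token) Register() (string, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // the OS RNG failing is unrecoverable here
	}
	kh := fmt.Sprintf("kh-%x", priv.X.Bytes()[:8])
	t.keys[kh] = priv
	return kh, &priv.PublicKey
}

// Sign bumps the counter and signs the challenge with the key behind keyHandle.
func (t *Token) Sign(keyHandle string, challenge []byte) (uint32, []byte, error) {
	priv, ok := t.keys[keyHandle]
	if !ok {
		return 0, nil, fmt.Errorf("key handle not present on this token")
	}
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(t.counter, challenge))
	return t.counter, sig, err
}

// signedData follows the U2F authentication layout:
// SHA-256(appID) || user-presence byte || 4-byte counter || SHA-256(challenge).
func signedData(counter uint32, challenge []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	buf := append(append([]byte{}, app[:]...), 0x01) // 0x01 = user presence confirmed
	d := sha256.Sum256(append(append(buf, ctr[:]...), chal[:]...))
	return d[:]
}

// Credential is what the service stores per enrolled token; an account may hold many.
type Credential struct {
	pub     *ecdsa.PublicKey
	counter uint32 // highest signature counter seen from this token
}

// Enroll registers one more token for the account; nothing secret leaves the token.
func Enroll(account map[string]*Credential, t *Token) string {
	kh, pub := t.Register()
	account[kh] = &Credential{pub: pub}
	return kh
}

// Login issues a random challenge, has the token sign it, and checks the signature and counter.
func Login(account map[string]*Credential, t *Token, keyHandle string) error {
	cred, ok := account[keyHandle]
	if !ok {
		return fmt.Errorf("credential not registered")
	}
	challenge := make([]byte, 32)
	rand.Read(challenge) // fresh per login, so an old signature cannot be replayed
	counter, sig, err := t.Sign(keyHandle, challenge)
	if err != nil {
		return err
	}
	if !ecdsa.VerifyASN1(cred.pub, signedData(counter, challenge), sig) {
		return fmt.Errorf("signature invalid")
	}
	if counter <= cred.counter {
		return fmt.Errorf("counter did not advance: token may have been cloned")
	}
	cred.counter = counter
	return nil
}

// Demo enrols a primary and a backup token, logs in with the backup as if the primary
// were lost, then shows a cloned primary being flagged by the counter check.
func Demo() (backupWorks, cloneDetected bool) {
	account := map[string]*Credential{}
	primary, backup := NewToken(), NewToken()
	khP, khB := Enroll(account, primary), Enroll(account, backup)
	backupWorks = Login(account, backup, khB) == nil
	clone := *primary // shares the key map and copies the counter: what a real token forbids
	// the clone signs first and is accepted; the original then lags behind and is rejected
	cloneDetected = Login(account, &clone, khP) == nil && Login(account, primary, khP) != nil
	return backupWorks, cloneDetected
}
```

`Demo()` returns `true, true`: the backup token logs in on its own credential, and the copied token is caught as soon as the original signs again with a counter that is not greater than the one the service last saw. A token that was never enrolled, or a key handle the service does not know, fails at `Login` before any signature is checked.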

~~~
dbmueller
Mmh, I don't have any specific service in mind. Concerning cloning, it's not
such an important request, and if people have good reasons to think it's not
worth it, I'm OK with that.

What was your experience with the solo keys, then? I gather they haven't
implemented SSH and GPG key "management" yet: is that right? So for now it's
just U2F it seems.

