
The FIDO2 two-factor auth portion is pretty seamless. It's: plug it into the USB port when the two-factor prompt comes up, it lights up, touch the button, and good to go.

Everything else - good luck. Proprietary apps. Each one is slightly different. I haven’t bothered to use it for key generation. To be fair, there are hardware design constraints (no clear UI) so it would be hard to get around the learning curve.




Okay, sorry if this is obvious. So FIDO is intended for authentication on the web/cloud only (and requires compatibility from both the website/site and the browser to work).

So this is why, when talking about using hardware keys to unlock local stuff, like a PC, or to authenticate/decrypt SSH, GPG, BitLocker etc., this all gets so tricky and often needs extra software?


This guide mostly isn't about FIDO. It's about the however many other features a Yubikey carries. One of those fancy pocket knives with sixteen tools is also a bit of a handful to work with, and if you've used one and relied on its specialist tool for cracking walnuts, you may be disappointed by a cheap four way multitool that does not crack walnuts. However, it would be wrong to say "Why are knives so tricky to use?" when it's not really the knife's fault.


I’m by no means an expert in this area (and expect someone here could speak to it better than I can), but the Yubikeys have a lot of capability.

From their website: “Support for WebAuthn, FIDO2, FIDO U2F, smart card (PIV), Yubico OTP, OpenPGP, OATH-TOTP, OATH-HOTP, and Challenge-Response” [1]

So one key can do all of those things. How user friendly it is depends on the service you're using and how that is configured. Logging into a Google account? Easy. Logging into Windows? Easy-Medium [2]. As more organizations support the tool, it becomes plug and play in a lot of areas (Okta, Centrify, etc). Mac is more difficult, with the opportunity to lock yourself out [5]. Linux is… Linux.

You can set more configurable options in the manager tool. [3]

But it can get as complicated as you want it to with the developer tools [4].

I've been following this for years and have had keys, and I think we're finally to the point where I could recommend it to a semi-technical person. Get 3: one small form factor that stays in your main computer / PC / Chromebook, one on your key ring with NFC, and a backup in a fireproof safe. That will stop any account takeover. If a key is lost or stolen, revoke and replace it. That will cover 99% of attack scenarios for the population.

[1] https://www.yubico.com/product/yubikey-5-nfc/

[2] https://www.yubico.com/products/computer-login-tools/

[3] https://www.yubico.com/support/download/yubikey-manager/

[4] https://www.yubico.com/support/download/

[5] https://support.yubico.com/hc/en-us/articles/360016649059-Us...


Sounds like a good option. I've been finding it hard to understand how this all fits together. For example, which of the standards listed above is the mechanism used to unlock a PC or a mac? Which one applies to allowing sudo?

I guess that's the crux of it. I'd prefer to find an open hardware alternative if possible, and not have to trust additional software. I know my use case, but don't know which standards apply and are required to make it happen. Knowing that would allow me to pick an open hardware key that, by meeting those standards, would let me do what I need.

It just seems even ticking those boxes isn't much of a guarantee when so much extra software appears to be needed.

The alternative is to either find:

- the open device with the most active developer community and hope the feature comes

- the device that just meets the most standards (as you suggest, a Yubikey)

If I sound confused it's just because I am.


It's not easy and there may be a solution out there that I'm not aware of, but Yubico (and Feitian) met my needs, so I stopped.

The principle I keep in mind here is that the implementation is the weakest part of crypto and has the most room for error. For me personally, it requires too much time and energy to roll my own, especially knowing I'll likely screw something up. If it were a side project, slightly different, but I want something I can forget about for a year and come back to and it just works. In my case, the risk of an overly complicated setup locking me out is higher than any risk from using Yubico's hardware and setting things up.

But I would start with getting a key, playing around, and doing what the other commenter suggested.


It's good advice. I got a Solo key but found it difficult getting it into a useful state for my needs. Might try a Yubi instead. Cheers.


For your "Unlock a PC" need you may be looking for the FIDO optional feature hmac-secret.

e.g. one of the things Microsoft wants in order to unlock a (potentially offline) Windows 10 PC is hmac-secret, and it is not an essential feature of FIDO since you wouldn't need it to, e.g., sign in to Google, or GitHub, or whatever.

For products built by the community, you should be able to find someone who has tried your scenario (e.g. "Unlock a macOS 12 MacBook") and can say it definitely works with the product before you buy one.
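To make the hmac-secret point concrete, here is an added toy model (not the commenter's code, and not Yubico's or Microsoft's implementation) of why that extension is what an offline unlock needs: the authenticator keeps a per-credential CredRandom and returns HMAC-SHA-256(CredRandom, salt), so a client can store only a salt plus a wrapped volume key and re-derive the unwrap key with no network. The relying-party id, the XOR wrap and the ECDH encryption being left out are simplifications assumed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 32  # CTAP2 hmac-secret salts are 32 bytes


class Authenticator:
    """Toy authenticator implementing only the hmac-secret derivation.
    CredRandom is created at makeCredential and never leaves the device."""

    def __init__(self):
        self._cred_random = {}  # credential id -> 32-byte CredRandom

    def make_credential(self, rp_id: str) -> bytes:
        cred_id = os.urandom(16)
        self._cred_random[cred_id] = os.urandom(32)
        return cred_id

    def get_assertion(self, cred_id: bytes, salt: bytes) -> bytes:
        # Real CTAP2 also signs a challenge and encrypts salt/output under an
        # ECDH shared secret with the client; only the derivation is modelled.
        if len(salt) != SALT_LEN:
            raise ValueError("hmac-secret salt must be 32 bytes")
        return hmac.new(self._cred_random[cred_id], salt, hashlib.sha256).digest()


class OfflineUnlock:
    """Client side: wraps a 32-byte volume key so a PC can unlock with no network."""

    def __init__(self, auth: Authenticator, cred_id: bytes, volume_key: bytes):
        self.cred_id = cred_id
        self.salt = os.urandom(SALT_LEN)  # stored on disk in the clear
        kek = auth.get_assertion(cred_id, self.salt)
        self.wrapped = bytes(a ^ b for a, b in zip(volume_key, kek))  # toy wrap
        self.check = hashlib.sha256(volume_key).digest()

    def unlock(self, auth: Authenticator) -> Optional[bytes]:
        try:
            kek = auth.get_assertion(self.cred_id, self.salt)
        except KeyError:  # a different key has no CredRandom for this credential
            return None
        vk = bytes(a ^ b for a, b in zip(self.wrapped, kek))
        return vk if hashlib.sha256(vk).digest() == self.check else None


def demo():
    key = Authenticator()
    cred = key.make_credential("pc-login")  # constructed rp id
    volume_key = os.urandom(32)
    enrolled = OfflineUnlock(key, cred, volume_key)
    same_key_works = enrolled.unlock(key) == volume_key
    other_key_fails = enrolled.unlock(Authenticator()) is None
    return same_key_works, other_key_fails
```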


That (a feature name) is what I'm talking about. Thanks a lot.

I guess another one I noticed was PIV/smart card, which seems to be kind of long in the tooth and not available on some newer hardware keys. I'm not sure if that's for security reasons, and I start to wonder if multi-protocol hardware is more open to a wider array of attacks. But thanks again.



