
Not every Yubikey supports the resident keys. All my Yubikey 5 keys have too old firmware, which AFAIK cannot be updated, so this is not a viable solution for lots of people even if they own the hardware. GPG just works, and can be used for many other things while one's at it already.


I agree with you in general, but saying "GPG just works" in a post about a long guide on how to set it up seems iffy.


Not just a little iffy, it's more like "Nope, even if I get this working, this is not something I can recommend supporting for everyone on the team."

For business, it's a better deal to buy new Yubikeys that support FIDO2 than it is to support GPG on Yubikeys.


Absolutely. We're trialling this for our SSH bastion server. The security keys don't need any setup at all, which makes it much easier to handle backups and replacements.


Let me rephrase: GPG is possible to get working, the resident keys are not, regardless of the amount of setup. Though the other comment seems to suggest it might not be the case, so maybe there is hope.


The first revision Yubikey 5s support resident keys, just not the credential management API, at least that is my understanding.

I had a Yubikey 5 with the first firmware revision and resident keys worked fine.


Do you have any documents on how I can use them in such case?


You should be able to just use a website that uses resident keys (such as Microsoft Passwordless login). I don't think the UI is any different, it's just that the key will actually get stored on the device.

Because the first firmware revision lacks the credential management API, there's no way to list the resident keys on the device or to delete individual keys. The only way to delete resident keys AFAIK is to reset the FIDO2 application on the key.



