I have always been interested in IT security seen from all perspectives – black, white and gray. Knowing how easily many people out there can get hacked, I generally try to keep my own systems secured and locked down as much as possible.
The primary way I do this is of course by keeping my systems up to date and keeping all unnecessary services off them. Besides this I use very random passwords for all of my systems AND I require at least one hardware security key in order to do anything like root on my machine. This means that you cannot use sudo, su or even just log in to the desktop without having one of my hardware keys inserted in the system and pressed at the right time.
What hardware keys to use?
There are many types of hardware keys out there but I generally use three:
The simplest one is the SoloKey Tap, which is a one-button FIDO2 USB stick. The “Tap” part is there because it also supports NFC, so I can use it with my mobile phone without plugging it in. So what is FIDO2? It is basically the second iteration of the authentication standards defined by the FIDO (Fast IDentity Online) Alliance and the World Wide Web Consortium (W3C). The main goal of the project is to make online authentication possible without having to remember a ton of difficult passwords. This is done by a combination of the Web Authentication (WebAuthn) standard and the Client to Authenticator Protocol (CTAP). It is similar to, and based on, the earlier FIDO project called Universal 2nd Factor (U2F), which is already widely used by many online services.
- Easy to use
- FIDO2 / U2F support
- Good community
- The Tap edition works with mobile phones via NFC
So why use SoloKey? It is created as a fully open-source project, so you can audit the code and even contribute. It is not made by a big-time corporation, so the price is low for what you get. It is secure and does one thing, which it does really well. The team behind it is very active and easy to communicate with on e.g. Keybase. There is even a subreddit, /r/solokeys.
Right now the SoloKey team is working on a very cool new project. It is called Somu and is a super-small USB FIDO2 stick that pretty much fits inside the USB port without sticking more than 1mm out of the computer. You can support the work by pre-ordering one (or many) of them via their Crowd Supply campaign (I have already signed up for a few of course!!)
The OnlyKey is a rather advanced device with 6 numbered buttons (touch areas). It can be used as:
- A U2F/FIDO2 device (like the SoloKey)
- A hardware password manager with up to 24 passwords (including usernames)
- PIN protection before it even works
- Possibility to have 2 layers of settings for plausible deniability
- TOTP (Time-based One-Time Password, like Google Authenticator)
- Yubikey authentication (mimics the commercial key protocol)
- SSH authentication
- OpenPGP with Keybase integration
- Self-destruct feature (enter a special PIN and it will delete everything)
- Encrypted backup of the key (makes it possible to have a cloned backup key)
- Auto-lock after 30 minutes of inactivity
- Works on all computer systems, as it identifies as a normal USB keyboard
The OnlyKey is really quite advanced, but also a bit technical to set up for non-techies. Over the last year or so it has however become a bit easier to update the firmware and set up all the functionality via an application or the Chrome browser extension.
You can chain what it should do: if you press e.g. the 1 button, it sends your Google username, then sends a “tab” to go to the next input field, then sends the stored password and finally sends an “enter” keypress. That basically means it can log you fully into a service automatically.
Again this is an open-source project, and it actually works together with the SoloKey team on some features.
The YubiKey is the only big-corp security key I have. The company behind it, Yubico, is doing a lot of the ground work in the world of security keys, but they also create their own closed-source proprietary protocols and standards. The great thing about their products is that they have a lot of integration with company infrastructure like Active Directory etc. and hence can be used in big company setups. For small private setups this is a bit overkill. Since they use their own U2F protocol for most things, they kind of have to work with their own software and drivers. They are however one of the biggest on the market and hence also supported by many products. They also support some of the more standard protocols like FIDO2, U2F, smart card, OpenPGP and OTP.
In recent years Yubico has also started producing open-source code for Linux, which also benefits some of the other open-source hardware keys out there. I will, in a later post, tell a bit more about that and how it can be used to lock down your Linux machine and require a hardware key to unlock it.
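To make the sudo/su lockdown from the start of the post concrete, here is an added example (not from the original post) of how the key requirement is expressed with pam-u2f, the open-source PAM module from Yubico mentioned above, which works with any U2F/FIDO2 key such as a SoloKey. The mapping file contents, user name and the temporary paths are constructed placeholders; real mapping lines come from `pamu2fcfg` with the key plugged in, and the weak/corrected files stand in for /etc/pam.d/sudo.

```shell
#!/bin/sh
# Added example, not part of the original post: what "require a hardware key
# for sudo" looks like with pam_u2f. All files live in a scratch directory and
# all key material below is a constructed placeholder.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The mapping file pam_u2f reads (authfile=...). One line per user:
#    user:KeyHandle,PublicKey,CoseType,Options[:KeyHandle2,PublicKey2,...]
#    Registering two keys, as the author does, means one lost key is not a lockout.
cat > "$WORK/u2f_mappings" <<'EOF'
alice:PLACEHOLDER_KEYHANDLE_1,PLACEHOLDER_PUBKEY_1,es256,+presence:PLACEHOLDER_KEYHANDLE_2,PLACEHOLDER_PUBKEY_2,es256,+presence
EOF

# 2. Weak vs corrected sudo PAM stack. With "sufficient" the key is optional
#    (a password alone still succeeds); "required" makes touching the key
#    mandatory on top of the password. "cue" prints a touch prompt.
cat > "$WORK/sudo.weak" <<'EOF'
auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue
@include common-auth
EOF
cat > "$WORK/sudo.good" <<'EOF'
auth required pam_u2f.so authfile=/etc/u2f_mappings cue
@include common-auth
EOF

# count_keys FILE USER -> number of well-formed (4-field) key entries for USER
count_keys() {
    line=$(grep "^$2:" "$1" || true)
    if [ -z "$line" ]; then
        echo 0
        return
    fi
    echo "$line" | cut -d: -f2- | tr ':' '\n' | awk -F, 'NF==4{n++} END{print n+0}'
}

# key_is_mandatory FILE -> success only if pam_u2f is required/requisite
key_is_mandatory() {
    grep -Eq '^auth[[:space:]]+(required|requisite)[[:space:]]+pam_u2f\.so' "$1"
}

# Sanity checks a practitioner would run before relying on the setup.
echo "keys registered for alice: $(count_keys "$WORK/u2f_mappings" alice)"
key_is_mandatory "$WORK/sudo.good" && echo "sudo.good: key is mandatory"
key_is_mandatory "$WORK/sudo.weak" || echo "sudo.weak: key can be bypassed"
```

Keep the real authfile root-owned and not writable by ordinary users, and test the new stack from a second terminal while a root shell stays open so a mistake does not lock you out.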
So which one of the 3 types should you choose? Honestly I use all of them almost every day. Today the YubiKeys are mostly used as backup keys for GitHub and LastPass login, but my OnlyKeys contain my most important passwords, OpenPGP private key etc. My SoloKeys are primarily used as a simple one-click login mechanism for sudo and as the login key for my mobile phone.