r/yubikey

I expected a trade-off between security and usability. It would be more secure, sure, but it would also make things much worse from a usability perspective...

...but here I am, actually preferring to use it. I only need to enter a pin rather than my Bitwarden master password. Yes I know you can set a pin on password managers, but it's not exactly the same as a hardware token.

Color me surprised. I did not expect this outcome.

(sorry I just realised this is missing some context that might confuse some people, a few months ago Bitwarden updated their browser plugin so that you can use your Yubikey now to log in, it's really cool)

Hello,

I am in dire need of assistance with my YubiHSM2.

I'm setting up a two-tier PKI infrastructure, where the RootCA and IssuingCA keys are stored in YubiHSM2. I was able to successfully establish the infrastructure itself, but now I am trying to back up what I have, and it's driving me nuts.

Here's what I'm trying to do:

- open yubihsm shell

- connect using an authentication key with full permissions

- run the following command:

get wrapped 0 [key_id] asymmetric-key [wrap_key_id] 0 C:\Temp\rootca.wrapped 

Result?

Failed to get wrapped object: Wrong permissions for operation

The asymmetric key has the exportable-under-wrap capabilities.

The authentication key I'm opening the session with has all capabilities and delegated capabilities.

I also tried with yubihsm-setup dump, but I also get errors:

Unable to export object authentication-key with ID [id] wrapped under key ID [wrap_key_id]: Wrong permissions for operation.

Can it be a problem with the wrap-key? It was created using the reference command:

generate wrapkey 0 0 wrapkey 1 wrap-data:unwrap-data none aes256-ccm-wrap

With the only difference that I specified all 16 domains.

Also, how can I export the wrap key from the HSM in order to put it into a second HSM? I'm looking at the command reference, but either I am blind, or I can only see the import option...

I will greatly appreciate any help you can give.

Thanks

Wojciech

So I have a keyport pivot and I like it a lot. Keeps my keys compact and great to use my yubikey as a usb device. But when I need to use it as an nfc device with my android phone, I don't know if it is the bar on the side or the metal of my keys, but it breaks all functionality.

I've seen some solutions that effectively print a holster/mold to pop the yubikey in and out of and... that feels like I am all but guaranteeing that somebody posts on the "what is this" board after they find it on a train.

Anyone have any suggestions? I am tentatively fine with buying a new key organizer of a similar style.

We have the nano model on one end of the spectrum, but I figure it would be nice to have a quarter pounder edition that sits firmly on my desk. One solid weighty design with a huge touch surface that wouldn't require my dialling wand - it would allow me to waggle my extremities roughly where it's located in order to authenticate. Think of that palm scanner from Total Recall.

Sure I could tape my existing key to a larger object, or 3D print some sort of base, but I thought a dedicated Chonk Pro Max model would be cool.

I would ask you what you all think, but I just assume you all agree with me.

FIDO2 now works just fine over NFC on Android, including asking for a PIN. It just has you tap the key once, enter the pin, and tap again and hold.

We've been waiting for years to have this, iOS did it years ago, but we finally we got it!

Yay 🥳

How do you setup a yubikey as an authentication method for Android phone login?

It might be the reason for banks and other financial institutions not letting customers use device-bound passkeys.

Hello everyone. I recently remembered about passkeys and the fact that you can store them in Bitwarden. At first, I never used passkeys because I thought they weren’t secure, but it turns out they’re better than passwords.

I’ll be using the following security levels for all my accounts: (the higher the level, the more secure?)

• Yubikey Security Key as 2FA;

• Yubikey + OTP 2FA(Ente Auth), as some services require a backup;

• Only OTP 2FA(Ente Auth);

• Standard 2FA via email or phone number;

• Without 2FA. All my passwords in every account is randomly generated by Bitwarden.

And now I’ve learnt that Passkeys should be used, and that they’re actually better than OTP – they’re hard to enter on phishing sites, also thay are very easy to use, some of them you can use as password and 2fa, and you dont need to open Ente Auth and write a OTP code. And I’m completely confused now. As I understand it, there are two types of passkeys:

Cloud passkeys: these can only be stored in Bitwarden. But sometimes it seems you can also use them on a YubiKey. And here’s another confusion: such passkeys can act as 2FA, or they can completely replace the password and function as 2FA + password. So Yubikey can function as 2fa + password???

Hardware passkeys: Can these only be stored on a YubiKey, like in WebAuthn format? But usually the FIDO2 standard is used??

And every service uses all this differently, with different combinations! I wanted to create folders in Bitwarden for each security combination, but there are too many of them. It’s absurd. What should I do? I’m curious how you all use this? Or is it better to just give up and not use Passkeys at all?

What would make a key more secure?

do yubikeys wear out?

is there anything i need to worry about buying used yubikeys?

i saw 4 yubikeys for sell at local onlinr market for $10. Should i buy it? i have never used anything of physical keys before.

thanks!

Should the Yubico Authenticator show the websites and applications that the YubiKey is configured for?

Does anyone know the cost of windows standalone login license plus yubikey and license only from yubion?

Thank you for your help.

I did know Yubikey do not support pin over NFC in android, but iOS does.
From yesterday I noticed it supports on android too.