buy Yubikey

jujube

Arch-Supremacy Member
Joined
Oct 23, 2003
Messages
15,561
Reaction score
145
where do u guys buy your yubikeys from?

ship from the official website to be safe or can buy locally?
 

firesong

Supremacy Member
Deluxe Member
Joined
Jan 17, 2001
Messages
8,629
Reaction score
4,638
where do u guys buy your yubikeys from?

ship from the official website to be safe or can buy locally?
I decided against Yubikey cos the price is just prohibitive.

IF you use Google's Advanced Protection Program, you need two keys.

Since FIDO2 Webauthn is a standard and is now more widely recognised, I went with the Feitian K40 NFC/USB-C on Amazon. Got them for under $30 each when I bought them, with free shipping since I'm a Prime member. If you prefer USB-A with NFC, there's the K8. Works extremely well - tested them across multiple devices: the iPhone (7, 8, XS, 11), Pixel 4a, Samsung Note 9, S20+, Lenovo laptops, MacBook Pro.

No real reason to buy Yubikey now. The local price of one Yubikey 5 NFC or 5C NFC, I could buy 3 Feitian K40s. And I found out that Google's Titan keys are now made by Feitian, so it's essentially trustworthy enough.
 

firesong

Supremacy Member
Deluxe Member
Joined
Jan 17, 2001
Messages
8,629
Reaction score
4,638
might be tampered with, no?
Yeah. That's my worry also. Or that the key is still tied to someone else's account.

There's a local seller on Lazada, but I read reviews - it comes unsealed (bad idea in general). We have no way of knowing if it was ever used before.

Do note that not everything works with FIDO2, so you need to check.

If your enterprise application does not follow the FIDO2 standard and must use anything proprietary with Yubikey (because it is built on their proprietary APIs), then you might be out of luck. Still, check with enterprise if you could use a Google Titan Key or a Solokey - if those are acceptable alternatives, the Feitian or Thetis will be fine, since all the alternatives are adopting the FIDO2 U2F/Webauthn standard.

If it's for personal use, go with the NFC models since it helps you to log in on your phone.
 

firesong

Supremacy Member
Deluxe Member
Joined
Jan 17, 2001
Messages
8,629
Reaction score
4,638
kinda risky if you lose the key...
It's okay if you stored the backup codes.

Also, in general, most people advocate using at least 2 keys, one main and (at least) one backup. If you lose one of them, buy a replacement.

Don't keep them both in the same place so you don't lose both at the same time.
 

jujube

Arch-Supremacy Member
Joined
Oct 23, 2003
Messages
15,561
Reaction score
145
I decided against Yubikey cos the price is just prohibitive.

IF you use Google's Advanced Protection Program, you need two keys.

Since FIDO2 Webauthn is a standard and is now more widely recognised, I went with the Feitian K40 NFC/USB-C on Amazon. Got them for under $30 each when I bought them, with free shipping since I'm a Prime member. If you prefer USB-A with NFC, there's the K8. Works extremely well - tested them across multiple devices: the iPhone (7, 8, XS, 11), Pixel 4a, Samsung Note 9, S20+, Lenovo laptops, MacBook Pro.

No real reason to buy Yubikey now. The local price of one Yubikey 5 NFC or 5C NFC, I could buy 3 Feitian K40s. And I found out that Google's Titan keys are now made by Feitian, so it's essentially trustworthy enough.
thanks for this. i'll look into whether it is ok for the services i use such as 1password and crypto exchanges etc
 

firesong

Supremacy Member
Deluxe Member
Joined
Jan 17, 2001
Messages
8,629
Reaction score
4,638
thanks for this. i'll look into whether it is ok for the services i use such as 1password and crypto exchanges etc
It works with 1password. ;)

https://support.1password.com/security-key/
Not sure about your crypto sites. Just check the standards. The good companies adopt the open published standard rather than stick to proprietary, so it makes it easier all around. Also, note that U2F and Webauthn are better and more reliable than the OTP-type authenticators. If they use OTP type, then stick to Yubikey because of their TOTP support. The others usually support HOTP, so any accidental pressing of the button will generate one limited key, and you need to reset/realign the HOTP counter when it moves off too far - it's unnecessary hassle.

My main key is on my keyring, so the button is always accidentally pressed. :s13:

And do buy at least 2 keys so you have at least one backup.
 
Last edited:

jujube

Arch-Supremacy Member
Joined
Oct 23, 2003
Messages
15,561
Reaction score
145
It works with 1password. ;)

https://support.1password.com/security-key/
Not sure about your crypto sites. Just check the standards. The good companies adopt the open published standard rather than stick to proprietary, so it makes it easier all around. Also, note that U2F and Webauthn are better and more reliable than the OTP-type authenticators. If they use OTP type, then stick to Yubikey.

And do buy at least 2 keys so you have at least one backup.

appreciate it. yeah i know have to buy 2 and 2 x yubikeys will really be ex
 

theAnonymous

Arch-Supremacy Member
Joined
May 11, 2010
Messages
11,003
Reaction score
1,443
where do u guys buy your yubikeys from?

ship from the official website to be safe or can buy locally?

pls lah, if u wanna buy, buy direct from yubico website lah.

myself, i buy yubikey5, yubihsm2 directly.

dun kum and buy these types of devices from 3rd party.
 
Last edited:

firesong

Supremacy Member
Deluxe Member
Joined
Jan 17, 2001
Messages
8,629
Reaction score
4,638
appreciate it. yeah i know have to buy 2 and 2 x yubikeys will really be ex
Added some info about the OTP standards - in general, TOTP is less hassle than HOTP for a key that might be accidentally pressed.

TOTP is time based, so it's generally okay cos you can use the key within the time window.

HOTP is counter based, so if you accidentally press the key, the counter will increment. Once it goes off too far, you need to reset the counter in the app/website. This is extra hassle.

In general, it's comparable. But because i keep my key in my pocket, the chances of accidentally touching the button is very high. :s13:

My spare key is kept at home in a locked drawer.
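The TOTP-versus-HOTP difference described in the post above, shown as running code. This is an added example, not code from the thread or from any key vendor's firmware: it implements RFC 4226 HOTP and RFC 6238 TOTP with the Go standard library, a Token whose button press advances its on-device counter, and a server-side Verifier with a look-ahead window that resynchronises after a few stray presses and refuses once the counter has drifted too far. The window size of 5, the names Token/Verifier/LoginAfterStrayPresses, and the use of the RFC 4226 test-vector secret as the shared key are assumptions made for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp computes a six-digit RFC 4226 code from a shared secret and a counter.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation per RFC 4226 section 5.3
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// totp is HOTP whose counter is the number of 30-second steps since the Unix epoch (RFC 6238).
// Any press inside the same 30-second window yields the same code, so a stray press costs nothing.
func totp(secret []byte, at time.Time) string {
	return hotp(secret, uint64(at.Unix()/30))
}

// Token models the HOTP side of a hardware key: the counter lives on the device.
type Token struct {
	secret  []byte
	counter uint64
}

// Press is the button: every press emits a code and advances the counter,
// whether or not anyone was logging in.
func (t *Token) Press() string {
	code := hotp(t.secret, t.counter)
	t.counter++
	return code
}

// Verifier is the server side. It accepts codes up to `window` counters ahead of
// the last one it saw, which is how it tolerates a few stray presses.
type Verifier struct {
	secret  []byte
	counter uint64
	window  uint64
}

// Verify tries counters [counter, counter+window]. On a match it moves past the
// matched counter, so the same code cannot be replayed.
func (v *Verifier) Verify(code string) bool {
	for i := uint64(0); i <= v.window; i++ {
		if hmac.Equal([]byte(hotp(v.secret, v.counter+i)), []byte(code)) {
			v.counter += i + 1
			return true
		}
	}
	return false
}

// demoSecret is the RFC 4226 test-vector secret, used here as the constructed shared key.
var demoSecret = []byte("12345678901234567890")

// LoginAfterStrayPresses presses the button `stray` times with nobody listening,
// then makes one real login attempt and reports whether the server accepted it.
func LoginAfterStrayPresses(stray int) bool {
	tok := &Token{secret: demoSecret}
	srv := &Verifier{secret: demoSecret, window: 5}
	for i := 0; i < stray; i++ {
		tok.Press()
	}
	return srv.Verify(tok.Press())
}

// ReplayRejected checks that a code accepted once is refused a second time.
func ReplayRejected() bool {
	tok := &Token{secret: demoSecret}
	srv := &Verifier{secret: demoSecret, window: 5}
	code := tok.Press()
	return srv.Verify(code) && !srv.Verify(code)
}

func main() {
	fmt.Println("HOTP counter 0:", hotp(demoSecret, 0))
	fmt.Println("login after 3 stray presses:", LoginAfterStrayPresses(3))
	fmt.Println("login after 8 stray presses:", LoginAfterStrayPresses(8))
	fmt.Println("TOTP at t=59s:", totp(demoSecret, time.Unix(59, 0)))
	fmt.Println("TOTP at t=89s:", totp(demoSecret, time.Unix(89, 0)))
	fmt.Println("replay rejected:", ReplayRejected())
}
```

With a window of 5, three stray presses still log in because the server finds the code a few counters ahead and resynchronises; eight stray presses push the device past the window and the login fails until the counter is realigned, which is exactly the hassle the post describes. The TOTP calls show the other side of the trade-off: two presses 30 seconds apart fall in different time steps and give different codes, but presses within one step agree, so an accidental press never desynchronises anything.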
 

firesong

Supremacy Member
Deluxe Member
Joined
Jan 17, 2001
Messages
8,629
Reaction score
4,638
pls lah, if u wanna buy, buy direct from yubico website lah.

myself, i buy yubikey5, yubihsm2 directly.

dun kum and buy these type of devices from 3rd party.
I'm sure Google is a trusted brand too. It's also adopted by the US DoD IIRC.

If this were 3 years ago, I'd still advise people to go with Yubikey. Now, with the advancement and wider adoption of Webauthn as a published standard, Yubikey's advantage is lost imo.

In general, to gain widespread adoption, going by standards is a good way to do it. And FIDO2, U2F and Webauthn are standards.

Yubikey has the advantage in their ecosystem that generates TOTP and their own proprietary APIs that some apps use, but that's about it.
 

theAnonymous

Arch-Supremacy Member
Joined
May 11, 2010
Messages
11,003
Reaction score
1,443
I'm sure Google is a trusted brand too. It's also adopted by the US DoD IIRC.

If this were 3 years ago, I'd still advise people to go with Yubikey. Now, with the advancement and wider adoption of Webauthn as a published standard, Yubikey's advantage is lost imo.

In general, to gain widespread adoption, going by standards is a good way to do it. And FIDO2, U2F and Webauthn are standards.

Yubikey has the advantage in their ecosystem that generates TOTP and their own proprietary APIs that some apps use, but that's about it.
many years ago using google auth is already the standard. different security concerns need different things. for those ppl that want convenience and too cheapskate to buy devices, app TOTP is fine. more important stuff, yubikey and equivalent is better.

app-based is inherently not as trustworthy because stewpig ppl will anyhow install app and root phone.
 

firesong

Supremacy Member
Deluxe Member
Joined
Jan 17, 2001
Messages
8,629
Reaction score
4,638
many years ago using google auth is already the standard. different security concerns need different things. for those ppl that want convenience and too cheapskate to buy devices, app TOTP is fine. more important stuff, yubikey and equivalent is better.

app-based is inherently not as trustworthy because stewpig ppl will anyhow install app and root phone.
The keys I recommended are hardware based, not app based. Solokeys ran at least 2 crowdfunding campaigns for their keys too, and gained quite a reputation there.

Yubikey's OTP is using their proprietary app to generate the TOTP keys.

I secure my accounts fine with my Feitian keys. I have friends who use Thecus, Titan, and Solokeys. We don't have issues. The only thing we need to look out for is the support for FIDO2 + Webauthn/U2F and it's all good.

The Titan Keys by Google was first made by Yubikeys many years ago (since 2012 iirc), but was switched to Feitian in 2018. That's when I noticed this brand. I still watched for 2y before committing to buying 2 Feitian keys for myself.
https://www.cnbc.com/2018/08/30/google-titan-made-by-chinese-company-feitian.html
 
Last edited:

firesong

Supremacy Member
Deluxe Member
Joined
Jan 17, 2001
Messages
8,629
Reaction score
4,638
wth is it...
Hardware security keys for securing accounts, which are much safer than app/email/sms based OTPs. This is for greater security since it uses the "what you have" portion of security to protect your accounts.

They adhere to established web standards in order to do so.
https://fidoalliance.org/fido2/
Here's a list of officially certified hardware:
https://fidoalliance.org/certification/fido-certified-products/
A list of sites that benefit from hardware keys on the standard (ie, not only Yubikey)
https://www.dongleauth.info/

---

To increase security, you should use at least 2 out of 3 things: What you know (password), What you have (some hardware), What you are (Biometrics) to log in.

1. The password is easy. We all understand this.
2. Currently, SMS or email OTP attempts to use the "What you have" to provide for the second level of security in 2FA. The problem is, both email and SMS can and have successfully been hacked. Hence the market opened up for dedicated hardware devices in the form of USB/NFC security keys, a device that has a unique hash stored on it that won't change. Simply, once you key in your password, you need to tap (NFC) or insert the device into the USB port and press a button to authenticate the second level.
3. Biometric is also quite easy to understand. On the Mac and Windows, you have fingerprint readers. On Windows, you also have Windows Hello using the IR camera to attempt to add this feature.

For more reading, https://brainstation.io/cybersecurity/two-factor-auth

HTH.

Edit: To add, you may notice Google also using the "What you have" differently - when you log into gmail, you now have the option of setting your phone to authenticate the login process - you have a prompt come up on your phone where you have to verify, or tap on a number to complete the login process. So those without the hardware device (in this case, your phone) cannot log in to your account. DBS bank/Citibank credit cards also use this method to authenticate online purchases - you have to tap "Approve" on a popup within the app on your phone. Singpass requires you scan a QR code using your phone and authenticating that with a PIN/Biometrics (fingerprint or FaceID). So this fulfils the "What you have" portion too.

There are other layers of security that could be relevant. There's also "Where you are" (location), which some sites use, so if you set this to "Singapore only" for an account, anyone trying to hack you from Russia or the US will not be able to log in (although they could VPN in and successfully bypass this). Hence, hardware security keys remain the current strongest one.

The biggest caveat is, not every site supports hardware keys. Thankfully, many password managers do, along with many popular sites like Google, Facebook, Microsoft Accounts, Github, Dropbox, Amazon, etc. Stuff where your data integrity matters. The great irony? Banks do not support this, preferring to use the less secure SMS 2FA even though it's been proven to be quite easily hijacked if the hacker really wants access to your account.
 
Last edited:
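How a FIDO2/WebAuthn key actually supplies the "what you have" factor the post above describes, as an added and deliberately simplified example that is not from the thread, the FIDO Alliance or any key vendor. It models in Go an authenticator that holds a P-256 key pair scoped to the site's relying-party ID and signs a server challenge together with that rpID and the page origin, and a relying party that checks the signature counter moved forward (replay and cloned-key detection) and verifies the signature over its own rpID, origin and challenge. The names Authenticator, RelyingParty and RunScenario, the constructed challenge string and the look-alike domain example-com.evil.test are assumptions; real WebAuthn additionally carries attestation, a full clientDataJSON, credential IDs and user-presence flags, all omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models a hardware key holding one credential, scoped to the rpID it was
// registered for. The private key never leaves the device; only signatures come out.
type Authenticator struct {
	rpID    string
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Register creates a P-256 key pair for rpID and hands out only the public key.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.rpID, a.priv, a.counter = rpID, priv, 0
	return &priv.PublicKey, nil
}

// signedBytes is a simplified authenticatorData || SHA-256(clientData): the rpID hash,
// the signature counter, then a hash of the origin and challenge. Because origin and
// rpID sit inside the signed data, a signature made for one site is useless to another.
func signedBytes(rpID string, counter uint32, origin string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	clientData := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return append(append(rpHash[:], c[:]...), clientData[:]...)
}

// Assert signs a challenge after the button press. The browser derives rpID from the
// page origin, so a look-alike domain asks for an rpID this credential was never made for.
func (a *Authenticator) Assert(rpID, origin string, challenge []byte) (uint32, []byte, error) {
	if a.priv == nil || rpID != a.rpID {
		return 0, nil, errors.New("no credential for relying party " + rpID)
	}
	a.counter++
	digest := sha256.Sum256(signedBytes(rpID, a.counter, origin, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return a.counter, sig, err
}

// RelyingParty is the website: it keeps the public key and the last counter it saw.
type RelyingParty struct {
	rpID, origin string
	pub          *ecdsa.PublicKey
	lastCounter  uint32
}

// Verify requires the counter to move forward and the signature to cover this site's
// rpID and origin and the challenge it issued.
func (rp *RelyingParty) Verify(challenge []byte, counter uint32, sig []byte) error {
	if counter <= rp.lastCounter {
		return errors.New("signature counter did not increase (replay or cloned key)")
	}
	digest := sha256.Sum256(signedBytes(rp.rpID, counter, rp.origin, challenge))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], sig) {
		return errors.New("signature does not match this origin and challenge")
	}
	rp.lastCounter = counter
	return nil
}

// RunScenario registers one key with one site, then tries a genuine login, a replay
// of the same assertion, and a login relayed through a look-alike domain.
func RunScenario() (genuine, replay, phished error) {
	key := &Authenticator{}
	site := &RelyingParty{rpID: "example.com", origin: "https://example.com"}
	pub, err := key.Register(site.rpID)
	if err != nil {
		return err, err, err
	}
	site.pub = pub
	chal := []byte("constructed-challenge-0001") // constructed; real servers send fresh random bytes
	counter, sig, err := key.Assert(site.rpID, site.origin, chal)
	if err != nil {
		return err, err, err
	}
	genuine = site.Verify(chal, counter, sig)
	replay = site.Verify(chal, counter, sig) // same assertion again: counter has not moved
	// A phishing page at example-com.evil.test (constructed name) relays the real
	// challenge, but the browser scopes the request to that page's own rpID.
	_, _, phished = key.Assert("example-com.evil.test", "https://example-com.evil.test", chal)
	return genuine, replay, phished
}

func main() { fmt.Println(RunScenario()) }
```

The genuine login verifies; replaying the same assertion fails on the counter check; and the relayed login fails before any signature is produced, because the credential is bound to the rpID the key was registered with. Even if a browser were to hand the key the right rpID but record the wrong origin, the server's signature check fails, since the origin is part of what was signed. That binding is what SMS and app OTPs lack: a six-digit code works on whichever page the user types it into.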