What is the diff between Feitian and Yubikey actually? What made you choose Feitian instead of Yubikey?
Yubikey is the company that made this kind of key popular and kickstarted the adoption of this. Over time, they recognised the need for making this kind of 2FA a standard, and so were the original collaborators to define the standard. This is around 2008 or so (I recall first hearing about hardware keys around then since I was still active in the tech industry then).
In 2013, the FIDO alliance was formed to work on the universal standards. And the standards continued to develop and be aligned, Yubikey included. Over time, the standard evolved to FIDO2 + U2F, and then the W3C collaborated and brought Webauthn into the fold. This allowed for technologies like Microsoft Windows Hello to be developed around this standard.
I started to really notice alternative keys when I chanced upon the first Solokeys kickstarter campaign. IIRC, I could have bought a key for $20 or so, but I was concerned about using cheap rubber casings. This was about the time when Webauthn was still not really part of the standard, so it was FIDO2+U2F iirc. Still I waited and stuck to using SMS 2FA since SMS hijacking wasn't so common then. By this time I was already burnt by losing my phone and access to so many accounts.
All through that period, I was using password managers to improve security by having unique passwords for each site, but it was still riskily secured by email, which was secured by SMS 2FA. At the back of my mind, I would occasionally look at security keys but could not justify a $200 expense that had limited mileage.
Eventually, when the Singtel hijacking incident happened last year and was published in the news, I decided I couldn't rely on SMS anymore. We couldn't even rely on our mobile operators to protect our mobile accounts. With the spate of online accounts being compromised (thanks HIBP!), I figure it's time to jump. This was when I started reading up and doing more intense research, solely out of a desire to protect my online accounts.
Of course, like anyone else, I thought to buy a Yubikey. It's an established brand, and it's got decent mileage. Then I confirmed I had to buy at least 2, since Google's Advanced Protection Program requires a minimum of two keys - even though I was already advised previously to have a main and a spare so I wouldn't be locked out of my accounts. I also wanted NFC, since it was more convenient to use NFC authentication with phones. Doing my research, I realised the technologies had matured very much, and even Yubikey sign ons were all on the FIDO2+Webauthn or U2F standard, except for some proprietary implementations that used their APIs or required their app TOTP implementation. I took a shot and asked around, and to my surprise one of my friends was using the Google Titan which he bought while in the USA, and he told me it was based on the Feitian keys. Then another friend told me about the Solokeys Tap, and shared that the NFC worked well, but the rubber skin kept peeling off over time so it was troublesome.
In short, I happened to browse to Amazon one day, saw the Feitian K9 and K40 keys were $29.xx each compared to the $91 5C non-NFC, and decided I'll just buy two and see how it goes. Since then, I've not regretted not going with Yubikeys since it works flawlessly. I've also gotten another friend onboard this security crusade.
Because I know that I'll be keeping the main key on my keyring, it's expected to spoil over time. A $30 replacement is much easier to justify than a $90 equivalent, especially when it's functionally identical for the way I use it. Hence I stuck with standards-compliance. To use an analogy we all can relate to, Apple folks are stuck in the walled garden and pay to stay within it - I did not want to make that mistake with security keys that secure my accounts.
So in short, the similarities:
- Full FIDO2 standards compliant
- Webauthn and U2F
The differences:
- Yubikey has better apps (not really necessary from a hardware key POV)
- Yubikey has TOTP rather than HOTP, but this is dependent on the app to generate the TOTP keys.
- Cost was 3x for functional equivalent.
- Yubikey 5C NFC is thinner, but not really a dealbreaker for me.
All the sites and apps I use are secured by FIDO2+Webauthn or FIDO2+U2F. So I don't even bother with the HOTP features or PIV smartcard features. But they are available if I want to turn them on. The Feitian App is REALLY UGLY though.

Of course, the reviews from other buyers helped to convince me to try it also: