From b2251c7b67aaa8369a82c341f9cfdbfd04a7f3da Mon Sep 17 00:00:00 2001 From: redoomed1 Date: Tue, 6 May 2025 16:52:47 -0700 Subject: [PATCH] update: YubiKey 5 with FIDO L2 and Nitrokey OpenPGP warning (#3005) Signed-off-by: Daniel Gray Signed-off-by: Jonah Aragon --- docs/security-keys.md | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/docs/security-keys.md b/docs/security-keys.md index 10566671..c5828d33 100644 --- a/docs/security-keys.md +++ b/docs/security-keys.md @@ -1,7 +1,7 @@ --- title: "Security Keys" -icon: 'material/key-chain' -description: Secure your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +icon: material/key-chain +description: These security keys provide a form of phishing-immune authentication for accounts that support it. cover: multi-factor-authentication.webp --- Protects against the following threat(s): @@ -19,11 +19,11 @@ A physical **security key** adds a very strong layer of protection to your onlin ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } -The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification[^1]. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. [:octicons-home-16: Homepage](https://yubico.com/products/security-key){ .md-button .md-button--primary } [:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} +[:octicons-info-16:](https://docs.yubico.com){ .card-link title="Documentation" } @@ -54,23 +54,21 @@ The firmware of Yubico's Security Keys is not updatable. If you want features in ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } -The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. +The **YubiKey** series from Yubico are among the most popular security keys with FIDO Level 2 Certification[^1]. The YubiKey 5 Series has a wide range of features such as [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), and [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. [:octicons-home-16: Homepage](https://yubico.com/products/yubikey-5-overview){ .md-button .md-button--primary } [:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} +[:octicons-info-16:](https://docs.yubico.com){ .card-link title="Documentation" } -The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. - -The YubiKey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [YubiKey 5 **FIPS** series](https://yubico.com/products/yubikey-fips) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. +The [comparison table](https://yubico.com/store/compare) shows how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series in terms of features and other specifications. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you choose the right security key. YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. -For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never exposed to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.

Warning

@@ -87,17 +85,17 @@ The firmware of YubiKey is not updatable. If you want features in newer firmware ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } -**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2**, or the **Nitrokey Storage 2**. [:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } [:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title="Documentation" }
-The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. +The [comparison table](https://nitrokey.com/products/nitrokeys) shows how the different Nitrokey models compare to each other in terms of features and other specifications. The **Nitrokey 3** listed will have a combined feature set. Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). @@ -113,7 +111,7 @@ While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plug

Warning

-Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). +Resetting the OpenPGP interface on a Nitrokey [Pro 2](https://docs.nitrokey.com/nitrokeys/pro/factory-reset) or Nitrokey [Start 2](https://docs.nitrokey.com/nitrokeys/storage/factory-reset) will also make the password database inaccessible.
@@ -123,7 +121,7 @@ Resetting the OpenPGP interface on a Nitrokey will also make the password databa ### Minimum Requirements -- Must use high quality, tamper resistant hardware security modules. +- Must use high-quality, tamper-resistant hardware security modules. - Must support the latest FIDO2 specification. - Must not allow private key extraction. - Devices which cost over $35 must support handling OpenPGP and S/MIME. @@ -132,7 +130,9 @@ Resetting the OpenPGP interface on a Nitrokey will also make the password databa Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. -- Should be available in USB-C form-factor. +- Should be available in USB-C form factor. - Should be available with NFC. - Should support TOTP secret storage. - Should support secure firmware updates. + +[^1]: Some governments or other organizations may require a key with Level 2 certification, but most people do not have to worry about this distinction.