Wednesday, April 10, 2019

Things I learned when setting up hardware keys for Google accounts

Here are some items that are potentially useful to know when setting up a hardware key (e.g. a Yubikey) for online security.

1.  Yubikey is grossly overpriced.  HyperFIDO has fully compatible keys at a quarter of the cost, and they even protect the USB plug contacts - something Yubikey does not do.

(Why most key makers choose designs that expose the USB contacts, I will never understand.)

They also have a mini version.  Reviews say it is not as well built, but at this price, you can afford to buy spares.  Plus it comes with a cap to keep grunge out of the USB plug.

Unfortunately, they don't have a Bluetooth / NFC version.  For that you should consider a Feitian at half the cost of a Yubikey.

[Update]:  I have noticed that some services work with Yubikeys, but don't work with other FIDO-compatible keys.  This is a problem on their end.  I've had good luck with companies fixing their issues once I point them out.

2.  You can't use Firefox for setup.  You can use Firefox for ongoing use, but to set up, you must use Google Chrome.

3.  With Google, you can add many keys.  I was able to add five to my Google account.  If there is a limit, I've not found it yet. 

This is most excellent since you can have multiple keys for different purposes (desktop, laptop, travel) plus pre-registered backups stored in a safe place for when you lose/break your primary key(s).

4.  You still need your passwords.  Hardware keys supplement passwords, but - currently and somewhat oddly - do not replace them.

5.  Phone/text verification is fairly secure, but not as secure as a hardware key.  After you enroll your keys, you should consider removing your mobile as an option for 2-step verification.

As far as I know - and I've not yet tested - for ordinary two-factor authentication, you can use a physical key for your desktop, but you do not absolutely need one for your mobile.  I intend to find out as soon as I can.

If, however, you enroll in the Google Advanced Protection program, you (apparently) must have at least one key for your mobile.  This usually means a Bluetooth or NFC key, though USB-C keys are also available.

[Update]:  I've only been asked to use my mobile (NFC) key a couple of times.  Usually when I'm off my WiFi network and signing in to some new service.

Other notes:

- Adding and removing keys is a snap.

- The LED on the Mini is fairly bright.  There is an LED on the Titanium also, but it is not obtrusive.