Reddit reviews Yubico Security Key - U2F and FIDO2, USB-A, Two-Factor Authentication

> Google Titan

They suck:

• The Titan hardware is the same as Feitian MultiPass K13 and Feitian ePass NFC bundle
  
  
• The rebranded MultiPass that they're selling sucks, it uses Micro USB which is a weak and outdated connector.
  
  
• The keys are made in China by a Chinese company. If you care about this, then you're better off with Yubico or some open source vendor. I don't have a problem with Feitian though, they've been in this business for a long time.
  
  
• The MultiPass key isn't waterproof and can be popped open. The non BLE versions are sealed using epoxy and really impossible to break, just like a YubiKey. I wouldn't trust a MultiPass key as a backup. See the Amazon reviews for yourself.
  
  
• There's lots of issues with BLE, OSes even had to block pairing with insecure security keys that Google/Feitian was forced to recall.
  
  
• It's another damn device that requires charging.
  
  
• Can only be used for Google Accounts on iOS with the Smart Lock app installed. While YubiKey has made active efforts to support the 5Ci on iOS.
  
  For $50-$70, I'd probably get one of these options as a backup:
  
  
• 50-70$ -1 x YubiKey 5 series, preferably the 5Ci or another 5 NFC.
  
• 60$ - 5 x Feitian HyperFIDO Mini, to hide them in bank lockers/backpacks
  
• 60$ - 3 x Yubico Security Key, because they support FIDO2 for Azure AD/Microsoft Acccounts
  
• 60$ - 1 x Feitian BioPass, since biometrics is more secure than typing a PIN on a software keypad. Wouldn't trust it in an airport though, legally a grey area.
  
  
  I also tried GoTrustID (paid) and Krypton which are app based U2F authenticators with push notifications for verification. They act as a decent wireless software backup that works for all accounts. GoTrustID is BLE based while Krypton uses push notifications.
  
  Google currently doesn't allow using an Android phone as a BLE security key except for Google accounts (uses a proprietary protocol called CaBLE that only works on Chrome Desktop right now).
  
  I've personally found USB-C to be the most robust method on Android phones and newer laptops, it's really quick and easy. Windows 10 doesn't even show me an option to pair a Bluetooth U2F authenticator on 1903, only Chromium browser has implemented it, not the OS itself. With the YubiKey 5Ci, it should be easy to authenticate on literally any device from the last 10 years with minimal dongles, so it will be my first choice as a backup. USB-C is better than NFC for me.

> Mon premier réflexe est d'utiliser des yubikey (je crois que c'est la version 5 qui a fido2, pas besoin de nfc) car c'est les seul que je connaisse... Mais elles sont plus cher que 25$. As-tu d'autre fabricant a conseiller?

Il y a deux séries de Yubikey récentes. Celle à 60$ qui a FIDO2 plus une tonne d'autres trucs et celle à 25$ qui a juste FIDO2 à laquelle je faisais référence. Pour l'instant il n'y a pas de d'autres manufacturier mais FIDO2 a été accepté comme standard par le W3C et le WhatWG donc ce n'est pas une technologie propriétaire. Aussi bien la Yubikey à 25$ qu'à 60$ est compatible NFC.

La clé à 25$ sur Amazon : https://www.amazon.ca/-/fr/Yubico-s%C3%A9curit%C3%A9-Fido2-USB-Prouver/dp/B07BYSB7FK/

Et Yubico vend aussi à rabais des paquets de clés mais je sais pas si c'est le cas au Canada vu qu'on ne peut pas commander directement d'eux et qu'on doit passer par Amazon et compagnie.

Correction: La clé à 25$ ne fait pas NFC, c'est 10$ de plus pour ça.

tl;dr - sorry, no.

People have reported that using 2-step verification can help when traveling or using VPN. Adding a U2F device will remove the dependence on having access to your phone.

2-Step Verification (2SV)

• http://gmailblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html
  
  
• http://www.google.com/landing/2step/ (account settings)
  
  
• https://support.google.com/accounts/answer/185839 (help center)
  
  
• https://support.google.com/accounts/answer/1187538 (make SURE to save backup codes)
  
  Universal 2nd Factor (U2F)
  
  
• http://googleonlinesecurity.blogspot.com/2014/10/strengthening-2-step-verification-with.html
  
  
• https://support.google.com/accounts/answer/6103523 (help center)
  
  
• U2F Key - https://www.amazon.com/dp/B07BYSB7FK https://www.amazon.com/dp/B07M8YBWQZ/

> Would it still be just as (if not just a little less) secure to put your TOTP's on Bitwarden, and use a separate TOTP for actually logging into Bitwarden stored only on your phone on, say, Aegis Authenticator?

Sure, that would work too. Or using a service such as Duo or something. I think a key (YubiKey) is your best bet for auth into Bitwarden. But the other methods would be fine as well.

One of the things you should consider is the loss of your phone. What happens in that case and make sure you have a way to recover. You could lose your phone, it could become "compromised", or even just break.

Lastly, I would say though that YubiKeys aren't as expensive as you might think. Here is one on Amazon for $20. https://www.amazon.com/Yubico-Security-Key-USB-Authentication/dp/B07BYSB7FK

You can buy your own security key and register it if you really need one. There are plenty on Amazon for around $20, like this. Make sure you don't pay extra for one with NFC if you don't have a phone.

Or have a friend who doesn't want a token/fob give you their free one.

From this site: https://www.yubico.com/works-with-yubikey/catalog/linux/ It looks like the "cheapo" Security key (Amazon Link) would do that, correct? Apart from NFC, what are the other downsides of that one?

Thank you very much for the help, out of interest, do you know if this would do the job: https://www.amazon.co.uk/Yubico-Security-Key-USB-Authentication/dp/B07BYSB7FK/ref=sr_1_5?crid=1D0IU4JKSJBOY&keywords=yubikey&qid=1565700729&refinements=p_76%3A419158031&rnid=419157031&rps=1&s=gateway&sprefix=yubik%2Caps%2C149&sr=8-5 or do you reccomend the more expensive Yubikey 5 + NFC version?