The One and the Many

On security keys

I recently purchased two YubiKeys (one as a backup). I chose the YubiKey NEO as I thought it would be useful to have NFC to authenticate on my phone.

I intended to use them for 2FA for things like my Google and GitHub accounts. Security keys are far more secure than phone numbers or secondary email addresses. While I already used TOTP 2FA where that was supported, physical security keys are easier and more secure.

I was disappointed when I went through my accounts to set them up to use the keys. Only two sites I tried supported using them: Google and GitHub. (And GitHub forces you to have TOTP 2FA enabled if you want to use a security key.) Twitter supposedly supports U2F as well, but so far when I try to enable it, it hangs at a loading screen.

What I've discovered is that support for these keys is limited. I'm still happy with the choice to get these keys though. Google and GitHub are two of my most important accounts.

There are other ways to use the keys:

I didn't intend to do any of this, but after I received my keys I decided to look into some of them. In particular using them as SSH keys was attractive.

There are several ways to use it to authenticate with SSH:

All of these apparently involve customisation and hacks. I wasn't keen on any of them.

However this weekend I decided to give it a go. The least hacky looking method appeared to be using GPG as that did not involve code outside normal repositories.

After tearing my hair out for a while I got it working. I wrote a guide about how to do it.

I'm not thrilled with the setup, but I'm going to try using it for a while. In particular I dislike replacing ssh-agent. Also, having to run two extra daemons (scdaemon and pcscd) seems needlessly complex and increases my attack surface.
