Try to imagine an answer to somebody having full access to all of your devices and still being able to have a chance at wrangling back control of your online accounts. This device is it.
Here’s why I have two Yubikey NEO devices:
- Availability. All TOTP tokens are initialized on both devices, and any U2F sites get both keys enrolled. I keep one safely stored and the other with me. If I lose one, I can still get into all my accounts to rotate credentials. This is far better than Google Authenticator on my cell phone which is much more likely to be broken or lost, and much less annoying than trying to replicate a similarly backup by printing tokens or trying to store them somewhere online that is both secure and accessible without my two factor device. I can plug my Yubikey into my computer or use NFC on my phone.
- TOTP: If my token isn’t in a computer, you can’t be me. If you didn’t capture my TOTP secret when it was initially created (or steal it from the provider’s server), you can’t copy it from my devices.
- PGP: My latest PGP key was device-generated. Nobody has a copy and you can’t steal it. There’s a device counter that keeps track of how many signature operations have been performed, so if I’m actually that diligent I can detect any unauthorized access to it for signing.
- FIDO U2F: I don’t believe that there’s any better system for 2-factor authentication than this. It goes a very long way to preventing spoofing as well as avoiding shared secrets. It also requires me to touch the device so get an authentication token solely through software.
- SSH access: A spin-off of PGP support, my ssh identity can be run through a PGP agent so nobody can ssh as me without having access to my device.
- Yubikey OTP: If you can’t implement U2F, this may be the next best thing.
- The firmware is fixed, so no Bad USB attacks are likely.
If your access credentials are worthy of a 2nd factor, this is the way to store it. If you can possibly use U2F, do so: not only for your own sake of security, but also for the rest of us by helping to speed adoption. The more people buying U2F devices, the more likely the world is to write code supporting it.
Seriously, this $50 device really is all that and a bag of chips. Other than physically storing my passwords, it supports every method I use to authenticate myself online and it does it more securely than any other method than I’m aware of. If you know of a better device, I’d love to hear about it. If you have an excuse to not buy one, I think it’s probably a poor excuse.