Privacy @programming.dev g33z @infosec.pub 12 mo. ago

What are good YubiKey alternatives with NFC and biometrics?

www.yubico.com USB-C YubiKey 5C NFC Two-Factor Security Key | Yubico

Protect yourself from account takeovers with the efficient, multi-protocol YubiKey 5C NFC. Go passwordless with our NFC capable security key today.

Hey everyone,

I am currently using an old(er) HYPERSECU FIDO key, USB-A with a button, and I am looking to

secure my phone as well (NFC) and, if possible
add biometric authentication to the mix.

Are there good alternatives or better: upgrades to the YubiKey which do support NFC as well as biometrics and come with a USB-C?

Thanks for your time 👋

17 comments

No doubt, Nitrokey.

Made In Germany ❤🇩🇪

Fully open source

Anti tempering
- You can also compile your own firmware. Updates are also verifieable
I know yubikey is the biggest in the market and it's always good to have alternates but is there a reason you don't want them?

I thought their security was pretty good and haven't heard of any breaches.
- Maybe their prices
  
  I think I paid 35 for USB-c and nfc... You think that is severely overpriced?
- May be similar issue as mine. Yubico has pretty awful on-device password support, but for MFA it works. With yubico you're better off thinking of per-site passphrases that you keep in memory in addition to their one-click password entry, so it gets memory heavy.
  
  My main thing is my paaword manager is protected by 2fa...maybe not 100%secure granted, but I am not a state level actor and have no major money/property to steal. That's probably why I have no similar issues.
Out of left field, but take a look at Trezor. They specialize in cryptocurrency hardwallets, but by extension, they also offer password/2fa functionality on their devices. No biometrics* that I'm aware of, but PIN protection is mandatory.

Site: https://trezor.io/
- Which one of their products would you recommend specifically?
  
  Either Safe 3 or Model T. Model T is their best option, but very costly. Safe 3 seems to be upgraded Model One for 10$ more.
You didn't mention it in your write up, so it's worth iterating that yubikey does have a bio series, USB-C fingerprint reader :

https://www.yubico.com/products/yubikey-bio-series/ fido2, usb-c, fingerprint

Feitian bio series

https://www.ftsafe.com/products/FIDO/BIO fido2, usb-c, fingerprint, nfc

Honerable mention, no NFC or fingerprint, but the only key has a hardware keypad for your pin. https://onlykey.io/
- The issue with onlykey is the static key placement. Trezor for example randomizes key positions, so even if someone gets the key, they won't be able to guess the PIN based on greasemarks and such.
  
  Also more resistant to over-the-shoulder spying.
  
  The trezor looks cool, but it's a bit bulky to put on a key ring. I wouldn't want to carry it around as my second factor.
  
  The benefit of external factors, like a fingerprint reader, like an external pin input is that a compromised computer doesn't get the something you know.
Nice suggestions, thank you very much, everyone.

So as I see it, there is no jack of all trades here, no device supporting modern encryption standards, having biometrics and NFC support and is best case made in Germany, at the moment. 🤓

I went for a YubiKey last night, I am sure it is good enough. 😅 And thanks again for your suggestions.
- The feitian device I linked up thread is the jack of all trade you out
Hello, You looked at the nitrokeys ?

https://www.nitrokey.com

You've viewed 17 comments.