@PublicNuisance @Metruzanca I hear you mate. I thought about this a bit, and this is what I came up with:

Syncing over the internet may be just as problematic for security.

Be wary of Yubikeys: they’re not open source. While they may provide decent security, there is a (granted, quite small) possibility they could be compromised. There have been a number of security vulnerabilities identified as well. There’s a non-comprehensive list here. Yubi is still a commercial operation with profitability being one of their primary goals.

If you are going to get a key, I would suggest looking into a Solokey – as at least the code is open for audit and is FIDO2 compatible (though it does lack some of the functionality that the Yubikey has). You can even get an unlocked Solokey and compile the code yourself to test.

Finally, if you use a hardware key, make sure to get at least two keys, and register both, so that if you lose one, you always have a backup. I still have not secured my own accounts for this reason. I only have one key (I got it for testing), and won’t secure my accounts with FIDO2 until I can get my hands on a second.

My thoughts on the subject of 2FA override codes are similar to my feelings on BEP2 Cryptocurrency Wallet backup codes. If I lose my phone, I could lose my entire crypto portfolio, regardless of how I secure it (biometrics, password, PIN, email etc). At least with a backup code, I can write it on a card, stash it in a safe place in a separate location (say a safe deposit box), and know that even if I lose my phone, it gets stolen, my passwords get leaked, or my email account gets compromised, I can always still recover my assets. But that’s just me 🙂
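The two practical points in the post above (register at least two keys before relying on FIDO2, and keep single-use backup codes that still work when every other factor is gone) map onto a small amount of server-side logic. The following is an added example, not code from the poster or from any real service: it models a hypothetical account with registered authenticators and hashed recovery codes, refuses to make FIDO2 mandatory until two keys are enrolled, and redeems each recovery code exactly once. All names (`Account`, `enable_fido2_only`, `issue_recovery_codes`, `redeem_recovery_code`) are invented for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

RECOVERY_CODE_COUNT = 8   # how many single-use codes to hand the user (assumed value)


@dataclass
class Account:
    # credential ids of enrolled FIDO2 authenticators (opaque strings here)
    authenticators: set = field(default_factory=set)
    # SHA-256 digests of *unused* recovery codes; plaintext is never stored
    recovery_hashes: set = field(default_factory=set)
    fido2_required: bool = False


def _normalize(code: str) -> str:
    """Make user input forgiving: strip spaces/dashes, lower-case."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def _digest(code: str) -> str:
    return hashlib.sha256(_normalize(code).encode()).hexdigest()


def register_key(acct: Account, credential_id: str) -> None:
    """Enrol one hardware key (e.g. a Solokey or Yubikey) by its credential id."""
    acct.authenticators.add(credential_id)


def enable_fido2_only(acct: Account, min_keys: int = 2) -> None:
    """Refuse to lock the account to FIDO2 unless a backup key is enrolled too."""
    if len(acct.authenticators) < min_keys:
        raise ValueError(
            f"need at least {min_keys} registered keys, have {len(acct.authenticators)}"
        )
    acct.fido2_required = True


def issue_recovery_codes(acct: Account) -> list:
    """Generate fresh codes, store only their hashes, return plaintext once.

    Re-issuing invalidates any previously issued set.
    """
    codes = []
    for _ in range(RECOVERY_CODE_COUNT):
        raw = secrets.token_hex(5)            # 40 bits of entropy per code
        codes.append(f"{raw[:5]}-{raw[5:]}")  # xxxxx-xxxxx, easy to write on a card
    acct.recovery_hashes = {_digest(c) for c in codes}
    return codes


def redeem_recovery_code(acct: Account, code: str) -> bool:
    """Consume a recovery code. Returns True once per code, False afterwards."""
    candidate = _digest(code)
    for stored in acct.recovery_hashes:
        # constant-time compare so timing does not leak partial matches
        if hmac.compare_digest(candidate, stored):
            acct.recovery_hashes.discard(stored)
            return True
    return False


if __name__ == "__main__":
    acct = Account()
    register_key(acct, "solokey-primary")       # constructed credential id
    try:
        enable_fido2_only(acct)
    except ValueError as e:
        print("blocked:", e)
    register_key(acct, "solokey-backup")        # constructed credential id
    enable_fido2_only(acct)
    codes = issue_recovery_codes(acct)
    print("write these down:", codes)
    print("first use:", redeem_recovery_code(acct, codes[0].upper()))
    print("second use:", redeem_recovery_code(acct, codes[0]))
```

The check in `enable_fido2_only` is the server-side equivalent of the "get two keys before you commit" advice; the hashing in `issue_recovery_codes` is what lets the card in the safe deposit box remain useful even if the service's database leaks.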
