#yubikeys — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #yubikeys, aggregated by home.social.
-
I've got #LibreWolf installed as a #Flatpak.
Was going to reply that, unfortunately, LibreWolf wouldn't work with my #YubiKeys …then it occurred to me:
#Flatseal > Applications > LibreWolf > Device > All devices > ON
-
Elon Musk’s X botched its security key switchover, locking users out
-
Folks, if you're looking for useful Christmas gifts (#Weihnachtsgeschenke) for your loved ones, consider giving #FIDO2 USB tokens:
https://karl-voit.at/FIDO2-vs-Passkeys/
There is currently no other method of logging in that is guaranteed to be #Phishing-protected. Unfortunately, #Passkeys have by now also acquired an opening for phishing (see the corresponding section in the article).
I can no longer fully recommend #Yubikey as a product: see the FAQs.
#publicvoit #Sicherheit #security #Geschenkidee #Geschenkideen #Geschenke #Yubikeys
-
After a reboot today, #Ubuntu24 refused to let me use my #Yubikeys.
So I could no longer log in to my servers via ssh with #pkcs11.
A stuck filesystem action on a remote filesystem apparently prevented Linux from putting my laptop to sleep... Totem could not be terminated by the kernel... but that's another story. In any case, my laptop didn't shut down until the battery was empty.
In a fit of senile early rising, I grabbed my laptop and wanted to check why Friendica was only showing blurred preview images (spoiler: the debug log of another service had filled up my disk...) and my ssh-agent refused to add the Yubikey. Steadfastly.
A look at the journal then revealed the following oddity:

    Sep 12 04:34:02 AET-1931 pcscd[24807]: 99999999 auth.c:143:IsClientAuthorized() Process 36310 (user: 2000) is NOT authorized for action: access_pcsc
    Sep 12 04:34:02 AET-1931 pcscd[24807]: 00000197 winscard_svc.c:355:ContextThread() Rejected unauthorized PC/SC client

Restarting pcscd brought no relief.
Neither did a reboot, by the way.
So, keep searching. Based on my research, first:

    opensc-tool --list-readers
    No smart card readers found.

Crap... and what does gpg say?

    gpg --card-status
    gpg: selecting card failed: Kein passendes Gerät gefunden
    gpg: OpenPGP Karte ist nicht vorhanden: Kein passendes Gerät gefunden

Consulted the journal about it... scdaemon recognizes my smart cards, but pcscd denies my user access.
So, trying as root... yes, there opensc-tool lists my smart cards.
Then an even stranger finding...
Run inside tmux, pcscd refuses the query from opensc-tool, but in a normal Bash there is a result... my tokens are there.
Then I tried my SafeNet eToken... it could be added to the ssh-agent just fine... well, it doesn't use scdaemon or pcscd anyway (separate exception in the config).
Finally I found what I was looking for at bugs.debian.org/cgi-bin/bugrep…. Apparently, Polkit rules that allow users to use pcscd/smart cards were removed... on 8 September, during the update, /usr/share/polkit-1/rules.d/sssd-pcsc.rules was changed so that the rule now only applies to root. At least, that's when the file was updated.
And only today did the change take effect, because of the forced reboot...
In any case, the solution was the following:
I created a file /etc/polkit-1/rules.d/40-allow-pcscd.rules

    # cat 40-allow-pcscd.rules
    polkit.addRule(function(action, subject) {
        if ( subject.isInGroup("plugdev") &&
             ( action.id === "org.debian.pcsc-lite.access_pcsc" ||
               action.id === "org.debian.pcsc-lite.access_card" ) ) {
            return polkit.Result.YES;
        }
        return polkit.Result.NOT_HANDLED;
    });

and added my user to the plugdev group. Log out and back in so the group change takes effect... and I could use my Yubikey again for authenticating ssh connections.
But why gpg on the Yubikey no longer works... remains a mystery to me too.
-
Saw some post about migrating #authenticator apps... and I realised I never used Google app for example. Because when I started configuring #2FA, I already had #Yubikeys :blobcatpeek2:
So I naturally downloaded their Yubico Authenticator to use something I could use, without even thinking. And this was/is my first #OTP app I ever used.
I tried FreeOTP or something similar when it was recommended for some work thing in previous job, but never had a chance to really "feel" that because I changed jobs shortly after.
And now I thought for the first time that my only experience with OTP is when codes aren't device-locked... :blobcatgiggle:
And for me it's an absolutely natural state, as things should be.
-
Oh, look, another thrilling blog post about creating your own offline PKI system with 3 #YubiKeys and a computer that can barely run Tetris! 😂 Because nothing screams "fun weekend project" like locking yourself in an air-gapped bunker just to feel marginally more secure while the rest of us enjoy the cloud, amirite? ☁️🔒
https://vincent.bernat.ch/en/blog/2025-offline-pki-yubikeys #offlinePKI #security #humor #weekendproject #airgapped #HackerNews #ngated
-
Ok, I'm going to fully admit I'm not entirely sure how to use #YubicoAuthenticator amongst multiple #YubiKeys vs, say, #Authy or #GoogleAuthenticator after a year+ of off/on looking to try it out.
Do I need to store the #TOTP seeds on every #YubiKey I own? And they all take up a slot? If so, I'm glad for most high value ones, I've been saving encrypted copies of the initial secret key in my password manager. Is that the way it works, all stored in the keys, and not some DB on each device?
-
#YubiKeys Are a #Security Gold Standard—but They Can Be Cloned
Security researchers have discovered a #cryptographic flaw that leaves the #YubiKey 5 vulnerable to attack.
#privacy
-
According to #Yubico, it took six months for a firmware vulnerability that allows cloning of #YubiKeys using #EllipticCurveCryptography to be resolved and responsibly revealed to the public. That's not the problem.
The real problem is there will always be another unpatched vulnerability just around the corner. That's why we need new ways of framing what #cybersecurity should look like in today's modern enterprise. Old-school #defenseindepth still has a place, but businesses must find new ways to reduce the amount of sensitive data that's at risk in a #databreach when all layers of defense are inevitably pierced.
https://www.yubico.com/support/security-advisories/ysa-2024-03/
-
YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel.
#YubiKeys #Security #Tech #News #TechNews #AllThingsTech #SecurityKey
-
It seems a “vulnerability” has been discovered in #Yubikeys, since they are “clonable”.
#Ciberseguretat #SeguretatDigital #Tecnologia #Autenticació #Privacitat #Hacking #SeguretatInformàtica
As @rysiek says, the attack requires:
- Physically opening the YubiKey
- Physical access to the YubiKey “while it is authenticating”
- Non-trivial electronics lab equipment...
Basically, in every possible scenario, you are safer using a #YubiKey than not using one.
-
And this happened... I accidentally left my #yubikey (this one on dogtag chain I always had on me) in friend's house :blobcatsad2:
Now I really feel naked or like I suddenly lost my weapon or my "magic powers". Have to take it back soon because it's very uncomfortable even if technically I have enough backup configurations to use other #yubikeys to access my things (all my devices/accounts are strongly dependent on yubikeys so I made good backups from the beginning).
-
Short cautionary story
I wanted to synchronize #OTP on my all #yubikeys - now five because of circumstances, I wanted to have every one replaceable with each other and don't wonder which one I must use.
For people not familiar with them, OTP codes are stored on #yubikey itself, apps are interfaces to interact with it. So they could be used on any device with any version of #YubicoAuthenticator app. I mostly use terminal version on my Linux desktop. And during new account/credential creation user usually writes all in one command, together with seed code.
It was some time since I created something, so I tried to check correct command syntax in #shell #history. And suddenly I realized I have all seed codes stored in history, ready to reuse.
For me it was convenient then, I didn't have to register in all services again, simply copy-paste old commands for new keys. But everyone could see how it could be terrible for #security :blobcat_ohnoes:
Everyone with access to my laptop and terminal could also use them. Of course I use #LUKS so my shell history (or other data on my laptop) isn't easily available :blobCat_evil:
So, be careful what you could have in shell history.
And use full disk #encryption everywhere, just in case, you could forget many small things in various places!
-
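The shell-history exposure described in the cautionary story above can be checked for with a short scan. This is an added example, not part of any post; it assumes the `ykman oath accounts add` / `ykman oath add` command form and Base32 seeds of 16 or more characters, and the sample history with its seeds is constructed.

```python
import re
import shlex

# Assumption: OATH seeds are Base32 strings of at least 16 characters.
# A long all-letter account name can match too, so review hits by hand.
BASE32 = re.compile(r"^[A-Za-z2-7]{16,}=*$")
# zsh EXTENDED_HISTORY prefix, e.g. ": 1700000000:0;command"
ZSH_PREFIX = re.compile(r"^: \d+:\d+;")

def seed_tokens(line):
    """Return Base32-looking arguments of a `ykman oath ... add` command."""
    cmd = ZSH_PREFIX.sub("", line.strip())
    try:
        tokens = shlex.split(cmd)
    except ValueError:  # unbalanced quotes: fall back to plain splitting
        tokens = cmd.split()
    if not any(t.rsplit("/", 1)[-1] == "ykman" for t in tokens):
        return []
    if "oath" not in tokens or "add" not in tokens:
        return []
    args = tokens[tokens.index("add") + 1:]
    return [t for t in args if BASE32.match(t.replace(" ", ""))]

def scan(lines):
    """Return (line_number, redacted_line) for every line that stores a seed."""
    hits = []
    for number, line in enumerate(lines, start=1):
        seeds = seed_tokens(line)
        redacted = line.rstrip("\n")
        for seed in seeds:
            redacted = redacted.replace(seed, "<REDACTED>")
        if seeds:
            hits.append((number, redacted))
    return hits

# Constructed sample history; the seeds are made-up Base32 strings.
SAMPLE = [
    "ls -la",
    "ykman oath accounts add -t GitHub:alice JBSWY3DPEHPK3PXPJBSWY3DP",
    ": 1700000000:0;ykman oath add Mail 'GEZD GNBV GY3T QOJQ'",
    "ykman oath accounts code GitHub",
    "ykman oath accounts add Work",  # no seed on the command line
]

if __name__ == "__main__":
    for number, line in scan(SAMPLE):
        print(number, line)
```

To check a real history, pass the lines of the history file to `scan()` and review each reported line before editing the file.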
Recently added quite a few finger-sized gadgets!
- Kingston DataTraveler Exodia 64GB
- Orico USB-C female to USB-A male
- PortaPow Data Blocker Pure - Prevents juice jacking
- Sandisk Ultra Luxe 64GB
- Kingston Ironkey Locker+ 50 32GB
- Yubico Security Key USB C NFC
Really happy with the performance of each product so far.
#usbflashdrive #KingstonIronkeyLocker50 #IronKey #yubico #yubikeys #Orico #portapow #juicejacking #sandisk #flashdrives #securitykeys #datablocker #usbcondom #newtoys
-
@frank @keno3003 You mean resident keys: https://duo.com/labs/tech-notes/resident-keys-and-the-future-of-webauthn-fido2
AFAIK you only need those for #Passkeys but not for standard #FIDO2. My #Solokeys has 50 slots for resident keys, some #Yubikeys only 25.
But you can run an unlimited number of FIDO2 services with one token. One more advantage of FIDO2 HW tokens.
HTH
-
So apparently, according to Yubico's CS, they accidentally placed a "normal", no-barcode Security Key into an "Enterprise Edition" packaging and told me not to worry about it. They advised me to reset the key with ykman if I was still worried.
#yubikey #yubikeys #yubico #OnlineSecurity #CyberSecurity #hardwarekey #securitykeys #fido2
-
For actually using the hardware key on macOS login (not Apple ID), you need the more expensive @yubico 5 series keys as they support PIV. So don't buy the wrong key! If in doubt, and budget allows, get the 5 series.
And another common service to use 2fa hardware keys is @bitwarden. You need Bitwarden Premium to use it, not the free tier.
#2fa #2FAkey #yubikey #yubikeys #yubico #OnlineSecurity #macos #hardwarekey #bitwarden
-
For those who want to use hardware security keys to secure your Apple ID, make sure you fulfil these requirements: all your devices need to support iOS 16.3, iPadOS 16.3, macOS Ventura 13.2, or later. They also ask you to register at least two hardware keys when you activate hardware security keys on your Apple ID.
https://support.apple.com/HT213154
#fido2 #FIDO2Protocol #2fa #2FAkey #yubikey #yubikeys #yubico #OnlineSecurity #appleid #hardwarekey
-
Gonna be buying 2 hardware keys to up my online security game. Chose the @yubico more budget friendly, Security Key series—one USB-C, one USB-A. I also just read that Firefox 114 (June 2023) on macOS and AWS now supports FIDO2. Hope the setup is smooth sailing! Been wanting to use a hardware key for ages...
https://www.yubico.com/blog/firefox-support-for-fido2-authenticators-is-here/
#fido2 #FIDO2Protocol #2fa #2FAkey #yubikey #yubikeys #yubico #OnlineSecurity #firefox #macos
Poll (select all that applies)
-
"How Hype Will Turn Your Security Key Into Junk"
https://fy.blackhats.net.au/blog/2023-02-02-how-hype-will-turn-your-security-key-into-junk/
#security #authentication #passkeys #webauthn #yubikeys #hardwarekey