Update the 2FA page #862
Conversation
@TommyTran732 Hey, just a heads up: I recently submitted PR #861, which also makes significant changes to the 2FA article.
Feedback on the MFA article would be: don't make it too verbose or complex, as it is an entry article.
Do you wanna split it into 2 pages then?
IMO just recommending the Nitrokey and Yubikey and pretending that they are equal is not enough. The Nitrokey has the perk of integration with Heads and a built-in password manager, but everything else it does is a lot worse than the Yubikey. Likewise, recommending hardware security keys over authenticator apps or vice versa is not great either. It depends heavily on which exact protocol is being used and how the secrets are stored. Yubico OTP has worse privacy properties than TOTP, for example, while FIDO2/U2F is superior to all of the other protocols. In general, storing TOTP secrets in a hardware security key is preferable to using an app, but then the Nitrokey (which is recommended/mentioned on the page) doesn't encrypt those secrets, making it vulnerable to physical attacks, and is a questionable recommendation at best. I think the pros and cons of the protocols and the specific hardware keys should be made very clear, as they are crucial for doing threat modeling.
It should be noted that TOTP-based authentication is still vulnerable to phishing attacks. And it should be noted that hardware security keys and services which adopt FIDO2/U2F are not vulnerable to phishing attacks.
If someone is going to purchase a hardware security key, it should be for FIDO2/U2F support. Aegis Authenticator and other similar applications are secure enough for TOTP-based multi-factor authentication.
Depends. Yes, that is the most common use case, but it is not always applicable. For certain use cases, it is okay as a hardware security key despite the fact that it does not support FIDO2/U2F.
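The exchange above turns on why TOTP remains phishable: the six-digit code is a pure function of the shared secret and the current time, with nothing binding it to the site the user is looking at, so a relay that collects it on a fake page can forward it to the real service inside the validity window. The following block, an added example that is not part of this PR or of the Privacy Guides site, implements HOTP (RFC 4226) and TOTP (RFC 6238) on the standard library, verifies them against the published RFC test vectors, and then runs a constructed relay scenario against a verifier that accepts a one-step clock skew. The base32 secret, the 10-second relay delay and the helper names are assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 reference secret (ASCII "12345678901234567890"); the base32 form is
# what an authenticator app would scan from an otpauth:// QR code.
RFC_SECRET = b"12345678901234567890"
DEMO_SECRET_B32 = base64.b32encode(RFC_SECRET).decode()  # constructed for the demo


def secret_from_base32(b32: str) -> bytes:
    """Decode an authenticator-style base32 secret, tolerating missing padding."""
    padded = b32.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (T0 = 0)."""
    return hotp(secret, at // step, digits, digestmod)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check accepting +/- `window` steps of clock skew.

    Comparison is constant-time; nothing here (or in any TOTP verifier)
    can tell which origin the user typed the code into.
    """
    for k in range(-window, window + 1):
        candidate = totp(secret, at + k * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def phishing_relay(secret: bytes, at: int, relay_delay: int = 10) -> bool:
    """Constructed scenario: the victim's app shows a code, the victim types it
    into a look-alike page, and the attacker forwards it to the real service
    `relay_delay` seconds later. Returns whether the real service accepts it."""
    code_shown_by_app = totp(secret, at)          # read from the victim's phone
    code_typed_into_fake_site = code_shown_by_app  # nothing ties it to an origin
    return verify_totp(secret, code_typed_into_fake_site, at + relay_delay)


if __name__ == "__main__":
    s = secret_from_base32(DEMO_SECRET_B32)
    assert s == RFC_SECRET
    # RFC 6238 Appendix B vectors (SHA-1, 8 digits)
    for t, expected in [(59, "94287082"), (1111111109, "07081804"), (1234567890, "89005924")]:
        assert totp(s, t, digits=8) == expected, t
    print("TOTP at t=59:", totp(s, 59, digits=8))
    print("relayed code accepted by the real service:", phishing_relay(s, 1234567890))
```

The relay succeeds for any delay inside the verifier's window, which is why tightening `window` only narrows the attacker's timing and never removes the problem; FIDO2/U2F closes it instead by having the authenticator sign over the relying-party origin, so a signature produced for the fake site does not verify at the real one.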
- ![YubiKeys](/assets/img/multi-factor-authentication/yubikey.png){ .twemoji } [YubiKey](https://www.yubico.com/) | ||
- ![Nitrokey](/assets/img/multi-factor-authentication/nitrokey.jpg){ .twemoji } [Nitrokey](https://www.nitrokey.com/) |
These images could be improved.
Signed-off-by: Daniel Gray <dng@disroot.org>
This pull request has been mentioned on Privacy Guides. There might be relevant details there: https://discuss.privacyguides.net/t/solokey-hardware-security-key/11585/1