Update the 2FA page

[TommyTran732]

No description provided.

[opheron]

@TommyTran732 Hey, just a heads up I recently submitted PR #861 which also makes significant changes the 2FA article.

[dngray]

Feedback on the MFA article, would be don't make it too verbose or complex, as it is an entry article.

[TommyTran732]

Feedback on the MFA article, would be don't make it too verbose or complex, as it is an entry article.

Do you wanna split it into 2 pages then?

[TommyTran732]

IMO just recommending the Nitrokey and Yubikey and pretending that they are equal is not enough. The Nitrokey has the perk of integration with Heads and a built in password manager, but everything else it does is a lot worse than the Yubikey. Likewise, recommending hardware security keys over authenticator app or vice versa is not great either. It depends heavily on which exact protocol is being used and how the secrets are stored. Yubico OTP has worse privacy properties than TOTP for example, while FIDO2/U2F is superior to all of the other protocols. In general, storing TOTP secrets in hardware security key is preferable to using an app, but then the Nitrokey (which is recommended/mentioned on the page) doesn't encrypt those secrets, making it vulnerable to physical attacks and is a questionable recommendation at best.

I think the pros and cons of the protocols and the specific hardware keys should be made very clear, as they are crucial for doing threat modeling.

[realguyman]

It should be noted that TOTP-based authentication is still vulnerable to phishing attacks.

And it should be noted that hardware security keys and services which adopt FIDO2/U2F are not vulnerable to phishing attacks.

[realguyman]

If someone is going to purchase a hardware security key, it should be for FIDO2/U2F support.

Aegis Authenticator and other similar applications are secure enough for TOTP-based multi-factor authentication.

[TommyTran732]

If someone is going to purchase a hardware security key, it should be for FIDO2/U2F support.

Aegis Authenticator and other similar applications are secure enough for TOTP-based multi-factor authentication.

Depends. Yes, that is the most common use case, but it is not always applicable.
Take the Nitrokey storage 2 for example. It is an okay PGP smartcard, it has system integrity verification integration with heads (this is unique to Nitrokeys), and encrypted password storage. It stores HOTP and TOTP secrets as well, tho they are not encrypted.

For certain use cases, it is okay as a hardware security key despite of the fact that it does not support FIDO2/U2F.

[netlify]

✅ Deploy Preview for privacyguides ready!

Name	Link
🔨 Latest commit	e64a873
🔍 Latest deploy log	https://app.netlify.com/sites/privacyguides/deploys/6252e5e871d84d0009cf1c30
😎 Deploy Preview	https://deploy-preview-862--privacyguides.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site settings.

[jonaharagon]

These images could be improved.

[privacyguides-bot]

This pull request has been mentioned on Privacy Guides. There might be relevant details there:

https://discuss.privacyguides.net/t/solokey-hardware-security-key/11585/1