Nicolas wrote: ↑Thu Jan 26, 2023 10:43 pm
ObiQuiet wrote: ↑Thu Jan 26, 2023 7:45 pm
I've found the yubikey to be far more convenient than having to use SMS or a phone app.
Many sites let you register not only more than one yubikey (for backup) but also use the authenticator app on your phone. If you do this, you have more than one recourse if you've lost the key, or left it in a place where you aren't.
You can even duplicate the authenticator app -- a good use for an old cell phone, filed with your secure papers.
But isn’t an authenticator app less secure than Yubikey? If so, and you use both, then the security of your account is reduced to the weakest link, which is not Yubikey.
Yes, it is less secure.
SMS OTP - least secure, least convenient
TOTP - more secure, IMO same level of hassle as SMS (pull out your phone or reach for a token and get a # to type in)
U2F / Yubikey - most secure, and IMO most convenient (if you have one in each computer you use)
I notice that 1password actually has an embedded authenticator app, so you don't need to reach for your phone. Not sure about using that yet, as it seems to remove the "2nd" from "2nd factor".
It's unfortunate that people perceive U2F devices as less convenient.
Even more unfortunate that some institutions still allow falling back to SMS or email OTP, even when you are using something more secure.
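As an added illustration of the ranking in the post above (not code from this thread), here is a minimal TOTP generator and verifier per RFC 4226/6238 beside a simplified origin-bound check of the kind U2F/WebAuthn performs: the TOTP verifier takes no notice of where the code was entered, while the assertion verifier rejects a proof unless the signed origin is the site's own. The seed is the RFC test-vector key, the credential key and origins are constructed for the demo, and HMAC stands in for the authenticator's signature.

```python
import hashlib
import hmac
import struct

# Constructed demo secrets: TOTP_SEED is the RFC 4226/6238 test-vector key;
# CREDENTIAL_KEY is a hypothetical per-credential key standing in for a U2F key pair.
TOTP_SEED = b"12345678901234567890"
CREDENTIAL_KEY = b"demo-credential-key-not-a-real-u2f-key"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic
    truncation to a 31-bit integer, then reduction to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the wall clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check allowing +/- `window` steps of clock drift.
    Note what is NOT an input: where the code was typed. Any party holding
    a fresh code satisfies this check, which is the weak link the post describes."""
    current = unix_time // 30
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(current - window, current + window + 1))


def sign_assertion(cred_key: bytes, challenge: bytes, origin: str) -> dict:
    """Simplified U2F/WebAuthn-style assertion (HMAC instead of ECDSA): the
    authenticator signs the challenge together with the origin the browser
    reports, so the origin becomes part of the proof itself."""
    client_data = origin.encode() + b"\x00" + challenge
    return {"origin": origin, "challenge": challenge,
            "sig": hmac.new(cred_key, client_data, hashlib.sha256).digest()}


def verify_assertion(cred_key: bytes, assertion: dict,
                     expected_challenge: bytes, expected_origin: str) -> bool:
    """Server-side check: signature valid, challenge fresh, AND the signed
    origin is this site's, so a proof made for another origin is rejected."""
    client_data = assertion["origin"].encode() + b"\x00" + assertion["challenge"]
    expected = hmac.new(cred_key, client_data, hashlib.sha256).digest()
    return (hmac.compare_digest(expected, assertion["sig"])
            and assertion["challenge"] == expected_challenge
            and assertion["origin"] == expected_origin)
```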