Best 2FA Devices? Pros and Cons?

I’ve been looking into getting a 2FA device to handle authentication.
Yubico looks to be the most prolific go-to for this.
Also there are code generating keyfobs out there which I’ve used in the past and seemed to be decent.

What options do I have out there?
I’d like to eliminate using Google Authenticator and also eliminate 2FA through SMS for the majority of my 2FA items.

I already generate my own GPG sigs for stuff like git and personal file encryption, so I’m comfortable with that if there’s something I can use in that manner.

Why not an OTP app for Android/iOS?

Alternatively, KeePassXC can also do OTPs for most sites.

Because I want something not tied to a phone.

KeePass may be an option for me, but a hardware device is better. I prefer a physical separation of the keys from the device.

I have some YubiKeys. They’re fine. The YubiKey Bio looks promising if you can wait.

1 Like

It’s somewhat niche, but the Trezor hardware wallet also has U2F and FIDO functionality.

Pro:

  • Both the software and the hardware are open source

Con:

  • The cryptocurrency storage functionality may make it more expensive than a standalone 2FA device.
2 Likes

I really like this Trezor device. The Trezor One is 45 bucks on Amazon while the latest one is around 150 dollars. The Trezor One is the same price as a Yubico so that’s not terrible.

What is your experience with these? It appears to me they must have some sort of battery in them for the display, and I would be a bit concerned about the longevity due to that as well.

Glad to hear the YubiKeys work for you. The Bio is off my radar since courts have ruled biometrics aren’t passwords, but I appreciate your bringing it to my attention!

What is your experience with these?

I own and have used the Trezor One for a while, but mostly for the crypto side of things. I’m interested in setting up the 2FA stuff, but haven’t yet due to laziness.

Hardware-wise, I have no complaints. It’s easy enough to use and set up (even on Linux).

Software-wise, I have a few gripes, but nothing that’s a dealbreaker. On Linux, the official packages depend on systemd. Most distros have that, and there’s nothing in Trezor’s code that requires it; that’s just what their packages use for now.

I’ve taken a crack at building packages for OpenRC or SysV, but their package build tooling needs love before that can be completed. There are appropriate bugs open for both tasks. The developers are responsive both on official channels and unofficial ones like Reddit, but it’s not been a priority for them yet.

It appears to me they must have some sort of battery

No battery. Pulls all of its needed power over USB, and it’s a feature. :)

Source, Item 5

1 Like

Ideally, the fingerprint wouldn’t unlock anything without a password (at least nothing important). This would fulfill all 3 of the factors in MFA – you’d need to know the password, have the YubiKey and use your fingerprint.

2 Likes

You cannot beat a YubiKey. They are the most secure devices out there if you are securing a desktop or laptop.

Wow, so it looks like the Trezor may be on my list along with the Yubico!

I really like that it handles crypto; that’s a bonus IMO.

Thanks for this, I wasn’t aware of how that worked. I thought the FP was a passcode replacement.

1 Like

Their wallet software is also self-hostable and open source. Should SatoshiLabs ever close up shop, all core functionality remains viable.

The founder of SatoshiLabs is slush, the guy who founded the largest mining pool back before there were mining pools.

The Trezor is a product of nerdy passion; I love it. :)

1 Like

That’s awesome, I also love that it ties to systemd since that’s what I run on all my boxes (I know... I know :P)

This should be somewhat in your control, but it’s not out yet, so I can’t say for certain how it will be implemented.

Yeah, I love mine.

I’ve got LUKS set up to accept its challenge response to decrypt my laptop. I’m also using it on the forum, and on pretty much every other service that supports it.

1 Like