Well, that's something you don't see every day - a still-panelized set of 16 security keys!

I'm told these were part of Google's Titan / Gnubby development process. (Artemis was a daughter of Leto, who was a Titan -- get it?)

I assume they don't have firmware on them yet, but it might be tricky to find out non-invasively.

#SecurityKeys #Gnubby

Security key that's new to me: Thetis Nano-C!

https://thetis.io/products/thetis-nano-c-fido2-security-key-device-passkey-usb-c

Also news to me, I'm clearly behind: FIDO2 has levels:

https://fidoalliance.org/certification/authenticator-certification-levels/

This key is FIDO2 L1, and different applications may require different levels. Notably here, L1 is the minimum to get any certification at all, and you can't get L2 unless you have an actual secure hardware element. So with the device at this level, you get the independence of a separate physical object with a dramatically simpler software surface, but I suspect it might be easier to get secrets right off the key with physical possession.

(Note that this is an organic post, not sponsored in any way. I happened upon it in an eBay listing. I never do solicited or compensated endorsements.)

#SecurityKeys

GoDaddy makes you pick which security key you want to be prompted for by default, and only allows this key to be presented unless you follow the "try another way" workflow.

What is the purpose / threat model of this? It seems unnecessarily high friction to me, and as far as I know is not done by any other platform.

#SecurityKeys

Since the last time I logged in fresh, Google has moved "2-step only" (non-passkey) security keys to be the first factor prompted for.

Only after a good key is presented is the user prompted for their password.

You are then prompted to create a passkey "instead", with a "Not now" option.

#SecurityKeys #MFA

TIL Proton dropped their maximum supported security keys (some time after mid-August 2024) from 8 to 4 keys?! (Notice the tiny "8 out of 4" label, because I had registered the maximum 8 keys)

I suspect my current config will be stable until I need to explicitly delete a key, in which case I won't be able to add a replacement unless I delete five keys. 😡

#MFA #SecurityKeys #FIDO2 #Proton

@aleidk I replaced “mobile phone account” with “mobile phone provider account” to be clearer about what I meant.

For banks (in the EU), AFAIK there is a strong reason why they never even mention FIDO2: for a transaction at least, the device where validation is performed must give basic info on the transaction: seller and amount.

Another point: the software support depends on site, browser (e.g., Firefox desktop != Firefox mobile), type of key, physical communication protocol (like USB vs. NFC). I ran a lot of tests with various sites and my USB-A and USB-C keys, sometimes using NFC, other times USB. Some combinations don't work, or worked at some point and not later (or worked with Chrome but not Firefox, etc.). This can be quite stressful or even dangerous if this is for an important account and you have no backup plan (⇒ don't). And if the backup options are 1) exploitable in your threat model and 2) not very secure, this obviously reduces or nukes the advantage of using a security key in the first place.

A typical backup option which is not insecure from my POV if well handled is a set of recovery codes, but for this you need to store them very carefully, safely... and not forget how to access them in x years! In these conditions, setting up a new account requires “some work”.

And I say all this despite wishing FIDO2 great success, 'cause SIM swapping attacks in particular are quite scary given how much important stuff still depends on codes sent by SMS. 😐

#FIDO2 #SecurityKeys #authentication #threatModel

Is anyone here using Dropbox through the Safari browser on macOS and has Google Titan Keys? Can you register the Titan Keys as security keys in your Dropbox account? In Safari, enrollment does not work. The error message "Key Not Found" appears. In Edge I was able to set up one of two Titan Keys. #fido2 #securitykeys #dropbox

Locking Down Your Digital Life: Why Security Keys Are Your Ultimate Shield https://youtu.be/W8JoSShkD4c #cybersecurity #securitykeys #yubikey #passkeys #riskmanagement
Gmail Takeover Hack Attack—Google Warns You Have Just 7 Days To Act

As Gmail users complain hackers have compromised accounts, changing passwords and passkeys in the process, Google advises they have 7 days to regain control—here’s how.

Forbes

TIL the maximum number of security keys I can add to my Apple account is ... six. 😢

Say it ain't so, @rmondello !

#SecurityKeys