Reddit Posts
Bitcoin security basics explainer (exchange, LN, HW, security)
Bitcoin security basics explainer (exchange, LN, HW, security)
Mentions
Yubikey 5C NFC has many features and two methods of use: Methods of use: 1. USB (plug it into a PC or device) 2. NFC (tap it to a NFC reader on your smartphone etc) Features: 1. FIDO based authentication (aka "Security Key" or "Passkeys") 2. Static password (Yubikey turns into a keyboard momentarily and will type any password you tell it to (there are limits). Anyone with the Yubikey can access this password by tapping it.) 3. Time based one time codes (the 6 digit codes that rotate every 30 seconds) 4. OpenPGP 5. PIV 6. HSM 4 to 6 are irrelevant to you. Currently the smartphone Yubico Authenticator App can't modify static passwords, so to use this feature you will need a PC or Macbook of some kind. This leaves you with 1 or 3. 3 will be used with the Smartphone App. You swipe down on the screen and it will ask for an NFC tap. Tapping will show all the codes stored in the Yubikey unless you checked the "must tap to show" button when adding the account. To add an account, tap the button in the corner and tap "Add account"... scan the QR code or paste in the secret for the time based 2FA, and it will ask you to tap the NFC. Then it will store the secret on the key. You need to tap the NFC every time a new code is displayed (every 30 seconds) but you will almost always just input the first code you see so it's not needed to tap more than once usually. For 1, you need to register the FIDO key ("Passkey" / "Security Key") with a site. If you would like to use the Yubikey as a "Passkey"... then in the Yubico Authenticator Smartphone app you must open the options menu, and click "Change PIN" under "FIDO"... tap the key, enter the new PIN twice, then tap the key again to set the PIN. This PIN will be needed when you use the Yubikey as a "Passkey". Coinbase can register the Yubikey as a Passkey (ie. only the Yubikey tap + Yubikey PIN is needed to login to Coinbase) or a Security Key (ie. the Security Key tap + your Coinbase password is needed to login)... Each website lets you register the Yubikey in different ways. Explore the various websites and figure it out. You can not use a Yubikey to store crypto keys. Some Crypto wallets might have security key / Passkey based 2nd authentication, but you can't store a crypto wallet's private keys directly on the Yubikey. (Some wallets have a multisig setup where the static private key inside the Yubikey can be used as one of the signers, but this is too advanced for most people).
Yubikey is a FIDO2 security key. Now fido2 does support passwordless logins, but sadly not many platforms do. Most platforms support it as a u2f (universal second factor) or mfa (multiple factor authentication). So you’ll always have to logon using username+password+yubi. Be aware that this creates a risk, if you loose the key you are locked out. You should always have a backup key and enroll that backup key to the platforms.
Thanks for that… I had never heard of FIDO2 before now. Any further recommendations?
That makes for a rather uninteresting internet experience. Following links is fine. It's all the other poor choices that cause issues, like saving passwords in the browser and closing tabs instead of logging out. Not using MFA, etc. I follow shady links all the time, specifically to document the exploit(s) on the other end. The majority rely on the user to have done, or do something they should not. You'd be amazed how many are just a look-alike website that then ask for your login credentials. FIDO2 authenticators fix these problems.
I keep a much larger amount on Binance, but my account is fairly well protected by FIDO2 keys, as is my email. However, I spend every day in my account, as I trade almost daily, so I can notice if something wrong happens. If I drive somewhere and the account is left unattended for a while, I withdraw all the money to my cold wallet beforehand
OFFTOP: Is anyone looking into a FIDO key like this anytime soon? Sadly, they don’t design custom or more decent ones unless I’m missing the point of primary use. This 2-step authentication process should be easier and more convenient IMO. Shop links are so much appreciated in advance.
tldr; A scammer attempted to hijack a Kraken crypto account by wearing a rubber mask of the victim during a video call with a support agent. The attempt failed as the mask was easily identified as fake, and the attacker couldn't provide accurate account details. Kraken's Chief Security Officer, Nick Percoco, highlighted the importance of security measures like two-factor authentication and using FIDO2 passkeys to protect against such scams. He also noted that some exchanges might not have the same security diligence as Kraken. *This summary is auto generated by a bot and not meant to replace reading the original article. As always, DYOR.
tldr; Recent research by Thomas Roche from NinjaLab has identified a vulnerability, named EUCLEAK, in secure devices like electronic passports, Yubikey 5, and hardware wallets such as the Trezor V3. This vulnerability, present for over 14 years, allows attackers to extract private keys from devices using the Infineon SLE78 chip if they have physical access for five minutes and can use the device to generate signatures. The attack requires opening the device and advanced equipment worth about $10,000. The practical impact of this vulnerability varies, with hardware wallets and FIDO 2FA devices like Yubikey being notably affected. The vulnerability also raises concerns about the integrity of secure attestation protocols, potentially allowing attackers to simulate secure devices and undermine systems that rely on device authenticity. This poses a significant risk in scenarios like multi-sig federations and could enable the production of counterfeit devices that bypass authenticity checks. *This summary is auto generated by a bot and not meant to replace reading the original article. As always, DYOR.
Companies have shown off cameras that have such good zoom they can take your fingerprint from 100m away. Biometrics are an easy to steal piece of data, and you can't change it. So they make poor secrets / passwords / logins. To make a secure key you need good quality entropy (randomness) to generate strong un-guessable keys. Biometrics are useful as a way to add a layer of security as a roadbump to access strong keys. E.g. your thumbprint login on your phone or FIDO key.
That’s totally valid. It looks like the smart wallet supports passkeys based on the FIDO2 webauthn standard, so hardware security keys (eg yubikey) and cloud-synced password managers with passkey implementations are both supported. I was able to create a smart wallet with 1Password here: https://wallet.coinbase.com
Thanks! Not sure what FIDO/U2F keys are, but set up 2FA and passkey. Since you are in IT, would you be able to give insights on how they gotten into my email as well?
Yeah you got phished. We deal with this literally all day everyday in my IT dept. Setup 2FA and you won't have to deal with this. If you REALLY want to be secure, use FIDO/U2F keys. Pretty much the ultimate secure solution.
From what I understand FIDO2 should make you safe against phishing attack. Kraken does support FIDO2 but only for sign-in (not for trade 2FA for example). Google Auth and Yubikey OTP aren't protected against phishing attacks.
This is the best answer and I’m shocked there is only one comment talking about that. And yes, 2 different keys are a must, that way you have a backup if you lose one. You can buy Yubico Security Keys which are half the price of Yubikeys and works in 99% of the cases. The exception was Kraken, they’re using OTP instead of FIDO for what they’re calling the master key, but for a few weeks now you can use multiple login keys so no need for the master key anymore. And don’t forget to also secure your email account.
RETRO [GO], FIDO [GO], Guidance [GO], Control [GO], TELCOMM [GO], GNC [GO], BITCORN [GO]
I’ll give an example from years ago. I bought a stock/GNTX. I rode it thru multiple splits and had a low basis. Hadn’t bought any for a couple of years and saw an extreme under value. Bought a large amount and sold that amount about 6 months later. I pd a higher tax rate on the sale of that 1000 shares but I paid less taxes because my cost basis was $20 (LIFO) vs $2 (FIDO) Example…I sold at $30. $10 profit per share vs $28 profit per share. See the #’ difference?
I got a google FIDO key. It does bluetooth in limited circumstances and additionally I plugged in one of those magnetic cable connectors. Pretty convenient.