I'm wondering what folks who are more involved with infosec and have their fingers on the pulse are thinking for best devices and practices at this time.
From my perspective, modern computing has made MFA a requirement for pretty much everything. I'm not a fan of app-based as it is too fragile and increases possible attack surface.
When it comes to HW keys, I see a few factors:
Physical manufacturing location/supply chain
Source code access
Third-party certification
The first one is fairly straightforward - do you have trust in the place of manufacturer and the components used? Or, is there some other philosophical reason (ex. labor conditions)?
The second and third are a bit less clear. It seems to me that the more open the source, the more auditable and verifiable, however, this seems to be inversely related to the chance that a device is certified by the FIDO Alliance. I'm not sure if this is due to it being a commercial working group or costs involved being more likely to be prohibitive for OSS/OSHW projects. Any other certifications recommended?
While I would rather the verifiability of open-source, it seems like Yubico's offerings might be winning out in the other categories for the price. Any thoughts?
YubiKeys are pretty great. I use it. I hate when you have to authenticate via sms, and apps are slightly better.
If you get a YubiKey, you can use it to authenticate into your password manager. I know some people who do only that and they use the randomize password function that’s long and would never be human memorizable.
If you don’t do that, support for the key is listed on their website. There’s enough support on various platforms to make it worth it. But I was surprised the list was so small. I do wish more financial institutions would get with it. Most of my banks only do sms.