[kwlug-disc] MFA security keys
Paul Nijjar
paul_nijjar at yahoo.ca
Mon Sep 30 23:57:37 EDT 2024

There are Yubikeys, which are the market leader. I had a Yubikey 5
(the black one) and a Yubikey Security key (the blue one).

I now need to get additional keys for myself. The default choice is a
Yubikey but I am not sure whether to consider others (NitroKey,
SoloKey, Thetis, OnlyKey, Token2 key).

Requirements:
- USB-A
- WebAuthn/FIDO2 support
- Durable so it won't break if I have it on a wallet
- Just works without me needing to sysadmin a hardware key.

Nice to haves:
- OTP (One time password) support?
- Different colors so when I have multiple keys I don't mix them up
- No NFC if possible
- No biometrics. Making contact with the button is good.

There are some open-source security keys. I am mostly indifferent to
this.

Price is a consideration but not the primary consideration. I don't
want to spend more than $100CAD on a key.

OTP is strange. Yahoo mail is broken garbage for MFA. OTP is supposedly
supported but did not work, and I could not use the Yubikey 5 at all
because it would not fall back to WebAuthn. So I am not securing Yahoo
Mail. (I think WebAuthn did work on the Yubikey Security Key.)

When given the choice I prefer WebAuthn. However, there are situations
where OTP has proven necessary. So maybe I am looking at getting some
keys with OTP support and some keys without.

The downside to another Yubikey Security key is that they are now
black, and all include NFC.

The downside to another brand is that I do not know what is
trustworthy. The SoloKey here looks nice because you can get colored
sleeves as well, but I do not know whether this is a good choice or
not: https://solokeys.com/collections/all/products/solo-2a-security-key-built-with-trussed%C2%AE

Has anybody experimented with these alternative keys? What have your
experiences been? Are these now commodities that all Just Work, or do
I have to be careful?

Are there other things I should be considering?

- Paul